EN 
DE 
What goals, requirements, and guidelines serve as the basis for a shared understanding of the cybersecurity perspective in the development of road vehicles? How are the processes defined and the risks managed in accordance with ISO 31000?
The first part provides an introduction to the topic and highlights the overarching cybersecurity management – goals, governance & culture.
The highly anticipated “ISO/SAE 21434 Road Vehicles — Cybersecurity Engineering” has been available as a Draft International Standard since June 2020, and its final adoption as an international standard is imminent. Even though changes may still occur, it is worthwhile to familiarize oneself with the content and requirements, which cover the development of safe vehicles not only from a safety perspective but now also from a security perspective. Threat analysis, risk assessment, activities, and work products are ready to be addressed.
Let's look at the motivation behind the standard and the document:
- It addresses the cybersecurity perspective in the development of electrical and electronic (E/E) systems in road vehicles.
- It ensures that cybersecurity is given due consideration.
- It is intended to enable the development of E/E systems to keep pace with changing technologies and attack methods.
- It provides vocabulary, goals, requirements and guidelines as a basis for a common understanding throughout the supply chain.
- It enables organizations to,
- Defining cybersecurity policies and processes,
- the management of cybersecurity risks and
- to foster a cybersecurity culture
It is therefore also about establishing a common language for communication and management of cybersecurity risks and promoting a culture of cybersecurity.
A common language includes terms whose meaning should be familiar to all levels of a cybersecurity project. This requires an understanding of the terminology and the culture behind the terms. Tasks and responsibilities extend beyond the development team to the management level.
General terms and definitions
If we are talking about security from a Threat When we speak of a threat, we mean vulnerabilities (Vulnerabilities) exploits to launch an attack (Attack) to execute. The risks (Risks) result from the probability of a successful attack, coupled with the damage that can result.
Figure 1: Factors influencing the probability of a successful attack
To create the best possible and safest scenario here, so-called [methods] are used. Cybersecurity Properties. Whether these are applicable to your project will need to be determined through a proper analysis. They usually involve a combination of several attributes.
The most important properties requiring protection (security services) include:
- Integrity (Integrity of data or messages)
- Confidentiality (Confidentiality)
- Availability (Availability)
- Accountability (Accountability)
- Authenticity (Authenticity)
- Privacy (Privacy)
Evaluation of cybersecurity measures
Not all components installed in vehicles are relevant from a cybersecurity perspective. To determine this, a short questionnaire can be used to evaluate whether the standard applies. The questions each relate to the component under investigation.
- Does it implement or contribute to vehicle functionality through the use of E/E technology?
- Does it contain interfaces outside the vehicle?
- Does it contribute to the safe operation of the vehicle?
- Does it contain wirelessly connected sensors or actuators?
- Does it implement functions that require the collection or processing of user-related data?
- Does it implement vehicle functions based on networked components?
Figure 2: Flowchart for assessing cybersecurity relevance
Part I: Comprehensive Cybersecurity Management: Goals, Governance & Culture
A comprehensive cybersecurity management system pursues a number of goals (Objectives):
- one Cybersecurity Policy as well as defining organization-specific rules and processes
- Responsibilities and Powers assign those necessary to carry out cybersecurity activities
- the Implementation of cybersecurity support (including resources and management of interactions between cybersecurity processes and related processes)
- one Cybersecurity culture introduce and maintain (including competence management, awareness management and their continuous improvement)
- a Cybersecurity audit to conduct an audit of the organization
- the exchange of Cybersecurity information manage
- Management systems, supporting, setting up and maintaining cybersecurity activities
- Provide evidence, that the tools used do not compromise cybersecurity
Cybersecurity management is like an umbrella of culture and organizational leadership (Governance & Culture), which enables but also monitors cybersecurity.
Image 3: Under the umbrella of Governance & Culture
In doing so, it sets guidelines (PolicyIt establishes rules and processes by providing guidelines, best practices, and templates, for example. It defines responsibilities and assigns authority (Responsibilities) and creates resources.
In addition, Governance & Culture establishes a culture by creating skills and awareness of the importance of cybersecurity and driving a continuous improvement process. This is achieved, for example, through training programs and the establishment of transparent responsibilities (Traceable Accountability) and the emphasis on “Security & Safety First”. Incentives are used to attract employees who see an advantage in engaging in cybersecurity. A proactive attitude, diverse and creative thinking, and adherence to processes should be encouraged and rewarded in this context.
Risks, audits and information management
The Risk management It should be in accordance with ISO 31000, but deviations are generally permitted. If a Audit If an audit is conducted, it should be combined with quality management to work more efficiently and avoid wasting resources. Ideally, an audit is not a one-off event but is carried out periodically and continuously. In addition to internal review, an external perspective from an external organization is expressly desired. Sharing information This is subject to critical scrutiny. It should be determined what kind of information should or may be shared under which circumstances, and when this is not permitted. What does information exchange look like within the organization, and what measures do you need to ensure secure exchange with external parties?
The organization of the various management systems must also not be left to chance. Within the Quality management This includes change management (Change Management, the Documentation Management, the Configuration Management as well as requirements management (Requirements Management).
For whom the term is new: In Configuration management The system's components and software are defined and documented. This allows for better tracking, verification, and identification of the cause of a malfunction. The scope of the Change management In cybersecurity, this involves managing changes to elements or components in such a way that the relevant cybersecurity goals and requirements continue to be met.
Finally, that deserves Tool Management Special attention should be paid to the tools and resources used to write and test software. These can also negatively impact security. This includes using the tools correctly, following the user manual (including errata), preventing unintentional use, and implementing access control or user authentication.
The situation is similar with information security (Information security management), which should also follow a cybersecurity plan and, for example, guarantees the secure storage of work products and documents on a file server that is protected against unauthorized access.
The points mentioned so far, which fall under the umbrella term of an overarching (OverallCybersecurity management, which can be summarized as follows, is a top priority for the entire organization and must be constantly monitored. This is complemented by the... Project Specific Management, which is used in a targeted manner in every new project.
Learn more in second part of the series, what project-specific cybersecurity management entails – including goals, planning and assessment.
MicroConsult offers professional training and coaching on the following topics: Safety & Security on – in live online and in-person formats.
Further information
MicroConsult Training & Coaching on the topic of Safety & Security
