The goal of ISO SAE 21434 is to build upon functional safety standard ISO 26262 and provide a framework similar to it for the entire life cycle of road vehicles. The major components of this new standard include security management, project-dependent cyber security management, continuous cyber security activities, associated risk assessment methods, and cyber security within the concept product development and post development stages of road vehicles.
The vehicle and systems development process has been refined over many years to standardize specification and verification tasks. Synopsys understands that automotive OEMs, Tier 1 suppliers, and others most likely currently include cyber security among other functionality and features in their systems development process. The fast-approaching question is: how does the upcoming standard affect your manufacturing or service delivery process? In this blog post I will briefly discuss some of the major work products and organizational processes that will need to be integrated in order for you to be ready for ISO SAE 21434.
A cyber security plan at a high level is a project plan to track cyber security activities and their progress. This must include the objectives and dependencies of cyber security activities and their responsible parties, resources, and associated timing. A cyber security plan also identifies all other cyber security work products and serves as a central document for both internal and external parties. Think of it as your mission statement and high-level objectives incorporated into a single document.
For each major clause of the ISO SAE 21434 standard, an organization must tailor cyber security activities and continuously improve their specifications and verification methods. This includes governance models and organizational artifacts such as training and awareness, as well as all the way down to the technical component specifications. Your process, procedures, and documentation must align to ISO SAE 21434 cyber security planning activities in order to be ready for upcoming regulatory requirements and independent cyber security audits.
Cyber security assurance levels state requirements in terms of rigor rather than technical specification. These levels can be used to establish goals and longer-term program objectives. Assurance levels also help simplify communication between those at the program level and the cyber security engineers ensuring assurance is met.
Cyber security assurance levels need to be progressive in nature, but they can be combined in order to reach a specific objective. The number of levels will depend on your cyber security plan, but there must be a clear delineation between levels and you must specify the associated goals. A great way to accomplish this is to state your assurance goal or description, and then lay out a business case, justification, or philosophy behind the assurance level. Finally, provide a measurable metric that can be associated with a technical goal. Keep in mind that as your cyber security program matures, these technical goals and metrics will be refined. These moving technical targets should be independent of your assurance goals.
Threat Analysis and Risk Assessment (TARA) is an important capability and work product within the ISO SAE 21434 standard. TARA covers the risk evaluation and assessment methods, as well as the treatment and planning of identified risks. These methods are aligned with NIST SP-800-30 and ISO IEC 31010, which deal with attack feasibility and the likelihood and associated impacts. Your organization will need to standardize on a central process and method for assessing risk, which may involve tooling for calculation. Be sure to establish a common language when communicating risk in a policy or procedure, and define categories and apply numerical values to impacts, attack paths, and damage.
Your cyber security plan will be an important requirement for the proper composition of a TARA. Without a cyber security goal, your evident damage scenarios and risk treatment plans will have to be performed ad hoc and without a defined level of assurance. The output of a TARA will indicate a High, Medium, Low, or Very Low rating, but without proper definition of risk tolerances, caution, and established baselines, the organizational usefulness will be limited. While TARA may be seen as a minimum requirement for communicating road vehicle risk, it is truly a component that fits within cyber security assurance and your overall cyber security program.
In my next blog post on the ISO SAE 21434 standard and upcoming ratification, I cover cyber security assurance levels in depth and explore tailoring assurance levels to example product and service scopes and building your road vehicle security program.