Automotive SPICE for Cybersecurity in relation to Cybersecurity Management System

Politics, ISO and Audit/Assessment

Politicians have implemented requirements from UN R155 into national law in the various jurisdictions of Europe, China, and the USA. Besides the differences, they all have in common that the introduction of a cybersecurity management system is required for all new vehicle type registrations by the beginning of the 3rd quarter 2022.

ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” was created in 2021 as a standard that reflects both the hierarchical organizational structure of OEMs with their TIERs and the product lifecycle from conception of a vehicle to decommissioning.

In the future, OEMs will have to demonstrate compliance. The ISO/SAE 21434 standard describes what should be done, but implementation in a best practice must be certified. ISO PAS 5112 “Guidelines for auditing cybersecurity engineering” will not be completed in time. That is why VDA QMC has published the red book “Automotive Cybersecurity Management System Audit” (ACSMS Audit). This provides a benchmark for an ACSMS audit until ISO PAS 5112 is finalized. At the organizational level, OEMs can hereby provide evidence of their cybersecurity management system.

Automotive SPICE only considers development processes. The new Process Assessment Model (PAM) “Cybersecurity for Automotive SPICE” provides a plug-in for ASPICE assessments in six new processes. The new course „intacs™ certified Automotive SPICE® Cybersecurity“ trains lead assessors for the assessment of the new practices.

TARA, Vulnerability DB and Cybersecurity Claim

In functional safety, HARA (Hazard Analysis and Risk Assessment) is well known. The Safety Case certifies the implementation of the risk analysis of the vehicle component.

The TARA (Threat Analysis and Risk Assessment) deals with the valuables that are worth protecting, possible threat scenarios, the evaluation of potential damage, attack paths and their feasibility. The results of the risk assessments will result in risk reduction activities.

The Cybersecurity Claim certifies that cybersecurity threats have been analyzed in the project and their risks have been appropriately minimized.

A Vulnerability DB must be maintained in the Cybersecurity Management System to enable monitoring of all vehicle components in conjunction with the Cybersecurity Claims.

Relationship between Automotive SPICE  for Cybersecurity and the Cybersecurity Management System

The responsibility for cybersecurity clearly lies with the OEM. Part of this responsibility is passed on to the suppliers. By setting up a cybersecurity management system at the OEM and its suppliers threats are systematically evaluated and minimized at the various hierarchical levels throughout the whole product cycle.

With the process ACQ.2/ACQ.4 the suppliers are checked in their responsibility for cybersecurity and the exchange of data relevant for the cybersecurity claim. MAN.7 defines cybersecurity risk management activities. SEC.x processes are used to analyze threats in the project and verify and validate the implementation of defensive measures.

Conclusion

Assessments with the Automotive SPICE for Cybersecurity PAM evaluate ISO 21434 compliant processes, which allow conclusions to be drawn about the systematics of the threat analysis (TARA) and the cybersecurity claim.

intacs™ Training for the Automotive SPICE® for Cybersecurity Model

The new Process Assessment Model (PAM) ” Automotive SPICE® for Cybersecurity ” provides an extension to Automotive SPICE in six new processes. The new course “intacs™ certified Automotive SPICE® Cybersecurity” is meant to prepare assessors for the assessment of the new processes.

Read more about the training

SPICE Booklet with Cybersecurity Model

We have already included the Automotive SPICE for Cybersecurity PAM into our SPICE Booklet

Download SPICE Booklet