In the last blog, “Automotive SPICE for Cybersecurity in conjunction with a Cybersecurity Management System”, the focus was on regulatory compliance, the standard for cybersecurity published by the International Organization for Standardization (ISO), and the Audit Cybersecurity Management System (ACSMS).
Cybersecurity has many facets. In this article, we want to give a rough overview of how the cybersecurity risks arising directly from the product itself are evaluated.
Attackers are creative and constantly look for new ways into a system. How can the risk of such an attack be evaluated in the first place?
Automotive SPICE for Cybersecurity introduces new processes for this. The process MAN.7 “Cybersecurity Risk Management” describes the analysis of risks in detail.
Threat scenarios are analyzed in a TARA (Threat Analysis and Risk Assessment). First, the assets (objects worth protecting) are identified, for example the receiver of a remote key. Publicly accessible databases list a wide variety of attacks on cybersecurity properties (confidentiality, integrity, authenticity, availability and the like); this data is used to describe the threat scenarios for each asset. Next, the possible attack paths and their feasibility are evaluated, together with the damage that stakeholders (drivers, passengers, pedestrians, the vehicle, the OEM, etc.) would suffer from a successful attack. From attack feasibility and impact, the risk of each threat scenario is then determined.
The risk treatment decision records, for each risk, whether it is avoided, reduced, shared or accepted.
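To make the steps above concrete, here is a small worked TARA for the remote-key example. This is an added illustration written for this article, not code or figures from Automotive SPICE or from any standard: the four-level impact and feasibility scales, the attack-potential factors (elapsed time, expertise, knowledge, equipment, window of opportunity), the risk matrix and the treatment thresholds are all assumed values chosen for the example, and the threat scenarios and stakeholder ratings are constructed sample input.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed ordinal scales for this illustration (index 0..3); a real TARA uses the
# scales defined in the organisation's cybersecurity process, not these.
IMPACT = ("negligible", "moderate", "major", "severe")
FEASIBILITY = ("very low", "low", "medium", "high")

# Assumed risk matrix indexed [impact][feasibility] -> risk value 1 (lowest) .. 5 (highest).
RISK_MATRIX = (
    (1, 1, 1, 1),
    (1, 2, 2, 3),
    (1, 2, 3, 4),
    (2, 3, 4, 5),
)


@dataclass(frozen=True)
class AttackPath:
    """One way of realising a threat scenario, rated by the effort the attacker needs.

    Each factor is 0 (trivial) .. 3 (very demanding); the mapping from summed effort
    to a feasibility level is an assumption of this example."""
    name: str
    elapsed_time: int
    expertise: int
    knowledge: int
    equipment: int
    window_of_opportunity: int

    def effort(self) -> int:
        return (self.elapsed_time + self.expertise + self.knowledge
                + self.equipment + self.window_of_opportunity)

    def feasibility(self) -> int:
        e = self.effort()
        if e <= 3:
            return 3  # high: little effort needed
        if e <= 6:
            return 2  # medium
        if e <= 9:
            return 1  # low
        return 0      # very low


@dataclass
class ThreatScenario:
    asset: str
    description: str
    impact: Dict[str, int]          # stakeholder -> impact level index
    attack_paths: List[AttackPath]

    def impact_level(self) -> int:
        # The worst-affected stakeholder drives the impact rating.
        return max(self.impact.values())

    def feasibility_level(self) -> int:
        # The easiest attack path determines how feasible the scenario is.
        return max(p.feasibility() for p in self.attack_paths)

    def risk(self) -> int:
        return RISK_MATRIX[self.impact_level()][self.feasibility_level()]


def treatment_decision(risk: int) -> str:
    """Assumed thresholds. 'share' (e.g. contractually transferring a risk to a
    supplier or insurer) is a management decision and is not derived from the number."""
    if risk >= 5:
        return "avoid"
    if risk >= 3:
        return "reduce"
    return "accept"


def build_register(scenarios: List[ThreatScenario]) -> List[dict]:
    """Produce one risk-register row per threat scenario."""
    return [{
        "asset": s.asset,
        "scenario": s.description,
        "impact": IMPACT[s.impact_level()],
        "feasibility": FEASIBILITY[s.feasibility_level()],
        "risk": s.risk(),
        "treatment": treatment_decision(s.risk()),
    } for s in scenarios]


# Constructed sample input for the remote-key receiver asset.
SCENARIOS = [
    ThreatScenario(
        asset="remote key receiver",
        description="Spoofed unlock command accepted by the receiver",
        impact={"driver": 2, "OEM": 2, "passengers": 0},
        attack_paths=[
            AttackPath("replay of a captured unlock frame", 0, 1, 0, 1, 1),
            AttackPath("brute force of the rolling code", 3, 2, 2, 2, 2),
        ]),
    ThreatScenario(
        asset="remote key receiver",
        description="Jamming prevents the lock command from reaching the receiver",
        impact={"driver": 1, "OEM": 1},
        attack_paths=[AttackPath("RF jammer near the vehicle", 0, 0, 0, 1, 1)]),
    ThreatScenario(
        asset="remote key receiver",
        description="Spoofed lock command while the owner is away",
        impact={"driver": 0, "OEM": 0},
        attack_paths=[AttackPath("replay of a captured lock frame", 0, 1, 0, 1, 1)]),
]

if __name__ == "__main__":
    for row in build_register(SCENARIOS):
        print(row)
```

The point to notice is that the spoofed-unlock scenario ends up with a high risk even though one of its attack paths (brute force) is infeasible: the cheapest path, a plain replay, decides the feasibility, and that is exactly the path the requirements derived later have to close.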
The risk analysis (TARA) from MAN.7 is the starting point for the cybersecurity goals derived in SEC.1: concept-level cybersecurity requirements, each associated with one or more threat scenarios.
“The authenticity of the unlock door command by a given key remote must be guaranteed at all times” would be such a concept-level cybersecurity goal.
Creative attacks on this cybersecurity goal cannot be entirely predicted. System specialists can, however, derive system- and software-level cybersecurity requirements that eliminate or reduce the likelihood of a successful attack on the goal.
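What such a derived software-level requirement looks like in practice can be shown with the same example. The code below is an added illustration written for this article, not the page's or any OEM's implementation: a receiver that accepts a fixed unlock code (replayable, so the goal above is violated by anyone with a radio capture) next to a receiver that requires a counter-bound message authentication code. The frame layout, the truncated 8-byte HMAC-SHA256 tag, the 16-frame resynchronisation window and the demo key are assumptions chosen for the example, and the simulated radio captures are constructed sample input.

```python
import hashlib
import hmac
import struct

CMD_UNLOCK = b"UNLOCK"
TAG_LEN = 8          # assumed: HMAC-SHA256 tag truncated to 8 bytes to fit a short RF frame
COUNTER_LEN = 4      # assumed: 32-bit monotonically increasing counter


class NaiveRemote:
    """'Before': the remote transmits the same fixed unlock code every time."""
    def __init__(self, unlock_code: bytes):
        self.unlock_code = unlock_code

    def unlock_frame(self) -> bytes:
        return self.unlock_code


class NaiveReceiver:
    """'Before': any frame equal to the fixed code unlocks the door, captured or not."""
    def __init__(self, unlock_code: bytes):
        self.unlock_code = unlock_code

    def handle(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.unlock_code)


class AuthenticatedRemote:
    """'After': each frame carries a fresh counter and a MAC over command and counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def unlock_frame(self) -> bytes:
        self.counter += 1
        payload = CMD_UNLOCK + struct.pack(">I", self.counter)
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()[:TAG_LEN]
        return payload + tag


class AuthenticatedReceiver:
    """'After': accept only frames with a valid MAC and a counter strictly newer than
    the last accepted one, within a bounded window so lost frames do not desynchronise."""
    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0

    def handle(self, frame: bytes) -> bool:
        if len(frame) != len(CMD_UNLOCK) + COUNTER_LEN + TAG_LEN:
            return False
        payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # forged or modified frame
            return False
        if payload[:len(CMD_UNLOCK)] != CMD_UNLOCK:
            return False
        counter = struct.unpack(">I", payload[len(CMD_UNLOCK):])[0]
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False                              # replay or far out of sync
        self.last_counter = counter
        return True


def simulate() -> dict:
    """Run the attacks an SEC.4-style validation would replay against both designs."""
    results = {}
    fixed_code = b"\x5a\xa5\x0f\xf0"                          # constructed
    naive_remote, naive_receiver = NaiveRemote(fixed_code), NaiveReceiver(fixed_code)
    captured = naive_remote.unlock_frame()                     # attacker records one press
    naive_receiver.handle(captured)                            # owner's legitimate unlock
    results["naive_replay_accepted"] = naive_receiver.handle(captured)

    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")    # constructed demo key
    remote, receiver = AuthenticatedRemote(key), AuthenticatedReceiver(key)
    genuine = remote.unlock_frame()
    results["auth_genuine_accepted"] = receiver.handle(genuine)
    results["auth_replay_accepted"] = receiver.handle(genuine)
    # Attacker bumps the counter but has no key, so reuses the old tag.
    forged = CMD_UNLOCK + struct.pack(">I", remote.counter + 1) + genuine[-TAG_LEN:]
    results["auth_forged_accepted"] = receiver.handle(forged)
    for _ in range(3):
        remote.unlock_frame()   # pressed out of range: frames never reach the receiver
    results["auth_resync_accepted"] = receiver.handle(remote.unlock_frame())
    return results


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner would add to the requirement: the MAC and counter defeat spoofing and replay, the two attack paths with the lowest effort in the TARA, but not a relay attack that forwards a live frame within its validity window, and the shared key must be provisioned and stored per vehicle in a way the threat analysis also covers.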
Cybersecurity requirements feed directly into the system and software requirements. Implementation follows the same processes described in Automotive SPICE, and system and software testing verifies the system and software requirements.
The risk treatment verification in SEC.3, in contrast, refers to the cybersecurity requirements derived from the threat scenarios.
The last step is to validate the cybersecurity goals in the integrated system (SEC.4). The validation strategy has to be designed so that vulnerabilities which have so far gone undetected are revealed. In our example from above, the goal is to rule out the possibility of the door being unlocked by an unauthorized third party.
The new processes MAN.7 and SEC.1-4 in Automotive SPICE for Cybersecurity equip engineering departments with methods to minimize the risk of cyberattacks. Since attackers can be well funded and highly motivated, risks can never be eliminated completely. A carefully conducted TARA, however, reveals potential vulnerabilities and their risks, and the risk treatment measures derived from it significantly increase the time and effort required to breach a cybersecurity goal.
The new Process Assessment Model (PAM) “Automotive SPICE® for Cybersecurity” extends Automotive SPICE by six new processes. The new course “intacs™ certified Automotive SPICE® Cybersecurity” is meant to prepare assessors for the assessment of these new processes.
We have already included the Automotive SPICE for Cybersecurity PAM in our SPICE Booklet.