UN Regulation No. 155 of the UNECE (United Nations Economic Commission for Europe) of January 22, 2021, describes in detail how national homologation authorities will implement the topic of cybersecurity when approving new vehicles with mechatronic components in future. Car manufacturers will have to demonstrate a cybersecurity management system that implements cybersecurity risk management in the development, production and vehicle use phases.
Functional safety and cybersecurity are designed to make the risks in the vehicle manageable. However, the domains are very different in terms of the nature of the threat. While functional safety examines the failure safety of the vehicle components in the hazard analysis (HARA), cybersecurity deals with ways malicious attacks on the vehicle could take place in the development, production phase and after production on the road. This means that there is a constant threat of malicious attackers using ever evolving methods to hack the cars integrity. Not only update mechanisms need to be secured, even special security measures in the workshops need to be considered.
ISO 26262 has been successfully implemented for functional safety projects for years. ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering”, on the other hand, has only been in final draft form since March 2021 (edit: published 08/2021). It describes how OEMs and their suppliers should assess cybersecurity risks and derive suitable counter-measures.
UNECE 155 clearly places the responsibility on the OEM. Establishing an end-to-end cybersecurity management system is no easy task given the increasing complexity, numerous suppliers and global production sites.
Intacs and the VDA QMC approached this challenge and broke it down for future development projects.
In the VDA QMC yellow print “VDA Automotive SPICE® for Cybersecurity” on page 13, new processes are presented: SEC.1 “Cybersecurity Requirements Elicitation”, SEC.2 “Cybersecurity Implementation”, SEC.3 “Verification”, SEC.4 “Risk Treatment Validation”, MAN.7 “Cybersecurity Risk Management”.
(edit: blue-gold print VDA Automotive SPICE® for Cybersecurity expected to be published in 09/2021)
The Cybersecurity Engineering Process Group (SEC) describes how cybersecurity risks in mechatronic systems shall be assessed and how appropriate counter-measures shall be implemented, verified and tested in the future. MAN.7 describes in detail how cybersecurity risk management will be designed.
New rules for ACQ.2 and ACQ.4 are introduced here to ensure the monitoring of suppliers with regard to cybersecurity.
In the future, OEMs have to incorporate mechatronic components into their cybersecurity management systems. There is no way around this. Therefore, if you want to play in this arena, you are forced to build competencies and adapt your processes to adequately include cybersecurity.
It is expected that the processes named above will be integrated into the new ASPICE 4.0 standard, thus becoming binding.
Intacs™ and the VDA-QMC are currently working on a training concept, training material and an exam for the model extension Autmotive SPICE Cybersecurity. A first train-the-trainer seminar is planned for Q4. As soon as the training is accredited, the accredited training providers will offer the training.