SAE Update - February 2021 - 19

The principles and practice of security are already well established in the IT domain
and address potential impacts on privacy, financial and operational outcomes of a
security incident. However, security aspects in road vehicles (and similar applications)
need to consider that computer-based systems are also controlling physical entities;
since physical harm may result from a security incident, the term "cyber-physical system"
is used to refer to collaborating elements controlling physical entities, and the term
"cybersecurity" reflects that safety and cyber-physical aspects are in scope.

Addressing cybersecurity is not a new topic for the automotive industry; for example,
the EVITA collaborative project that started in 2008 considered the need for tailored
automotive security solutions and also proposed a framework for threat analysis and
risk assessment (TARA). More recently, industry efforts around standardization have
produced first a recommended practice (SAE J3061, released in January 2016) and
then a standard (ISO/SAE 21434, due for final publication mid-2021).

A further aspect relates to regulatory requirements; new legislation being enacted
in 2021, such as UNECE Regulation 155, requires vehicle manufacturers to provide
evidence of their cybersecurity management system (CSMS) processes, and requires
the specific design of their products to be robust.

A common feature of these emerging practices is that they are based on an
engineering-led risk management approach. This engineering framework encompasses
identification and deployment of appropriate solutions as well as the need for ongoing
monitoring and response to the emergence of new potential threats.

Although ISO/SAE 21434 has been written from the perspective of road vehicles, the
engineering framework and its principles are transferable to other applications such
as off-highway vehicles. Therefore, the standard will provide a good foundation for a
common approach throughout the supply chain and across different applications.

So how can organizations prepare for the adoption of ISO/SAE 21434 and also the
regulatory frameworks coming into effect in a similar timeframe? Here are three
practical suggestions:
* Ensuring appropriate skills (or competencies) of staff involved in management
and delivery of cybersecurity activities. The ODC (on-demand course) offered by
SAE International is a great place to start, as it gives an overview of the standard and
highlights some key activities required in implementing it. However, competency is
an ongoing journey and there is no substitute for continued on-the-job learning and
skills development, not just the "one shot" approach of attending a training course.
* Implementing the framework requirements of the standard into an organization's
own processes and activities and aligning with progress criteria. For instance,
program gateways should include reviews of cybersecurity activities
and deliverables.
* Deploying appropriate tools and templates to support the processes and workflows
required by the standard. For example, the SAE ODC includes an example of a
TARA workbook that can be used on a standard desktop computer with common
office productivity tools, which will help course participants get underway with
this key activity.

In conclusion, cybersecurity is an important and significant attribute of vehicle design.
With the emergence of both an engineering standard (ISO/SAE 21434) and regulatory
requirements (such as UNECE Regulation 155), it's never been more important to be
ready for the challenges in this domain.

SOME KEY FEATURES OF ISO/SAE 21434 INCLUDE:
* Requirements for overall cybersecurity management and project-dependent
cybersecurity management, both of which can support implementation of a CSMS
as required by regulatory requirements;
* A modular, iterative approach to risk management, providing a toolbox for
identifying and mitigating risks that can be used throughout the lifecycle;
* Modular requirements for the product development phases including concept
phase (which incorporates TARA), product design and implementation, and
verification and validation;
* Full lifecycle activities including monitoring, event assessment, vulnerability
management and post-development phases;
* Supply chain management covering requirements for distributed cybersecurity
activities.


