Understanding and Responding to Cybersecurity Process Audits for Verifying ISO 21434 Compliance

V1.0 | 2021-10-26
Agenda

I. Overall plan of cybersecurity and status
II. Referenceable standards for cybersecurity audit
III. Approach for major cybersecurity audit area
VI. Summary

© 2021. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.0 | 2021-10-26
I. Overall plan of cybersecurity and status
Motivation : New UN Regulations for CSMS, SUMS

A driving license will be required for the vehicle in the AD context.

➔ A new approach is needed for future certifications

Source : https://unece.org/

• UN Regulation No. 155 : Cyber Security and Cyber Security Management System (CSMS)
• UN Regulation No. 156 : Software Update Processes and Software Update Management System (SUMS)

Additional certifications are required to ensure the integrity of future AD : CSMS and SUMS
I. Overall plan of cybersecurity and status
UN Regulation and Standards : schedules

[Figure: timeline 2018 to 2024 covering UN regulation, legislation by region and standards]

UN regulation:
• 2018.09.20 : Recommendations on Cybersecurity & SW Update
• 2020.03 : GRVA Adoption
• 2020.06 : WP29 Adoption
• 2021.01.22 : Effective
• From 2022.07 : Mandatory for new whole vehicle types
• From 2024.07 : Mandatory for the first registration of vehicles

Legislation by region:
• Self authentication, Safety Standard : planned for 2022.07
• GB/T (Recommended) standard : planned for 2022
• GB (Mandatory) standard : planned for 2023

Process implementation, ISO/SAE 21434:
• 2018.09.22 : CD
• 2020.02.12 : DIS
• 2021.Q1 : FDIS
• 2021.08 : Publication

Process audit, ISO PAS 5112:
• 2020.03.28 : 2nd Draft
• 2021.03.29 : Committee Draft
• Publication (delayed)

Also shown on the timeline: "→ For Legacy", "Made regulation", "2020.05 Kick-off", "2021.05".
II. Referenceable standards for cybersecurity audit
Relationship between regulation and standards

• OEMs will need CSMS certification under UNECE Regulation 155 to sell vehicles on the market
• OEMs and suppliers need a cybersecurity audit to judge the fulfilment of ISO 21434 requirements

[Figure: relationship between the regulation, the engineering standard and the audit guidelines]

• CSMS regulation: UNECE WP.29/R-155, applicable to OEM; requires a certificate of compliance
• CS engineering ("what to do"): ISO/SAE 21434, applicable to OEM or suppliers; supports implementation of the CSMS; a cybersecurity audit verifies process execution
• VDA ACSMS Audit ("what to ask & how to rate"): guideline for CSMS audit, can be referenced for the audit
• ISO PAS 5112 ("how to do audit"): guideline for CSMS audit, can be referenced for the audit

Supporting standards (process basis), by area:
• Process governance: IATF 16949 (QMS for automotive), ISO 9001 (quality management system), ISO 9000 (quality management)
• Information technology: ISO/IEC 33001 (assessment), ISO/IEC 27001 (ISMS), ISO/IEC 27000 (ISMS overview)
• Engineering: Automotive SPICE w/CS plugin (capability), ISO/IEC/IEEE 12207 (SW engineering), ISO/IEC/IEEE 15288 (system engineering)
• Risk management: IEC 31010 (risk management), ISO 31000 (guideline)
• Audit: ISO PAS 5112 (guideline for CSMS audit), ISO 19011 (general standard for audit)
II. Referenceable standards for cybersecurity audit
Cybersecurity audit processes and its relationship

• ACSMS Audit : Binding with regulation, audit standards

[Figure: <VDA ACSMS Audit> and <ISO PAS 5112>, overall concept]

• VDA ACSMS Audit provides guidance for CSMS audits, including the main questionnaires, and is being referenced by some OEMs.
• ISO PAS 5112 provides more extensive auditing guidelines, pass/fail criteria and examples of evidence for each work product, but it is still in the development phase.
II. Referenceable standards for cybersecurity audit
Example : Overview of VDA ACSMS Audit

• Scope and main questions of VDA ACSMS Audit

| Scope | Question | Number of REQ |
|---|---|---|
| Cybersecurity Management | Q1.1 Is a cybersecurity policy defined for the CSMS area of application? | 1 |
| | Q1.2 Are responsibilities assigned and resources provided to ensure the required cybersecurity? | 1 |
| | Q1.3 Are cybersecurity-relevant processes managed in the CSMS area of application and continuously improved? | 3 |
| | Q1.4 Are cybersecurity culture and cybersecurity awareness established and maintained? | 2 |
| Risk identification | Q2.1 Is a process established to identify cybersecurity risks to items and components across development, production and post-production? | 4 |
| Risk assessment, categorization and management | Q3.1 Is a process established to assess and categorize cybersecurity risks for items and components across development, production and post-production? | 1 |
| | Q3.2 Is a process established to treat cybersecurity risks for items and components across development, production and post-production? | 1 |
| Consistency check | Q4.1 Is a process established to verify that identified cybersecurity risks are managed adequately? | 3 |
| Cybersecurity specification, verification, validation and release | Q5.1 Is a process established to specify cybersecurity requirements? | 2 |
| | Q5.2 Is a process established to validate the cybersecurity requirements of items or verify them on components during development phase? | 3 |
| | Q5.3 Is a process established to validate the cybersecurity requirements of items or verify them on components during production phase? | 1 |
| | Q5.4 Is a process established to release items and components for post-development phases? | 2 |
| Updating the risk assessments | Q6.1 Is a process established to keep the cybersecurity risk assessment current? | 4 |
| Cybersecurity incident response | Q7.1 Is a process established to monitor for cybersecurity information? | 1 |
| | Q7.2 Is a process established to detect cybersecurity events? | 1 |
| | Q7.3 Is a process established to assess cybersecurity events and analyze vulnerabilities? | 1 |
| | Q7.4 Is a process established to manage identified vulnerabilities? | 4 |
| | Q7.5 Is a process established to respond to cybersecurity incidents? | 2 |
| | Q7.6 Is a process established to validate the effectiveness and adequacy of the response to a cybersecurity incident? | 1 |
| Reporting against authorities | Q8.1 Is a process established to provide detected and relevant data from attempted or successful cyberattacks for analysis? | 1 |
| Cybersecurity management in the supply chain | Q9.1 Is a process established to manage dependencies that may exist with relevant contract partners regarding the Cybersecurity Management System? | 1 |

Challenge : How to align organizational processes with CSMS Audit?


III. Approach for major cybersecurity audit area
Organizational process

• Organizational processes can connect organically from the top-level goals of management down to the detailed guidelines and templates that support their realization

[Figure: process framework and process realization]

Process Framework:
• Product Liability
  • Functional Safety: generic E/E systems development (IEC 61508), automotive functional safety (ISO 26262), SOTIF (ISO 21448)
  • Cybersecurity: product development (ISO 21434, SAE J3061), enterprise IT security (ISO 27001, TISAX)
  • Homologation: UNECE R155 (CSMS), UNECE R156 (SUMS)
• Process Maturity: ISO 330xx; application of methodological frameworks, i.e. A-SPICE or CMMI
• Product Development Process: ISO 9001, IATF 16949
• Quality Management System: customer requirements, management responsibilities, resource management, product realization (input → product), measurement, analysis and improvement, continuous improvement, customer satisfaction

Process realization:
• Policy & Manual (process manual): goal of process, owner of process, entry/exit criteria
• Procedure (definition): how to perform a process
• Work instruction (guide): how to perform a task
• Forms and Record (template)

Category and sub process:
• Project management: project planning, project control …
• Engineering: product development, prototype development ..
• Process management: standardization management, process improvement
• Support: configuration management, review …
• Sales: contract management …
• Purchasing: equipment/general purchase management …
• Supply management: supplier management, component development

Engineering process: per department (Team1, Team2), input → task → output, with forms & records.

Good organizational processes make it easy to ensure cybersecurity adaption.


III. Approach for major cybersecurity audit area
Overall cybersecurity management

Cybersecurity policy

Clear, concise policies serve to enact the intent of the organization and help fulfill organizational cybersecurity objectives.

A security policy specifies :
• its intended purpose
• its scope
• related roles and responsibilities

Categories of security policies include :
• acceptable use (for users, system administrators, security personnel, and outside parties)
• remote access
• information protection
• perimeter protection
• change management (patch management)
• application security
:

Responsibilities & resources

[Figure: security organization chart: Top Management, Security Steering Board, Organization Security Officer, Security Coordination; per project (Project 1 … Project n): Safety Manager, Cybersecurity Manager, Safety Team, Cybersecurity Team, Project Teams]

• Cybersecurity activities must be orchestrated across all development and maintenance projects
• Top management must drive governance
• For efficiency and mitigation of key risks, security can initially be combined with the safety organization
• Collaboration with the IT security department and security office needs to be considered.

Managed processes & continuous improvement

How do I decide what to do and in what order?
• The following prerequisites must be in place for an effective, sustainable security effort:
  • management commitment to security
  • security policy
  • security risk assessment results
  • security strategy and plan
  :

How do I do it?
• For an effective, sustainable security effort, prerequisites must be in place such as:
  • Protect sensitive data.
  • Maintain a vulnerability management program.
  • Implement strong access control measures
  • Maintain a security policy
  :

How do I know if what I did worked?
• The check phase involves regular monitoring, intrusion detection and other security alert mechanisms

How do I decide what to do next?
• The Act phase involves determining how best to sustain the current security state of systems and software while also accommodating changes and improvements.

Culture & organizational awareness

• Commitment: involvement; recognizing personal responsibility; understanding of impact of action
• Mindset: policies acceptance; lesson-learnt; reporting culture; recognition
• Risk Management: support from management; competence management; collaboration with security team
• Business Impact: implementation of CS policy; compromise between security and business needs; security personnel

Build a project dependent/independent CSMS and reflect the organizational commitment to security culture.
III. Approach for major cybersecurity audit area
Risk management

• Continuous risk management shall be performed throughout the whole product lifecycle for cybersecurity.

[Figure: threat analysis and risk assessment across the concept phase, product development phase and post-development phase]

Scope: as tier-1, agree scope with OEM; as OEM, collaborate with suppliers.

Threat analysis and risk assessment steps and their results:
• Item identification
• Asset identification: asset candidates, cybersecurity properties; assets, damage scenario
• Threat scenario identification: threat scenario per damage scenario and known vulnerabilities
• Impact rating: impact of damage scenario (assessed against Safety, Financial, Operational & Privacy)
• Attack path analysis: attack paths per threat scenario
• Attack feasibility rating: attack feasibility (ease of exploitation)
• Risk determination: risk values
• Risk treatment decision: avoiding risk, reducing risk, sharing/transferring risk, accepting risk

TARA methodology shall be established to support continuous risk management


III. Approach for major cybersecurity audit area
Cybersecurity activities during development phase

• Although some technical challenges remain in the cybersecurity context, R&D activities in the development phase are not much different from those in the functional safety context.

[Figure: design and test activities in the development phase, leading to Production / Operation]

Inputs:
• CS requirements on the operational environment and for post development
• CS requirements (higher level)
• Arch. design (higher level)

Design activities:
• Refinement of cybersecurity requirements
• Refinement of architectural design
• Allocation of refined cybersecurity requirements
• Verification of design activities
• Vulnerability analysis

Design outputs: refined architectural design, allocation of refined CS requirements to refined architectural components, vulnerability analysis report, verification report.

Design activities include:
• Understanding and complying with the cybersecurity requirements from a higher level
• Preventing the introduction of new vulnerabilities
• Identifying and managing known vulnerabilities, if applicable

Test activities: select related methods from ISO SAE 21434, derive test cases, conduct test cases, analyze test results, verification report.

Test specification:
• Identifier
• Test object
• Pass/Fail criteria

Test coverage by test cases shall be determined for the completeness of testing activities.

Test methods:
• Penetration Testing (search for unknown vulnerabilities)
• Fuzz Testing (confirm robustness of the system)
• Vulnerability Scanning (search for known vulnerabilities)
• Code Quality Assessment (identify software security issues early on unit level)

Traceability and consistency are still the most important concerns during development phase.
III. Approach for major cybersecurity audit area
Continuous cybersecurity Activities

[Figure: V-model of cybersecurity activities and work products, with vulnerability handling alongside]

Concept (Chapter 9):
• Specify cybersecurity goals, state cybersecurity claims → goals and claims
• Specify cybersecurity requirements, allocate them to components of the item → cybersecurity concept

Product development (Chapter 10):
• Refine cybersecurity requirements, refine system architectural design → SW/HW cybersecurity requirements and interface specification
• Create software/hardware architectural design, implement the design → implementation
• Define integration and verification specification → integration and verification specification
• Perform verification activities → integration and verification report

Cybersecurity validation (Chapter 11):
• Define validation specification → validation specification
• Perform validation activities → validation report

Continuous activities: cybersecurity events, vulnerability report, analyze and manage vulnerabilities.

Vulnerability Analysis covers weaknesses and cybersecurity events from all activities.
III. Approach for major cybersecurity audit area
Cybersecurity activities during production phase

• The production control plan should include measures to verify the cybersecurity integrity of the product.
• It should also be considered that vulnerabilities can be introduced into the product even during the production process.

Product aspect

• The production control plan is created to :
  • Ensure that cybersecurity requirements for post-development are applied to the item or component
  • Ensure that it cannot be exploited during production
  • Ensure that additional vulnerabilities cannot be added during production.
• The production control plan should include :
  • Related rules, specifications, analyses results, and validations
  • cybersecurity requirements for post-development and those included in production
  • description of the protection measures for components to prevent unauthorized alteration
  • methods to confirm that the cybersecurity
  :

Production process aspect

[Figure: Information Technology and Operational Technology. Image source : https://www.klimaoprema.com/en/digital-transformation-of-panel-production-for-cleanrooms/728]

▪ Example of threat in production site
  • Unpatched devices: Patching not available or feasible
  • Insecure protocols: Unencrypted networks and/or systems
  • Shadow OT: Unknown devices and connections
  • Insecure authentication: Flaws arising from design or implementation oversights
  • Insider threat: Unintentional incidents delivered via infected devices (such as USB sticks)

ISMS should be extended to cover the security of the production

Follow the latest guidelines for operational technology security and the IATF 16949
as well as product-specific security measures.
III. Approach for major cybersecurity audit area
Cybersecurity incident response

• It is recommended to list available sources of cybersecurity information and define responsibility for corresponding information.
• Project-independent cybersecurity incident monitoring should be performed continuously.

[Figure: information collection channel and cybersecurity incident monitoring]

Plan & Prepare:
▪ Definition of CS incidents
▪ Method for dealing with CS incidents
▪ Responsibilities in case of CS incidents
▪ Reporting channels for CS incidents
▪ Escalation strategy for CS incidents
▪ Priorities for the treatment of CS incidents
▪ Guidelines for the treatment of CS incidents

Phases shown: CS Monitoring, CS Event Evaluation, Vulnerability management & Risk Treatment, Learn & Optimize.

Activities shown:
• Monitor systems and services
• Monitor public information pools
• Accept and register notified cybersecurity incident
• Analyze incident technically
• Analyze risk
• Assign and forward incident report
• Inform internal stakeholders
• Inform external stakeholder
• Carry out immediate countermeasures
• Preserve evidence
• Carry out sustained countermeasures
• Improve product security
• Improve cybersecurity policies

Depending on the company’s size, the Automotive CSIR Team can be a single person or might involve experts from other units for each incident
* Source : https://aqigmbh.de/fileadmin/redakteure/publikationen/englisch/201812_PocketGuideAutomotiveCSIR.pdf

Try to integrate cybersecurity incident response into existing quality management system or quality assurance system.
III. Approach for major cybersecurity audit area
Supplier chain management aspects

• The typical supplier management concept can be expanded to cover cybersecurity aspects.
• The process groups (ACQ, SPL, SUP) of Automotive SPICE combined with FuSa are a good starting point for supplier chain management in cybersecurity

Cybersecurity related properties

Supplier Request and Selection

Evaluation criteria:
• Technical evaluation regarding CS capabilities of the supplier (e.g. TARA, attack models etc.)
• The organization’s capability of the supplier concerning CS (e.g. cybersecurity best practices, ISMS)
• Performance evidence obtained by previous projects

RFP:
• A formal request to comply with all relevant standards
• The expectation of CS responsibilities taken by the supplier
• The scope of work regarding CS, including the cybersecurity goals or the set of relevant CS requirements
• Action plan for identified deviations and risks

Selection of preferred bidder:
• The contract should consider requirements including cybersecurity and safety requirements, if applicable (e.g., as part of customer requirements).
• An initial interface agreement (e.g., for cybersecurity) may be set up and used for the detailed contract definition

Supplier Monitoring

• Agree on and maintain joint processes, joint interfaces, and information to be exchanged
• Alignment between customer and supplier regarding CS requirements and responsibilities
• Joint processes and interfaces including incident response management and application of a CS-specific test
• Exchange of agreed information
• Use of agreed joint interfaces between customer and supplier
• Review technical development
• Review of chosen methods for implementation of cybersecurity
• Track open items to closure
• Take action when agreed upon objectives are not achieved to correct deviations and prevent reoccurrence of identified problems.

Supplier management is not much different from legacy practices, but the portion of security incident monitoring should be more highlighted.
VI. Summary
Conclusion

• A safe & secure E/E function can be defined as the fulfillment of requirements given by standards.

• It can be helpful to verify internal organizational CS processes based on referenceable cybersecurity audit processes.

• Continuous cybersecurity risk management and field monitoring are the highlights of CSMS.

• It is recommended to extend an existing process system rather than create additional measures for cybersecurity.
For more information about Vector
and our products please visit

www.vector.com

Author:
Kim, Youn Ho / Joo, Unggul
Vector Consulting
