As a functional safety engineer, Justin has many years of experience in delivering E/E systems. He has been on the frontline of all stages of the development cycle, from creating a concept to delivering a tested & certified product. Due to his excellent performance, he is now in charge of the new generation of electrical powertrains, the most advanced product of his company. However, during the last meeting with the customer he was caught by surprise: the OEM asked whether his product complies with their new security requirements.
Justin is now confused: are the security requirements not already covered by safety processes? In any case the electrical powertrain does not connect to the Internet, so why are security requirements needed? He wants to deliver the best product, but where to start? From experience, Justin knows that misalignment between the OEM’s wishes (expressed in their requirements) and product implementation can delay the start of production, and that is one scenario he strongly wishes to avoid.
Although Justin is a fictional character (we value the privacy of our customers above all else), the situation is very real: at Riscure we receive more and more requests on advising Tier-1 companies on how to start with cybersecurity activities. The regulations that are being approved now in Europe and USA (e.g. GDPR), or the security standards expected to be public next year (e.g. ISO 21434) mean that you have to start tackling security now in order to avoid being liable for subsequent issues later.
If you are in the same situation as Justin, where do you start? Let us investigate the options together and identify the following steps:
Step 1. To assess if your product is relevant for cybersecurity, you can follow the SAE J3061 question list:
Step 2. If you answered yes to any of the questions above, then you must integrate cybersecurity in your system.
Step 3. Learn how a Threat Analysis and Risk Assessment (TARA) works. If you want to save time in learning about the pros and cons of existing TARA methodologies, you can take our “Security Requirements” Course.
Step 4. Complete the TARA process and summarize it into cybersecurity requirements.
Step 5. Understand the cybersecurity requirements to make sure that the final product meets them.
After step 3, Justin contacts Riscure and learns what the security requirements presented by his OEM mean. Together with Riscure, he chooses the TARA methodology which fits his company best and learns how to avoid the most common pitfalls when integrating security in the existing process.
Do you want to hear more about Justin’s adventures in understanding security requirements? In the next blogpost we will discuss how the OEM came up with a security concept (containing security goals and security requirements for each goal), and how can he discuss further about whether his refined technical requirements will satisfy the OEM requirements.
Would you like to receive updates about new blogposts? Then feel free to sign up by entering your e-mail in the form below. We will notify you once a month about new blog posts and articles from Riscure Security Training. If you would like to start embedding security requirements in your automotive development today, check out this online course.