ISO/SAE 21434:2021 Road vehicles Cybersecurity engineering
https://www.iso.org/standard/70918.html
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 General considerations
5 Organizational cybersecurity management
5.1 General
5.2 Objectives
5.3 Inputs
5.3.1 Prerequisites
5.3.2 Further supporting information
5.4 Requirements and recommendations
5.4.1 Cybersecurity governance
5.4.2 Cybersecurity culture
5.4.3 Information sharing
5.4.4 Management systems
5.4.5 Tool management
5.4.6 Information security management
5.4.7 Organizational cybersecurity audit
5.5 Work products
6 Project dependent cybersecurity management
6.1 General
6.2 Objectives
6.3 Inputs
6.3.1 Prerequisites
6.3.2 Further supporting information
6.4 Requirements and recommendations
6.4.1 Cybersecurity responsibilities
6.4.2 Cybersecurity planning
6.4.3 Tailoring
6.4.4 Reuse
6.4.5 Component out-of-context
6.4.6 Off-the-shelf component
6.4.7 Cybersecurity case
6.4.8 Cybersecurity assessment
6.4.9 Release for post-development
6.5 Work products
7 Distributed cybersecurity activities
7.1 General
7.2 Objectives
7.3 Inputs
7.4 Requirements and recommendations
7.4.1 Supplier capability
7.4.2 Request for quotation
7.4.3 Alignment of responsibilities
7.5 Work products
8 Continual cybersecurity activities
8.1 General
8.2 Objectives
8.3 Cybersecurity monitoring
8.3.1 Inputs
8.3.1.1 Prerequisites
8.3.1.2 Further supporting information
8.3.2 Requirements and recommendations
8.3.3 Work products
8.4 Cybersecurity event evaluation
8.4.1 Inputs
8.4.1.1 Prerequisites
8.4.1.2 Further supporting information
8.4.2 Requirements and recommendations
8.4.3 Work products
8.5 Vulnerability analysis
8.5.1 Inputs
8.5.1.1 Prerequisites
8.5.1.2 Further supporting information
8.5.2 Requirements and recommendations
8.5.3 Work products
8.6 Vulnerability management
8.6.1 Inputs
8.6.1.1 Prerequisites
8.6.1.2 Further supporting information
8.6.2 Requirements and recommendations
8.6.3 Work products
9 Concept
9.1 General
9.2 Objectives
9.3 Item definition
9.3.1 Inputs
9.3.1.1 Prerequisites
9.3.1.2 Further supporting information
9.3.2 Requirements and recommendations
9.3.3 Work products
9.4 Cybersecurity goals
9.4.1 Inputs
9.4.1.1 Prerequisites
9.4.1.2 Further supporting information
9.4.2 Requirements and recommendations
9.4.3 Work products
9.5 Cybersecurity concept
9.5.1 Inputs
9.5.1.1 Prerequisites
9.5.1.2 Further supporting information
9.5.2 Requirements and recommendations
9.5.3 Work products
10 Product development
10.1 General
10.2 Objectives
10.3 Inputs
10.3.1 Prerequisites
10.3.2 Further supporting information
10.4 Requirements and recommendations
10.4.1 Design
10.4.2 Integration and verification
10.5 Work products
11 Cybersecurity validation
11.1 General
11.2 Objectives
11.3 Inputs
11.3.1 Prerequisites
11.3.2 Further supporting information
11.4 Requirements and recommendations
11.5 Work products
12 Production
12.1 General
12.2 Objectives
12.3 Inputs
12.3.1 Prerequisites
12.3.2 Further supporting information
12.4 Requirements and recommendations
12.5 Work products
13 Operations and maintenance
13.1 General
13.2 Objectives
13.3 Cybersecurity incident response
13.3.1 Inputs
13.3.1.1 Prerequisites
13.3.1.2 Further supporting information
13.3.2 Requirements and recommendations
13.3.3 Work products
13.4 Updates
13.4.1 Inputs
13.4.1.1 Prerequisites
13.4.1.2 Further supporting information
13.4.2 Requirements and recommendations
13.4.3 Work products
14 End of cybersecurity support and decommissioning
14.1 General
14.2 Objectives
14.3 End of cybersecurity support
14.3.1 Inputs
14.3.2 Requirements and recommendations
14.3.3 Work products
14.4 Decommissioning
14.4.1 Inputs
14.4.1.1 Prerequisites
14.4.1.2 Further supporting information
14.4.2 Requirements and recommendations
14.4.3 Work products
15 Threat analysis and risk assessment methods
15.1 General
15.2 Objectives
15.3 Asset identification
15.3.1 Inputs
15.3.1.1 Prerequisites
15.3.1.2 Further supporting information
15.3.2 Requirements and recommendations
15.3.3 Work products
15.4 Threat scenario identification
15.4.1 Inputs
15.4.1.1 Prerequisites
15.4.1.2 Further supporting information
15.4.2 Requirements and recommendations
15.4.3 Work products
15.5 Impact rating
15.5.1 Inputs
15.5.1.1 Prerequisites
15.5.1.2 Further supporting information
15.5.2 Requirements and recommendations
15.5.3 Work products
15.6 Attack path analysis
15.6.1 Inputs
15.6.1.1 Prerequisites
15.6.1.2 Further supporting information
15.6.2 Requirements and recommendations
15.6.3 Work products
15.7 Attack feasibility rating
15.7.1 Inputs
15.7.1.1 Prerequisites
15.7.1.2 Further supporting information
15.7.2 Requirements and recommendations
15.7.3 Work products
15.8 Risk value determination
15.8.1 Inputs
15.8.1.1 Prerequisites
15.8.1.2 Further supporting information
15.8.2 Requirements and recommendations
15.8.3 Work products
15.9 Risk treatment decision
15.9.1 Inputs
15.9.1.1 Prerequisites
15.9.1.2 Further supporting information
15.9.2 Requirements and recommendations
15.9.3 Work products
Annex A Summary of cybersecurity activities and work products
A.1 General
A.2 Overview of cybersecurity activities and work products
Annex B Examples of cybersecurity culture
Annex C Example of cybersecurity interface agreement template
C.1 General
C.2 Example template
Annex D Cybersecurity relevance – example methods and criteria
D.1 General
D.2 Methods
Annex E Cybersecurity assurance levels
E.1 General
E.2 Determining a CAL
E.3 Using a CAL
E.3.1 General considerations
E.3.2 Concept
E.3.3 Product development
Annex F Guidelines for impact rating
F.1 General
F.2 Impact rating for safety damage
F.3 Impact rating for financial damage
F.4 Impact rating for operational damage
F.5 Impact rating for privacy damage
Annex G Guidelines for attack feasibility rating
G.1 General
G.2 Guidelines for the attack potential-based approach
G.2.1 Background on attack potential
G.2.2 Example of adaptation of the parameters
G.2.2.1 Example customization of elapsed time
G.2.2.2 Example customization of specialist expertise
G.2.2.3 Example customization of knowledge of the item or component
G.2.2.4 Example customization of window of opportunity
G.2.2.5 Example customization of equipment
G.2.2.6 Example mapping between attack potential and attack feasibility
G.3 Guidelines for the CVSS-based approach
G.4 Guidelines for the attack vector-based approach
Annex H Examples of application of TARA methods – headlamp system
H.1 General
H.2 Example activities for concept phase of a headlamp system
H.2.1 Item definition
H.2.2 Asset identification
H.2.3 Impact rating
H.2.4 Threat scenario identification
H.2.5 Attack path analysis
H.2.6 Attack feasibility rating
H.2.7 Risk value determination
H.2.8 Risk treatment decision
BIBLIOGRAPHY
Reference materials
auditing
ISO/PAS 5112:2022 Road vehicles Guidelines for auditing cybersecurity engineering
https://www.iso.org/standard/80840.html
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles of auditing
5 Managing an audit programme
5.1 General
5.2 Establishing audit programme objectives
5.3 Determining and evaluating audit programme risks and opportunities
5.4 Establishing the audit programme
5.4.1 Roles and responsibilities of the individual(s) managing the audit programme
5.4.2 Competence of individual(s) managing audit programme
5.4.3 Establishing extent of audit programme
5.4.4 Determining audit programme resources
5.5 Implementing audit programme
5.5.1 General
5.5.2 Defining the objectives, scope and criteria for an individual audit
5.5.3 Selecting and determining audit methods
5.5.4 Selecting audit team members
5.5.5 Assigning responsibility for an individual audit to the audit team leader
5.5.6 Managing audit programme results
5.5.7 Managing and maintaining audit programme records
5.6 Monitoring audit programme
5.7 Reviewing and improving audit programme
6 Conducting an audit
6.1 General
6.2 Initiating audit
6.2.1 General
6.2.2 Establishing contact with auditee
6.2.3 Determining feasibility of audit
6.3 Preparing audit activities
6.3.1 Performing review of documented information
6.3.2 Audit planning
6.3.2.1 Risk-based approach to planning
6.3.2.2 Audit planning details
6.3.3 Assigning work to audit team
6.3.4 Preparing documented information for audit
6.4 Conducting audit activities
6.4.1 General
6.4.2 Assigning roles and responsibilities of guides and observers
6.4.3 Conducting opening meeting
6.4.4 Communicating during audit
6.4.5 Audit information availability and access
6.4.6 Reviewing documented information while conducting audit
6.4.7 Collecting and verifying information
6.4.8 Generating audit findings
6.4.9 Determining audit conclusions
6.4.10 Conducting closing meeting
6.5 Preparing and distributing audit report
6.5.1 Preparing audit report
6.5.2 Distributing audit report
6.6 Completing audit
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining auditor competence
7.2.1 General
7.2.2 Personal behaviour
7.2.3 Knowledge and skills
7.2.3.1 General
7.2.3.2 Generic knowledge and skills of management system auditors
7.2.3.3 Discipline and sector specific competence of auditors
7.2.3.4 Generic competence of audit team leader
7.2.3.5 Knowledge and skills for auditing multiple disciplines
7.2.4 Achieving auditor competence
7.2.5 Achieving audit team leader competence
7.3 Establishing auditor evaluation criteria
7.4 Selecting appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence
Annex A Audit questionnaire
A.1 General
A.2 Audit questionnaire
A.2.1 Cybersecurity management
A.2.2 Continual cybersecurity activities
A.2.3 Risk assessment and methods
A.2.4 Concept and product development phase
A.2.5 Post-development phase
A.2.6 Distributed cybersecurity activities
Annex B Auditor competences
B.1 General
B.2 Knowledge of ISO/SAE 21434 cybersecurity activities
B.3 Knowledge related to CSMS
B.4 Demonstration of auditor competence
Bibliography
2 Normative references
ISO/SAE 21434:2021, Road vehicles — Cybersecurity engineering
ISO 19011:2018, Guidelines for auditing management systems
Bibliography
[1] ISO Guide 73, Risk management — Vocabulary
[2] ISO 9001, Quality management systems — Requirements
[3] ISO/IEC 17000, Conformity assessment — Vocabulary and general principles
[4] ISO/IEC 17021-1, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements
[5] ISO 26262 (all parts), Road vehicles — Functional safety
[6] ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
[7] ISO/IEC 27036-1:2021, Cybersecurity — Supplier relationships — Part 1: Overview and concepts
[8] IATF 16949, Quality management system requirements for automotive production and relevant service parts organizations
[9] UN E/ECE/TRANS/505/Rev.3/Add.154 — UN Regulation No. 155, Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system [online]. March 2021 [viewed 2021-03-24]. Available at https://unece.org/sites/default/files/2021-03/R155e.pdf
[10] VDA QMC WORKING GROUP 13 / AUTOMOTIVE SIG. Automotive SPICE Process Assessment / Reference Model, Version 3.1 [online]. Berlin: VDA QMC, November 2017. Available at: http://www.automotivespice.com/fileadmin/software-download/AutomotiveSPICE_PAM_31.pdf
others
ISO/SAE AWI PAS 8475 Road vehicles Cybersecurity Assurance Levels (CAL) and Targeted Attack Feasibility (TAF)
https://www.iso.org/standard/83187.html
ISO/SAE AWI 8477 Road vehicles Cybersecurity verification and validation
https://www.iso.org/standard/83188.html
Document history
ver. 0.01 First draft 20231104