Content

Motivation

History of ISO/SAE 21434 standard, objectives, purpose and scope
Structure: clauses, objectives, requirements, work products, annexes, …
Meaning and relation to other security standards like SAE J3061^TM, ISO PAS 5112, ACSMS, ASPICE^® for cybersecurity, ISO/IEC 27001, UNECE, ISO/IEC 31000, EU-GDPR, ISO 26262, TISAX, GSR, …
Motivation for the standard
Embedding and correlation to similar domains, like Functional Safety

Overview

Introduction

Cybersecurity management

General overview and focus of Security Management Systems: ISO/IEC 27001, TISAX, UNECE, QMS, RMS
Objectives and requirements for an overall Cybersecurity Management | examples for implementation | organizational responsibilities | definition of a CSMS (Cybersecurity Management System) and relation to ISMS (Information Cybersecurity Management System)
Objectives and requirements for a project dependent Cybersecurity Management | examples in correlation with overall Cybersecurity Management
Kugler Maag Cie experiences implementing efficient and effective Cybersecurity Management Systems in organizations

Repetition

Distributed Cybersecurity Activities

How to work together between supplier and customer? | example for an Cybersecurity Interface Agreement (CIA)

Continuous Cybersecurity Activities

Presentation of ongoing activities: Cybersecurity Monitoring | Event Management | Vulnerability Analysis | Vulnerability Management
Examples how to achieve goals for continuous cybersecurity activities

Lifecycle

Concept Phase: from item definition to security concept, defining cybersecurity goals, deriving cybersecurity requirements
ProductDevelopment and Validation: relationship to V-model, activities on left side and right side of development V | consideration of system, software and hardware development | verification and validation
Post development phases: requirements for production (e.g. TARA refinement), operation and maintenance (e.g. SW-OTA) and decommissioning (e.g. TARA refinement for logistics) | operation and maintenance (incident management and updates) | decommissioning

Annexes

Content, purpose and objectives of the 8 annexes will be explained: summary of work products, examples for a good cybersecurity culture (real-world examples in relation with safety will be given), use-case example will be presented, tables for the determination of attack feasibilities will be explained, …

Interaction with other standards

Cooperation with Functional Safety ISO 26262 standard, development interfaces between Safety and Cybersecurity. Point of contact within the V-model and management
Combination of methods to gain synergies. E.g. HARA and TARA: How to perform together? Safety FMEA vs. Security FMEA, …

Repetition

Risk Assessment Methods

Presentation of the seven steps to perform a risk assessment from asset identification till risk determination decision | get familiar with valuation tables for attack feasibility and estimation of damage | creation of risk matrix | parameter and content of attack feasibility | get familiar with different terms like damage scenario, threat scenario, attack path, attack
Example of performing a TARA | network of work products and dependabilities
KMC XLS-TARA template will be provided to each participant

Exercises for the different steps of the risk analysis

UNECE WP.29 regulation No. [155] (CSMS); No. [156] (SUMS)

Objectives and motivation; GSR (General Safety Regulation)
Interpretation and interface to ISO/SAE 21434
Regulation for Homologation: Management Systems
- CSMS, SUMS, RXSWIN, SW OTA
Regulation for Homologation: Type Approval
- Risk analysis, Annex 5: Threats and potential attacks