History of ISO/SAE 21434 standard, objectives, purpose and scope
Structure: clauses, objectives, requirements, work products, annexes, …
Meaning and relation to other security standards like SAE J3061™, ISO PAS 5112, ACSMS, ASPICE® for cybersecurity, ISO/IEC 27001, UNECE, ISO/IEC 31000, EU-GDPR, ISO 26262, TISAX, GSR, …
Motivation for the standard
Embedding and correlation to similar domains, like Functional Safety
Overview
Explanation of structure of the training / clustering of subjects
The clauses (chapters) and their objectives/content will be explained
Introduction
Explanation of the first four administrative chapters of the standard
Scope
References: list of standards including Kugler Maag Cie experiences regarding evaluation for relevance
Terms and definitions: examples, relationship to each other
Relationship to ISO 31000 risk management
Interaction with Safety
Cybersecurity management
General overview and focus of Security Management Systems: ISO/IEC 27001, TISAX, UNECE, QMS, RMS
Objectives and requirements for an overall Cybersecurity Management | examples for implementation | organizational responsibilities | definition of a CSMS (Cybersecurity Management System) and its relation to an ISMS (Information Security Management System)
Objectives and requirements for a project dependent Cybersecurity Management | examples in correlation with overall Cybersecurity Management
Kugler Maag Cie experiences implementing efficient and effective Cybersecurity Management Systems in organizations
Repetition
Consolidation of learning material
Distributed Cybersecurity Activities
How do supplier and customer work together? | example of a Cybersecurity Interface Agreement (CIA)
Examples of how to achieve the goals of continuous cybersecurity activities
Lifecycle
Concept Phase: from item definition to security concept, defining cybersecurity goals, deriving cybersecurity requirements
Product Development and Validation: relationship to the V-model, activities on the left and right sides of the development V | consideration of system, software and hardware development | verification and validation
Post development phases: requirements for production (e.g. TARA refinement), operation and maintenance (e.g. SW-OTA) and decommissioning (e.g. TARA refinement for logistics) | operation and maintenance (incident management and updates) | decommissioning
Annexes
Content, purpose and objectives of the 8 annexes will be explained: summary of work products, examples of a good cybersecurity culture (real-world examples in relation to safety will be given), a use-case example will be presented, the tables for determining attack feasibility will be explained, …
Interaction with other standards
Cooperation with the Functional Safety standard ISO 26262, development interfaces between Safety and Cybersecurity, points of contact within the V-model and in management
Combination of methods to gain synergies, e.g. HARA and TARA: how to perform them together? Safety FMEA vs. Security FMEA, …
Repetition
Consolidation of learning material
Risk Assessment Methods
Presentation of the seven steps of a risk assessment, from asset identification to the risk determination decision | getting familiar with the valuation tables for attack feasibility and damage estimation | creation of the risk matrix | parameters and content of attack feasibility | getting familiar with terms such as damage scenario, threat scenario, attack path and attack
Example of performing a TARA | network of work products and their dependencies
KMC XLS-TARA template will be provided to each participant
Exercises for the different steps of the risk analysis
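As an added illustration of the risk determination step described above (not part of the training material or the KMC template), the following Python rates two constructed attack paths for one threat scenario and reads the risk value off a matrix. The attack-potential parameter values and the feasibility bands are assumed to follow the ISO/IEC 18045 style referenced by ISO/SAE 21434 Annex G; the 4x4 risk matrix and the "easiest path wins" aggregation rule are assumptions for illustration, not the standard's own tables.

```python
from typing import Dict, List, Tuple
# Assumed attack-potential parameter values, in the ISO/IEC 18045 style that
# ISO/SAE 21434 Annex G references; higher sums mean more attacker effort.
PARAMETER_VALUES: Dict[str, Dict[str, int]] = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window_of_opportunity": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]
# Assumed illustrative risk matrix: rows = impact rating, columns in FEASIBILITY_LEVELS order, 1 = lowest risk, 5 = highest.
RISK_MATRIX: Dict[str, List[int]] = {
    "negligible": [1, 1, 1, 1],
    "moderate": [1, 2, 2, 3],
    "major": [1, 2, 3, 4],
    "severe": [2, 3, 4, 5],
}

def attack_potential(path: Dict[str, str]) -> int:
    """Sum the five parameter values of one attack path; every parameter must be rated."""
    missing = set(PARAMETER_VALUES) - set(path)
    if missing:
        raise ValueError(f"attack path not fully rated: {sorted(missing)}")
    return sum(PARAMETER_VALUES[param][choice] for param, choice in path.items())

def feasibility_rating(potential: int) -> str:
    """Map an attack-potential sum to a feasibility rating (assumed 18045-style bands)."""
    if potential <= 13:
        return "high"
    if potential <= 19:
        return "medium"
    if potential <= 24:
        return "low"
    return "very low"

def risk_value(impact: str, feasibility: str) -> int:
    """Look up the risk value for an impact rating and a feasibility rating."""
    return RISK_MATRIX[impact][FEASIBILITY_LEVELS.index(feasibility)]

def threat_scenario_risk(impact: str, paths: List[Dict[str, str]]) -> Tuple[str, int]:
    """Rate a threat scenario by its easiest attack path (assumed aggregation rule)."""
    rating = feasibility_rating(min(attack_potential(p) for p in paths))
    return rating, risk_value(impact, rating)

# Constructed sample: one damage scenario rated 'severe', reachable via two attack paths.
PATH_A = {"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
          "window_of_opportunity": "easy", "equipment": "specialized"}  # sum 18
PATH_B = {"elapsed_time": "<=6 months", "expertise": "multiple experts", "knowledge": "confidential",
          "window_of_opportunity": "moderate", "equipment": "bespoke"}  # sum 43
```

Calling threat_scenario_risk("severe", [PATH_A, PATH_B]) yields the scenario's feasibility rating and risk value; a path with an unrated parameter raises ValueError rather than silently lowering the sum.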