One of the important clauses in ISO/SAE 21434 (Road vehicles – Cybersecurity engineering) is organizational cybersecurity management. Unlike other standards, this standard gives utmost importance to management involvement in setting up the cybersecurity policies, rules, and processes for the organization. The organization should build a strong cybersecurity culture into its DNA through awareness management, competence management and continuous improvement. It is important that management is aware of the security risks associated with its products and supports the implementation of cybersecurity controls. To support cybersecurity engineering at the organization level, systems should be defined for tool management, quality management, risk management, resource management, information management and performing cybersecurity audits. The organization is free to define its own cybersecurity policy, rules, and processes, linked with its existing policies under other standards (like ISO 26262), as long as they meet the organizational cybersecurity management requirements of ISO/SAE 21434.
The ISO/SAE 21434 standard contains several requirements and recommendations that define organizational cybersecurity management, summarized below:
As part of cybersecurity governance,
- The organization shall define a cybersecurity policy that acknowledges road vehicle cybersecurity risks and states executive management's commitment to manage those risks. The cybersecurity policy can include a statement on the risk treatment of generic threat scenarios with respect to the organization's product or service portfolio.
- The organization shall establish and maintain rules and processes that enable the implementation of ISO/SAE 21434 and support the execution of the corresponding activities. The rules and processes cover concept, product development, production, operation, maintenance, and decommissioning, including TARA methods, information sharing, cybersecurity monitoring, cybersecurity incident response, and triggers.
- The organization shall assign and communicate the responsibilities, and the corresponding authority, needed to achieve and maintain cybersecurity.
- The organization shall provide the resources to address cybersecurity. Resources include the persons responsible for cybersecurity risk management, development, and incident management, as well as suitable tools.
- The organization shall identify disciplines (like functional safety under ISO 26262) related to, or interacting with, cybersecurity and establish and maintain communication channels between those disciplines. This includes sharing processes, strategies and tools between those disciplines.
As part of cybersecurity culture,
- The organization shall foster and maintain a strong cybersecurity culture through traceable accountability for decisions, giving the highest priority to security and safety, rewarding behaviour that motivates a security culture, acting as a role model with practical knowledge, undergoing assessments, a proactive attitude towards vulnerabilities and incidents, providing skilled resources, continuous improvement, defining traceable and controlled processes, etc.
- The organization shall ensure that persons to whom cybersecurity roles and responsibilities are assigned have the necessary competences and awareness: organizational rules and processes, functional safety and privacy expertise, domain and system knowledge, knowledge of security methods, tools and guidelines, and knowledge of attack methods and cybersecurity controls.
- The organization shall institute and maintain a continuous improvement process that includes learning from previous experience, learning from field information on the security of similar products, deriving improvements for subsequent cybersecurity activities, communicating lessons learned, and checking the adequacy of the organizational rules and processes.
As part of Information sharing,
- The organization shall define the circumstances under which cybersecurity-related information sharing is required, permitted, or prohibited, both internal and external to the organization. These circumstances can be based on the types of information that can be shared, approval processes for sharing, requirements for redacting information, rules for source attribution, types of communication for specific parties, vulnerability disclosure procedures and/or requirements on the receiving party for the handling of highly sensitive
- The organization should align the information security management of shared data with the other parties according to the circumstances above. Security classification levels to align can be, for example, public, internal, confidential and third-party confidential.
As part of Management Systems,
- The organization shall institute and maintain a quality management system in accordance with international standards (like IATF 16949) to support cybersecurity engineering, addressing change management, documentation management, configuration management and requirements management.
- The configuration information (build environment, bill of materials, software configuration, etc.) required for maintaining the cybersecurity of a product in the field shall remain available until the end of cybersecurity support for the product, so that remedial actions remain possible.
- A cybersecurity management system for the production processes (like IEC 62443-2-1) should be established to support production activities.
As part of Tools management,
- Tools that can influence the cybersecurity of an item or component shall be managed by applying the user manual with its errata, protecting them against unintended usage, and adding access control and/or authentication. Tool management applies to all tools used in the various phases such as concept or product development, production, and maintenance (e.g. model-based development tools, static checkers, verification tools, OBD/reprogramming tools, flash writers, EOL tools, etc.).
- An appropriate environment to support remedial actions for cybersecurity incidents should remain reproducible until the end of cybersecurity support for the product. This includes the tool chain, compilers, and the software build and development environment needed to reproduce and manage vulnerabilities.
Information security management
Work products should be managed in accordance with an information security management system. Example: work products can be stored on a file server that protects them from unauthorized alteration or deletion.
Organizational cybersecurity audit
A cybersecurity audit shall be performed independently to judge whether the organizational processes achieve the objectives of ISO/SAE 21434. A cybersecurity audit can be included in, or combined with, an audit under a quality management system standard, e.g. IATF 16949. To ensure that organizational processes remain appropriate for cybersecurity, the audit can be performed periodically by an internal or external auditor.
Having a strong foundation of organizational cybersecurity management is the key success factor for developing secure products that continuously safeguard road users from cyber threats, incidents, and vulnerabilities. Siri AB, a Sweden-based organization with expertise in Automotive, Telecom and IoT engineering, can help your organization develop organizational cybersecurity management according to ISO/SAE 21434 on its journey towards the Cybersecurity Management System (CSMS) assessment.
Source: ISO/SAE 21434:2021 Road vehicles – Cybersecurity engineering, Clause 5
About the Author
Ishwaraprasada is the Head of Cyber Security Services at Siri AB with several years of experience in the Automotive domain. His areas of expertise include cyber security, functional safety, AUTOSAR, base software, battery management systems, vehicle charging standards, inverters and engine management.