Once the risk treatment decision has been made, a Cybersecurity Concept defining concrete mechanisms to be implemented needs to be created. Not only the results of the TARA and existing stakeholder requirements, e.g. from an OEM, need to be taken into account, but also any system design decisions already made, performance requirements of the system and requirements coming from other disciplines, e.g. Functional Safety. This is necessary in order to really build security into the system (“security by design”), to prevent conflicts and to make use of possible synergies.
When several possible realizations of a security control are possible, the effort and cost for each possibility must be weighed against their respective impact on the overall residual risk. After defining the Cybersecurity Concept in this manner, Cybersecurity requirements must be derived and security aspects included in the architectural design.
We can support all these steps using our experience and knowledge from numerous security engineering projects to define a cost-effective, standard-conform, state-of-the-art Cybersecurity Concept.