Cybersecurity

• INVENSITY supports the security management as an expert in the implementation of the OEM’s security requirements and through the process-compliant creation of security requirements.

Methodology

• The OEM’s requirements were analyzed in a structured manner and coordinated with the stakeholders in the project
• On this basis, system requirements including verification criteria for the security area were formulated in DOORS in a process-compliant manner
• Security management: support of the security team in concept development and handling of deviations as well as coordination with the OEM

Result & Added value

• Development of security concepts in coordination with feature owners and OEM
• Creation of security architecture requirements
• Process-compliant documentation of security requirements at system level
• Formulation of verification criteria to test the system-level requirements
• Ensuring traceability to OEM security requirements
• Communicating the new security concepts with the OEM and with the customer’s entire security team
• Problem management for security

• For the development of a central control unit, a body computer, the OEM’s security requirements must be implemented. The requirements of ISO/SAE 21434 regarding security processes and development must also be observed.

Methodology

• Analysis of OEM requirements with regard to security
• Performance of a Threat Analysis and Risk Assessment (TARA) using the customer’s own Excel template
• Creation of a security concept based on the OEM requirements and the findings from the TARA
• Performance of a residual risk analysis

Result & Added value

• The OEM’s security requirements were analyzed
• A TARA was performed and risk reduction measures were defined
• An appropriate security concept was developed and aligned with system / OEM requirements
• System level security requirements were established and documented in accordance with the requirements engineering process
• A residual risk analysis was performed to assess the remaining risk when the defined security concept was implemented

• The OEM sets requirements that make it necessary to adapt the processes for cybersecurity to ISO 21434.
• Cybersecurity documents that have already been created must be checked for conformity.

Methodology

• Review of the existing cybersecurity documents and alignment with the requirements from the interface agreement with the OEM
• Review of the TARA (Threat Analysis and Risk Assessment) as a central cybersecurity document and support in its revision
• Develop a general TARA methodology for the customer based on their current practices as well as Industry Best Practices and ISO 21434

Result & Added Value

• An understanding of the need for cybersecurity was generated and a prioritization of the work packages required by the OEM was created
• A TARA methodology customized to the customer was developed, agreed with stakeholders, and issues were resolved
• Improved and enhanced TARA based on review results

• Cybersecurity is new territory for the customer
• Initial TARA has already been made, but is still incomplete
• ISystem has BT LE interface, but board performance is not sufficient for common pairing processes

Methodology

• Review of initial TARA for completeness, correctness and conformance to IEC 62443
• Detailed analysis of HW capabilities to secure BT LE communications
• General consulting to build further cybersecurity competencies

Result & Added value

• TARA Review:
  • Detailed review of initial TARA including improvements and report
  • Consultation on general approach to TARAs
• BT LE Communication:
  • Analysis of options for BT LE safeguarding given HW restrictions
  • Detailed proposal for securing BT LE communication including cryptographic methods
  • Detailed proposal for securing sensitive data on the ECU
• IEC 62443:
  • Consulting the customer regarding certifications
  • Consulting the customer regarding the development of CS competencies