Once the decision to address risk has been made, a Cybersecurity Concept must be created that defines concrete mechanisms to be implemented. This must take into account not only the results of TARA and existing stakeholder requirements, e.g., from an OEM, but also system design decisions already made, performance requirements for the system, and requirements from other disciplines, e.g., functional safety. This is necessary to truly develop cybersecurity into the system (“security by design”), avoid conflicts, and exploit potential synergies.
If multiple implementations of a security mechanism are possible, the effort and cost of each option must be weighed against its respective impact on the overall residual risk. After the Cybersecurity Concept has been defined in this way, Cybersecurity requirements must be derived and Cybersecurity aspects must be included in the architecture.
We can support all these steps with our experience and knowledge from numerous security engineering projects to define a cost-effective, standards-compliant and state-of-the-art Cybersecurity Concept.