ASPICE Extension to Cybersecurity. What's in for you?

  VDA-QMC released ASPICE with extension to Cybersecurity this month. This is released as "Yellow book" meaning draft version for public review. 

Let's look at the V-Model on how the Cybersecurity Processes fits the bill with other Process Group.

1. Cybersecurity Engineering Process group is added to the V-Model with 4 Processes - 

• SEC.1  - Cybersecurity Requirements Elicitation - Perform TARA , Defining Cybersecurity goals, Deriving Cyber security Requirements 
• SEC.2 - Cybersecurity Implementation - Architecture Design refinement and implementation at the source code level
• SEC.3 - Risk Treatment Verification - Verification of the Risk treatment measures
• SEC.4 - Risk Treatment Validation 
• MAN.7 - Cybersecurity Risk Management extension of MAN.5 .

Applicability of the SEC processes across V-Life cycle is shown below

How Can we Implement?

Well that's a great point to ponder. In my opinion, SEC.1 can be mapped to Stakeholders, System and Software Requirements analysis where we perform the TARA to start with , Derive the Security Goals from which the Requirements are defined to meet the Goals. SEC.2 can be mapped to System/ Software Architecture Design , Coding and Unit Testing where the Architecture design is refined to include the Cybersecurity related components , Concepts of Encryptions and Key based handling can be implemented in the source and static testing can be done to verify compliance with MISRA and Security standard norms. 

SEC.3 and 4 will be mapped with the right side of the V to verify / validate the product with security measures. Test methods like penetration testing and end to end functional testing can be done.

MAN.7 will be extension of Risk Management where Security culture at the organization level needs to be enforced with clearly defined processes & roles to perform Cyber security related activities and implement them in Products. Risk management framework will help handle identifying threats , identifying attack paths and containment / corrective actions that needs to be taken for implemented . The catch is we need to assess the Risks for internal / external threats whole of V Life cycle to ensure complete product security. 

 
Ensuring Safety is not that easy considering the current operating model of OEM -- Tier 1--Tier 2. OEM outsources the Software to Tier 1 and Tier 2 so on.. A Clear Cybersecurity Development Interface Agreement is the Key to start with and Assessments and Audits can ensure compliance along way.

Check out the model today and Share your comments on what you think below ... Drop me a email if you don't have a copy yet.

Do you need Consulting support for ASPICE / Functional Safety & Cybersecurity?. Then contact us - ram@knot-tek.com or visit Knot-Tek.com

Do you share your thoughts or comments below and let's talk...