Accessibility Tools

  • Content scaling 100%
  • Font size 100%
  • Line height 100%
  • Letter spacing 100%

Implementation of

Cybersecurity Management Systems

Which requirements must be taken into account?

Implementation of

Cybersecurity Management Systems

Which requirements must be taken into account?

Management of cybersecurity systems

The ISO/SAE 21434 standard differentiates between a CSMS for the organization and the application of the CSMS at product level. At product level, a differentiation is made via the product life cycle. This is because this kind of system (section 5) must cover the entire cycle of a vehicle, starting with the design phase, planning of production, development, through the supply chains, to commissioning and ultimate scrapping. 

In the organization, responsibilities for cybersecurity activities must be clarified at the project level and communicated to authorities. For each item, a cybersecurity plan must be designed that reviews a product in the portfolio for its relevance to cybersecurity, as well as whether it is a new development or reuse. Once a process is established at the organizational level, it must pass a cybersecurity audit by an independent auditor.

The (6.6) attack path analysis produces a list of cybersecurity-relevant vulnerabilities. These can be deficiencies in the implementation, for example. These possible attack paths can be exploited to realize a threat. The possibility of these attack paths is classified in process step (6.7) attack feasibility. 

Finally, the (6.8) risk assessment and treatment is carried out with classification of the identified threat scenarios based on the impact and feasibility of attacks as well as the selection of suitable (6.9) risk treatment options in a risk report. No specific methods are named in the risk assessment. 

The "Cybersecurity Assurance Level" (CAL) is also derived from the risk assessment and is divided into four classes with different levels of criticality. In this context, the CALs represent a qualitative assessment of the product developers. Depending on the objective, certain cybersecurity activities may be redundant. If a component is assigned to the highest level four, it requires a high level of security. 

Design phase of a CSMS

The design phase (section 7) addresses cybersecurity objectives that result from a threat analysis and risk assessment, and defines cybersecurity requirements to help achieve the cybersecurity objectives. 

CSMS for product development

Section 8 goes into detail about the implementation and review of cybersecurity requirements specific to the product development phase. A differentiation is made between a system, hardware and software development phase. The V-model provides a basis here for simply depicting the necessary process steps, in this case the verification and validation steps. As with functional safety, traceability is particularly important. Furthermore, all physical and virtual interfaces of the hardware should be identified in terms of cybersecurity with regard to their purpose, use and parameters. After all, in the event of an attack, these also represent possible entry points. 

For work on software in the cybersecurity environment, the standard specifies that the requirements are derived from the cybersecurity system and associated software modules. The specification and implementation of the software must be constant and dynamically verifiable. 

Production, operation and maintenance

Section 9 focuses on the production, operation, and maintenance phases. Specifically, it requires processes for monitoring cybersecurity activities to collect and evaluate relevant data. Also mentioned are the handling and response to cybersecurity incidents, as well as cybersecurity events and basic cybersecurity requirements and capabilities.

Supporting processes

The supporting processes described in the last section (section 10) aim to define interactions, dependencies and responsibilities between customers and suppliers.

Current challenges and solutions in practice

In summary, a cybersecurity management system involves a variety of parameters and processes, with several factors to consider when implementing it. Potential problems include missing or insufficient compliance monitoring, delays in implementation, missing risk identification processes and lack of transparency. To prevent such challenges from the outset, msg supports you as a competent partner with appropriate tools, solutions and expertise. For example, with THREATGET manufacturers and suppliers have a tool available to prepare the cybersecurity of their vehicle systems for type approval in compliance with the authorities and thus remain competitive in top markets. 

The IT, automotive and homologation experts at msg

msg has in-depth IT and industry expertise. Experts in the areas of cybersecurity and software update management systems as well as electrics/electronics support our customers in identifying relevant regulations, in evaluating company-specific processes and homologation procedures up to obtaining type approval. From consulting, conception, functional specification up to the implementation of IT systems – we are ready to help.

Do you have any questions?

Christina Brandstetter msg Automotive 150x150 v1

Christina Brandstetter
Business Development Automotive

Contact our expert now

How can we assist you?

Kontaktieren Sie uns!

Invalid Input