Cyber Security – Validation Concept and Process

Validation of the implemented measures is key to understanding whether the cyber security goals have been achieved and the requirements have been implemented correctly. Validation shall also be repeated whenever new threats are identified or major updates are introduced. The validation process shall define how the activities related to cyber security validation are planned, conducted and documented, from component level up to vehicle level.

The validation process should also define clear roles and responsibilities for everyone involved, both within the organisation and outside it (e.g. Tier 1 suppliers); this helps to avoid duplication of effort and makes the process more efficient and robust. Additionally, the validation process should cover specific validation activities such as security evaluations by appropriate means (e.g. penetration testing, vulnerability scanning or fuzz testing), covering all levels of the ADF. The expertise required to conduct these activities shall also be clearly defined in the process. The guidelines in ISO/SAE 21434 (2021) and ISO/SAE AWI TR 8477 (under development) are recommended as a reference.

Main Question

Is a cyber security validation process clearly defined and followed, as part of the overall validation concept?

Sub-Questions

  1. Are roles and responsibilities, as well as the required expertise for conducting specific validation activities, clearly defined?

References