Annex E of ISO/SAE 21434 provides a high-level overview of the Cybersecurity Assurance Level (CAL) classification scheme, outlining methods for determining and applying CAL during the product development lifecycle. While ISO/SAE 21434 does not mandate the use of CAL concepts, these concepts can be beneficial in streamlining discussions and improving consistency within the supply chain. However, a limitation of Annex E is that it lacks the necessary provisions for companies that choose to adopt the CAL classification scheme. To address this gap, a draft for a new standard, ISO/SAE CD PAS 8475 – Road Vehicles – Cybersecurity Assurance Levels and Targeted Attack Feasibility (TAF), has been introduced. In this article, we aim to simplify the CAL classification concept, the CAL determination process, and its usage, based on the two standards mentioned above, with appropriate examples.
Introduction to CAL
The Cybersecurity Assurance Level (CAL) specifies the criteria required to maintain security throughout a product’s (i.e. item/component) lifecycle. A CAL is determined during the concept phase of item or component development and remains fixed throughout specification, design, and implementation to provide a consistent assurance target. This consistency facilitates efficient communication across the supply chain. There are four levels of CAL (CAL1 to CAL4). Each increment in CAL level corresponds to an increase in the assurance of the item or component through design, verification, and cybersecurity assessment. Table 1 provides an overview of the application of CAL levels, with an example in the context of autonomous vehicle systems.
CAL Level | Security Criteria | Example w.r.t. Autonomous Vehicle Systems |
CAL1 | Low to moderate | Infotainment System (IS) – Breach in IS has minimal impact on the vehicle’s safety or critical functions. Note: CAL may vary based on vehicle architecture. |
CAL2 | Moderate | Tire Pressure Monitoring System (TPMS) – Breach in TPMS could lead to incorrect readings and potentially unsafe driving. |
CAL3 | Moderate to high | Vehicle-to-Vehicle (V2V) communication – Breach in V2V could result in collision and other safety hazards. |
CAL4 | High | Autonomous driving controls – Compromise in the autonomous driving system may lead to catastrophic consequences, including loss of life. |
CAL Determination
CAL is only indirectly related to risk: it cannot be read directly off the risk value that the Threat Analysis and Risk Assessment (TARA) produces. The risk value is dynamic and varies over time with the specification, design, implementation and operational environment of the item or component, whereas the CAL expresses a level of assurance that stays constant over time. A CAL can still be determined and applied to items or components that were not originally developed with a CAL. Although the CAL remains constant throughout the product's lifecycle, it can be changed during an update to the item/component, or adjusted, with a documented rationale, based on other static risk factors. Note: Static risk factors are those that are stable and unlikely to change for the duration of the development of an item or component, such as architectural decisions. Table 2 below provides the CAL determination matrix based on impact rating and attack vector (ISO/SAE 21434:2021, [RQ-15-05] and G.4).
Impact \ Attack vector | Physical | Local | Adjacent | Network |
Severe | CAL2 | CAL3 | CAL4 | CAL4 |
Major | CAL1 | CAL2 | CAL3 | CAL4 |
Moderate | CAL1 | CAL1 | CAL2 | CAL3 |
Negligible | — | — | — | — |
If the impact rating for a threat scenario is negligible, the CAL can be omitted. Note: As per ISO/SAE 21434:2021, [PM-06-08], for threat scenarios with a risk value of 1 determined from an analysis in accordance with 15.8, conformity with 9.5, Clause 10 and Clause 11 may be omitted. The impact ratings used in the CAL determination matrix are taken from the TARA work products [WP-15-03] and [WP-15-04] of ISO/SAE 21434.
The attack vector column of the matrix corresponds to the attack feasibility rating obtained with the attack vector-based approach (ISO/SAE 21434:2021, G.4), which is the result of the TARA work products [WP-15-05] and [WP-15-06] of ISO/SAE 21434. The criteria are as follows:
Attack feasibility rating | Attack vector | Criteria |
High | Network | Potential attack path is bound to the network stack without any limitation. |
Medium | Adjacent | Potential attack path is bound to the network stack; however, the connection is limited physically or logically. |
Low | Local | Potential attack path is not bound to the network stack, and threat agents require direct access to the item to realize the attack path. |
Very low | Physical | Threat agents require physical access to realize the attack path. |
If the risk treatment decision for a threat scenario includes reducing the risk (the result of [WP-15-08] of ISO/SAE 21434), then one or more corresponding cybersecurity goals shall be specified and, if applicable, a CAL can be determined for each cybersecurity goal. If multiple threat scenarios with different CALs relate to a single cybersecurity goal, the CAL assigned to that goal shall be the maximum of the CALs determined for the relevant threat scenarios. An item or component to which cybersecurity requirements are allocated shall inherit the highest CAL of all the cybersecurity requirements allocated to it.
To summarize, CAL determination begins in the concept phase during the TARA: for each threat scenario the impact rating and the attack feasibility rating are determined and looked up in the matrix. The CAL may differ from one threat scenario to another, but the highest CAL propagates to the cybersecurity goal and from there to the item/component.
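The matrix lookup and the two aggregation rules above (maximum per cybersecurity goal, then maximum per item/component) are easy to get subtly wrong in a spreadsheet, for example by letting an accepted scenario or a negligible-impact scenario raise a goal's CAL. The following Python is an added example, not code from ISO/SAE 21434 or from Block Harbor; the threat scenarios, goal names and the allocation of goals to components are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Columns of the CAL determination matrix, in order of increasing attack feasibility.
ATTACK_VECTORS = ("physical", "local", "adjacent", "network")

# Rows: impact rating. Cells: CAL for (impact, attack vector); None means CAL omitted.
CAL_MATRIX: Dict[str, tuple] = {
    "severe":     (2, 3, 4, 4),
    "major":      (1, 2, 3, 4),
    "moderate":   (1, 1, 2, 3),
    "negligible": (None, None, None, None),
}

# Attack feasibility rating (attack vector-based approach, G.4) -> attack vector.
FEASIBILITY_TO_VECTOR = {
    "very low": "physical",
    "low": "local",
    "medium": "adjacent",
    "high": "network",
}


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    impact: str            # negligible | moderate | major | severe
    feasibility: str       # very low | low | medium | high
    treatment: str         # reduce | accept | avoid | share
    goal: Optional[str]    # cybersecurity goal the scenario is mapped to, if any


def determine_cal(impact: str, attack_vector: str) -> Optional[int]:
    """Look up the CAL of one threat scenario in the determination matrix."""
    if impact not in CAL_MATRIX:
        raise ValueError(f"unknown impact rating: {impact!r}")
    if attack_vector not in ATTACK_VECTORS:
        raise ValueError(f"unknown attack vector: {attack_vector!r}")
    return CAL_MATRIX[impact][ATTACK_VECTORS.index(attack_vector)]


def scenario_cal(ts: ThreatScenario) -> Optional[int]:
    """CAL of a threat scenario, mapping its feasibility rating to an attack vector first."""
    return determine_cal(ts.impact, FEASIBILITY_TO_VECTOR[ts.feasibility])


def goal_cals(scenarios: Iterable[ThreatScenario]) -> Dict[str, int]:
    """CAL per cybersecurity goal: the maximum over all scenarios mapped to that goal.

    Only scenarios whose risk treatment is 'reduce' lead to a goal, and scenarios
    with negligible impact contribute no CAL at all.
    """
    result: Dict[str, int] = {}
    for ts in scenarios:
        if ts.treatment != "reduce" or ts.goal is None:
            continue
        cal = scenario_cal(ts)
        if cal is None:
            continue
        result[ts.goal] = max(result.get(ts.goal, 0), cal)
    return result


def component_cal(allocated_goals: Iterable[str], goal_to_cal: Dict[str, int]) -> Optional[int]:
    """A component inherits the highest CAL among the goals (requirements) allocated to it."""
    cals = [goal_to_cal[g] for g in allocated_goals if g in goal_to_cal]
    return max(cals) if cals else None


# Constructed threat scenarios for the worked example (not taken from any real TARA).
SCENARIOS: List[ThreatScenario] = [
    ThreatScenario("TS1 spoofed V2V message triggers emergency braking",
                   "severe", "high", "reduce", "G1 V2V message authenticity"),
    ThreatScenario("TS2 tampered TPMS radio frame reports a false pressure",
                   "moderate", "medium", "reduce", "G2 TPMS data integrity"),
    ThreatScenario("TS3 TPMS ECU firmware replaced over an adjacent bus",
                   "major", "medium", "reduce", "G2 TPMS data integrity"),
    ThreatScenario("TS4 debug port abused with the ECU on a bench",
                   "major", "very low", "accept", None),
    ThreatScenario("TS5 infotainment wallpaper defaced over Wi-Fi",
                   "negligible", "high", "reduce", "G3 infotainment UI integrity"),
]


def worked_example() -> Dict[str, Optional[int]]:
    """Apply the rules to the constructed scenarios and return the CAL per component."""
    goals = goal_cals(SCENARIOS)
    # Hypothetical allocation of goals (through their requirements) to components.
    return {
        "telematics ECU": component_cal(["G1 V2V message authenticity",
                                         "G2 TPMS data integrity"], goals),
        "TPMS ECU": component_cal(["G2 TPMS data integrity"], goals),
        "infotainment head unit": component_cal(["G3 infotainment UI integrity"], goals),
    }


if __name__ == "__main__":
    for ts in SCENARIOS:
        cal = scenario_cal(ts)
        print(f"{ts.name}: {'CAL omitted' if cal is None else f'CAL{cal}'}")
    print(goal_cals(SCENARIOS))
    print(worked_example())
```

Running it shows G2 ending at CAL3 even though its first scenario only yields CAL2, the accepted scenario TS4 contributing nothing, and the infotainment head unit ending with no CAL because its only goal comes from a negligible-impact scenario. Swapping the "accept" on TS4 for "reduce" and mapping it to a goal is a quick way to see how a single treatment decision changes the assurance target of a component.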
CAL Usage
The determined CAL shall be used to select appropriate methods to perform corresponding cybersecurity activities. The selection of methods may be tailored based on negotiation between customers and suppliers. Examples of CAL usage to select methods for performing cybersecurity activities are given below.
Methods | CAL1 | CAL2 | CAL3 | CAL4 |
Analysis against weaknesses derived from known information. See ref. (a) below. | ||||
Search for weaknesses that are not derived from known information. See ref. (b) below. | ||||
(a) Known information can be based on known vulnerability databases, e.g. National Vulnerability Database (NVD). (b) Such a search can be based on expert judgment. |
CAL can also be applied to the following verification methods, independent schemes, and completeness categories to provide confidence that the cybersecurity activities are performed with appropriate rigor and the actions taken are appropriate.
Methods | CAL1 | CAL2 | CAL3 | CAL4 |
Verification | Correct/Consistent | Checklist based | Checklist based | Risk reduction |
Independence | I1 | I1 | I2 | I3 |
Completeness | Mapping cybersecurity controls | Mapping cybersecurity controls | Mapping all cybersecurity specification | Mapping all cybersecurity specification |
Verification Method
- Correct/consistent based: Verifying that the cybersecurity specification is correct and consistent with the specifications at higher levels of architectural abstraction.
- Checklist-based: Checklist-based method involves:
- a checklist of best practices in architecture, design and implementation to achieve security by design, and
- a checklist of known, relevant weaknesses/vulnerabilities.
- Risk reduction: Verification that cybersecurity controls achieve risk reduction through methods such as simulation or prototyping.
Notation for Independence (I):
- I1: the activity is performed by a different person in relation to the person(s) responsible for the creation of the considered work product(s);
- I2: the activity is performed by a person who is independent from the team that is responsible for the creation of the considered work product(s), i.e. by a person reporting to a different direct superior; and
- I3: the activity is performed by a person who is independent, regarding management, resources and release authority, from the department responsible for the creation of the considered work product(s).
Completeness:
This criterion concerns how much of the cybersecurity specification is mapped to higher-level requirements and architectural components.
- Mapping cybersecurity controls: The cybersecurity controls in the cybersecurity specification are mapped to higher-level requirements and architectural components.
- Mapping all cybersecurity specifications: All elements of the cybersecurity specification (e.g. the privilege level of a processor) are mapped to higher-level requirements and architectural components.
The table below lists a few cybersecurity activities from ISO/SAE 21434 as an example and determines the level of independence using CAL.
Activity | ISO/SAE 21434:2021 Requirements | CAL1 | CAL2 | CAL3 | CAL4 |
Verification of TARA, cybersecurity goals and cybersecurity claims | [RQ-09-07] | I1 | I1 | I2 | I3 |
Analysis of architectural design | [RQ-10-07] | I1 | I1 | I2 | I3 |
Verification of cybersecurity concept and design activities | [RQ-09-11] [RQ-10-08] | I1 | I1 | I2 | I2 |
Cybersecurity validation | [RQ-11-01] | I1 | I1 | I2 | I2 |
Cybersecurity assessment | [RQ-06-27] | I1 | I1 | I2 | I3 |
Conclusion
The CAL framework provides a structured and consistent way of conveying the assurance that the protection of an item's or component's assets is adequately developed. By establishing clear criteria and keeping the assurance level fixed throughout development, CAL not only supports the security of individual items/components but also fosters trust and transparency within the supply chain. As the industry continues to integrate technologies such as autonomous driving, applying CAL becomes an important part of ensuring the reliability and security of these systems. At Block Harbor Cybersecurity, we help our customers determine the CAL of their items and/or components through dedicated services such as TARA and CSMS. To learn more about these and other vehicle cybersecurity services, please don't hesitate to contact us.
References
[1] ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering
[2] ISO/SAE CD PAS 8475 Road vehicles — Cybersecurity Assurance Levels (CAL) and Targeted Attack Feasibility (TAF)