In the coming decade, billions of internet-connected devices are coming online. We're already seeing many seep into our households: smart speakers, thermostats, and fridges, to name a few. In mobility, autonomous fleets and vehicles are being simulated and driven all over the US. While innovation in these technologies is exciting, vulnerabilities will always follow. This blog series will focus on breaking down the J3061 document to help suppliers and OEMs understand what is expected for cyberphysical security in the coming years.
The goal of J3061 is to help engineers, developers, and managers use a framework for integrating cybersecurity with cyberphysical systems. It's viewed as a “Lifecycle process framework that can be tailored for any organization through concept – production – operation – service – decommissioning.”
J3061 provided the Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. The guidebook's evolution is ISO 21434, which will come out later in 2020. While J3061 is a digestible first step, how does an automotive supplier or OEM approach an initiative as large as this? What are the requirements and deliverables? While J3061 provides a high-level overview, ISO 21434 will provide actionable steps and requirements for compliance, processes for managing cybersecurity, and a global specification everyone will abide by. Until then, our series, Breaking Down The Guide For Cyber Physical Systems With ISO/SAE 21434, will fill this void of uncertainty. By the end of the series, expect to have a grasp on what it takes to implement J3061 for ISO 21434 compliance. We'll provide examples, frameworks, and processes that a business can put into practice.
In any enterprise landscape, it's common to see a bolt-on approach to cybersecurity. J3061 and SAE/ISO 21434 are reframing the argument by incorporating cybersecurity processes throughout the entire lifecycle instead of taking a reactive, bolt-on approach. This requires processes, management of security, and a culture to sustain it. It develops a stable foundation so products cannot be tampered with or manipulated in any way that strays from their original purpose.
The issue we see time and time again is that technology and innovation move at such a rate that the security posture of a product or infrastructure starts to crumble because of how security was implemented (a cybersecurity-at-the-end approach). By using J3061 as a guide for cyberphysical security, products will be created on a foundation that is much more resilient to change and the dynamics of technology.
Mobility in particular is a focal point for implementing J3061 because a breach or hack there will steal much more than data: the physical and cyber worlds converge, and an attack can cause physical harm and damage. The automotive industry has itself spent years developing a similar framework for properly testing its systems: safety.
Safety vs. Cybersecurity.
e on the
Getting Started With J3061.
Questions to ask your teams in determining cybersecurity related risks:
- How is this data stored?
- How is this data exposed and written?
- Who are the players of your system and how do they interact with it?
- If breached, what mechanisms of safety and cybersecurity will it expose?
Implementing checkpoints (gate reviews) is another vital step in developing cybersecurity processes. What are the checkpoints in the product lifecycle where cybersecurity and safety teams communicate? Establishing these gate reviews enables the two parties to exchange information on potential risks. The key is giving the cybersecurity team an all-encompassing view of the product lifecycle while improving cybersecurity knowledge in parallel. This allows them to draft and improve their threat models and security processes indefinitely.
Product Development Phase