
Annex E of ISO/SAE 21434 provides a high-level overview of the Cybersecurity Assurance Level (CAL) classification scheme, outlining methods for determining and applying CAL during the product development lifecycle. While ISO/SAE 21434 does not mandate the use of CAL concepts, these concepts can be beneficial in streamlining discussions and improving consistency within the supply chain. However, a limitation of Annex E is that it lacks the necessary provisions for companies that choose to adopt the CAL classification scheme. To address this gap, a draft for a new standard, ISO/SAE CD PAS 8475 – Road Vehicles – Cybersecurity Assurance Levels and Targeted Attack Feasibility (TAF), has been introduced. In this article, we aim to simplify the CAL classification concept, the CAL determination process, and its usage, based on the two standards mentioned above, with appropriate examples.
Introduction to CAL
The Cybersecurity Assurance Level (CAL) specifies the criteria required to maintain security throughout a product’s (i.e. item/component) lifecycle. A CAL is determined during the concept phase of item or component development and remains fixed throughout specification, design, and implementation to provide a consistent assurance target. This consistency facilitates efficient communication across the supply chain. There are four levels of CAL (CAL1 to CAL4). Each increment in CAL level corresponds to an increase in the assurance of the item or component through design, verification, and cybersecurity assessment. Table 1 provides an overview of the application of CAL levels, with an example in the context of autonomous vehicle systems.
CAL Determination
CAL is only indirectly related to risk: it cannot be determined directly from the risk value derived from the Threat Analysis and Risk Assessment (TARA). The risk value is dynamic, varying over time depending on the specification, design, implementation and operational environment of the item or component, whereas the CAL expresses a level of assurance that remains constant over time. CAL can still be determined and applied to items or components that were not originally developed with CAL. Although CAL remains constant throughout the product’s lifecycle, it can be changed during an update to the item/component, or it may be adjusted, with a rationale, based on consideration of other static risk factors.
Note: Static risk factors are those which are stable and are unlikely to change for the duration of development of an item or component, such as architectural decisions.
Table 2 below provides the CAL determination matrix based on the impact and attack vectors (ISO/SAE 21434:2021, RQ-15-05 and G.4).
If the impact factor is negligible for a threat scenario, CAL can be omitted.
Note: As per ISO/SAE 21434:2021, [PM-06-08], for threat scenarios of risk value 1 that are determined from an analysis in accordance with 15.8, conformity with 9.5, Clause 10 and Clause 11 may be omitted.
The impact factors of the above CAL determination matrix can be determined from the results of the TARA work products [WP-15-03] and [WP-15-04] of ISO/SAE 21434.
The attack vectors in the matrix indicate the attack feasibility rating for the following criteria (ISO/SAE 21434:2021, G.4), which are the result of the TARA work products [WP-15-05] and [WP-15-06] of ISO/SAE 21434.
If the risk treatment decision for a threat scenario includes reducing the risk (as a result of [WP-15-08] of ISO/SAE 21434), then one or more corresponding cybersecurity goals shall be specified and if applicable, a CAL can be determined for each cybersecurity goal. If multiple threat scenarios with different CALs are related to a single cybersecurity goal, the CAL assigned to the cybersecurity goal shall be the maximum of all determined CALs for relevant threat scenarios. An item or component to which cybersecurity requirements are allocated shall inherit the highest CAL of all allocated cybersecurity requirements.
To summarize the CAL determination process, it begins at the concept phase during TARA by considering the threat scenario(s) and determining the impact rating and attack feasibility rating. CAL levels may vary for each threat scenario; however, the highest CAL level will be assigned to the item/component.
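The aggregation rules above (maximum CAL per cybersecurity goal, highest CAL inherited by the component, CAL omitted for negligible impact) can be checked mechanically over TARA results. The following is an added example, not code from either standard; the scenario names, goal and requirement IDs, and CAL values are constructed, and it assumes a requirement carries the CAL of the goal it refines.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ThreatScenario:
    name: str
    impact: str            # negligible | moderate | major | severe
    cal: Optional[int]     # value read from the CAL matrix (1-4); constructed here
    treatment: str         # risk treatment decision from the TARA
    goal: Optional[str]    # cybersecurity goal the scenario relates to

def goal_cals(scenarios):
    """CAL per cybersecurity goal = maximum CAL of its related threat scenarios."""
    result = {}
    for ts in scenarios:
        if ts.treatment != "reduce" or ts.goal is None:
            continue                      # goals are specified only when risk is reduced
        if ts.impact == "negligible" or ts.cal is None:
            continue                      # CAL can be omitted for negligible impact
        if not 1 <= ts.cal <= 4:
            raise ValueError(f"{ts.name}: CAL must be 1..4, got {ts.cal}")
        result[ts.goal] = max(result.get(ts.goal, 0), ts.cal)
    return result

def component_cals(goal_cal, allocations):
    """CAL per component = highest CAL among its allocated requirements."""
    # Assumption: each requirement carries the CAL of the goal it refines.
    result = {}
    for _req_id, goal, component in allocations:
        cal = goal_cal.get(goal)
        if cal is not None:
            result[component] = max(result.get(component, 0), cal)
    return result

# Constructed sample data (names, IDs and CAL values are illustrative only).
SCENARIOS = [
    ThreatScenario("TS-01 spoofed brake command", "severe", 4, "reduce", "CG-1"),
    ThreatScenario("TS-02 tampered firmware image", "major", 2, "reduce", "CG-1"),
    ThreatScenario("TS-03 leaked trip history", "moderate", 1, "reduce", "CG-2"),
    ThreatScenario("TS-04 radio preset changed", "negligible", None, "reduce", "CG-3"),
    ThreatScenario("TS-05 diagnostic port misuse", "major", 3, "retain", None),
]
ALLOCATIONS = [  # (requirement id, goal it refines, component)
    ("CR-10", "CG-1", "gateway ECU"),
    ("CR-11", "CG-2", "gateway ECU"),
    ("CR-12", "CG-2", "telematics unit"),
    ("CR-13", "CG-3", "infotainment unit"),
]
COMPONENT_CALS = component_cals(goal_cals(SCENARIOS), ALLOCATIONS)
```

A component whose only allocated requirements trace to goals without a CAL (here the infotainment unit) does not appear in the result, which matches the rule that CAL can be omitted for negligible impact.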
CAL Usage
The determined CAL shall be used to select appropriate methods to perform corresponding cybersecurity activities. The selection of methods may be tailored based on negotiation between customers and suppliers. Examples of CAL usage to select methods for performing cybersecurity activities are given below.
CAL can also be applied to the following verification methods, independent schemes, and completeness categories to provide confidence that the cybersecurity activities are performed with appropriate rigor and the actions taken are appropriate.
Verification Method
- Correct/consistent based: Verifying cybersecurity specifications from higher levels of architectural abstraction.
- Checklist-based: The checklist-based method involves:
  - a checklist of best practices in architecture, design and implementation to achieve security by design, and
  - a checklist of known, relevant weaknesses/vulnerabilities.
- Risk reduction: Verification that cybersecurity controls achieve risk reduction through methods such as simulation or prototyping.
Notation for Independence (I):
Notations for independence are as follows for CAL:
- I1: the activity is performed by a different person in relation to the person(s) responsible for the creation of the considered work product(s);
- I2: the activity is performed by a person who is independent from the team that is responsible for the creation of the considered work product(s), i.e. by a person reporting to a different direct superior; and
- I3: the activity is performed by a person who is independent, regarding management, resources and release authority, from the department responsible for the creation of the considered work product(s).
Completeness:
This method maps cybersecurity controls and specifications to higher-level requirements.
- Mapping cybersecurity controls: Mapping the cybersecurity controls in the cybersecurity specification to higher level requirements and architectural components.
- Mapping all cybersecurity specifications: Mapping all elements of the cybersecurity specification (e.g. privilege level of a processor) to higher level requirements and architectural components.
The table below lists a few cybersecurity activities from ISO/SAE 21434 as an example and determines the level of independence using CAL.
Conclusion
The CAL framework provides a structured and consistent method for conveying the assurance that the protection of an item’s or component’s assets is adequately developed. By establishing clear criteria and maintaining fixed assurance levels throughout the development process, CAL not only enhances the security of individual items/components but also fosters trust and transparency within the supply chain. As industries continue to integrate advanced technologies like autonomous vehicles, adhering to CAL standards becomes essential for ensuring the reliability and security of these systems, ultimately contributing to safer and more secure technological ecosystems. At Block Harbor, we help our customers determine the CAL level of their item and/or component via our dedicated services like TARA and CSMS. To learn more about these and/or other vehicle cybersecurity services, please don’t hesitate to contact us.
References
[1] ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering
[2] ISO/SAE CD PAS 8475 Road vehicles — Cybersecurity Assurance Levels (CAL) and Targeted Attack Feasibility (TAF)