ISO/SAE 21434 The Guide For Cyber Physical Systems: Cybersecurity Goals and Cybersecurity Concept

TARA completed, now what? Below is an outline of the steps an organization takes after completing a TARA. TARA documents provide crucial information for determining how security can be implemented, and maintained, through the product lifecycle. The TARA deliverables outline attack vectors and the risks derived from them, and present a holistic, transparent view that allows the complete set of attack surfaces to be visualized.
 
Completing a TARA takes effort, particularly in focusing on the appropriate actionable items to pursue. J3061 notes that goals can be determined from the findings of the TARA and then paired with the associated risk from the TARA to paint the whole picture; together they form the content of the cybersecurity concept and the strategy to minimize risk. Once that is completed, the focus shifts to functional security requirements in order to implement risk reduction efforts.

Cybersecurity Goals According to J3061

Although J3061 is a guiding light, the document does fall short in some categories, primarily in the specifics of how to develop cybersecurity goals or how to implement transformational concepts and requirements throughout an organization. Once the risk level for each feature has been obtained through a TARA, the items rated with the highest risk should be given priority.

By Example

For the sake of this example, a TARA has already been completed, so we have a list of risk ratings and the possible attack scenarios derived from them. One such attack with a relatively high risk rating is an unsigned Firmware Over The Air (FOTA) update. Analyzed against the cybersecurity model, this risk infringes on the confidentiality of the information being sent and the integrity of the signed firmware image being sent to the connected fleet of vehicles. A cybersecurity goal is therefore to ensure FOTA updates are signed by an accredited authority and encrypted while in transit. Another goal that may be associated with this is ensuring the FOTA pipeline is immune to tampering and/or disruption. Such cybersecurity goals will often overlap with many other attack scenarios.

Another attack scenario is a Man-In-The-Middle (MITM) attack between the connected fleet and the cloud servers. The cybersecurity goal is to prevent MITM attacks on the infrastructure; this can be accomplished with DNSCrypt, DNSSEC, TLS, MQTT over TLS and so on. These goals can then bubble up into the concept of securing data in transit internally and externally across the entire organization.

Cybersecurity Goals According to ISO/SAE 21434

ISO/SAE 21434 and J3061 have a similar collection of best practices, with ISO/SAE 21434 being a little more precisely defined. In ISO/SAE 21434 a cybersecurity goal covers the protection of assets that, if compromised, would lead to a damage scenario. Goals can be defined for operations, maintenance and decommissioning. ISO/SAE 21434 adds a few processes not referenced in J3061. One such process is cybersecurity claims, which cover risks that the cybersecurity goals do not account for but that still apply to the scenario. Claims act as a fail-safe mechanism for when such risks occur.

These claims include transferring or sharing the risk with another party. In terms of the example above, transferring FOTA updates to a third party such as RedBend or Mformation instead of an in-house FOTA team is a cybersecurity claim. This allows the expected risk to be reduced, and the claim for FOTA updates holds as long as the third party abides by the requirements set in the contract. The ISO/SAE 21434 cybersecurity goals also include a section on maintaining these claims, to ensure they still carry their weight against the cybersecurity goal over time.

The appropriate next step is to converge the cybersecurity goals and the cybersecurity requirements in order to validate the cybersecurity concept.

How J3061 Defines a Cybersecurity Concept

According to J3061, a cybersecurity concept describes a high-level cybersecurity strategy expressed in engineering terms.
 
This is where the effort behind the cybersecurity goals is concentrated, and it is cross-referenced throughout the product lifecycle. J3061 also refers to a cybersecurity concept as a Technical Cybersecurity Concept.

How ISO/SAE 21434 Defines a Cybersecurity Concept

While J3061 provides a high-level description of a cybersecurity concept, ISO/SAE 21434 describes it as a process that brings all the requirements and goals under one umbrella. In ISO/SAE 21434, the concept is verified to ensure conformance with the cybersecurity goals, and consistency and compatibility with the functionality of the item.
 
Think of this concept as a gatekeeper standing at each and every step of the product's lifecycle. The deliverable for maintaining cybersecurity concepts is a report that verifies goals and requirements are being maintained.
The concept, as seen in the figure, is a holistic and actionable overview, but it does not specify in a clear and concise way what in particular is required to maintain it. That is where the cybersecurity plan comes into play.
 
To dive into this further, we can reuse our earlier infotainment system example. We break the infotainment system down into its core components so that each can have a tailored cybersecurity plan.
 
As new features are proposed and developed through the lifecycle, each goes down the cybersecurity plan pipeline, which ensures it stays within the bounds of the concept. For an infotainment unit that extends its capability to connect to the internet, this feature would need to funnel into the cybersecurity plan.

Block Harbor Infotainment Unit Example

Assuming the TARA is finished for our Block Harbor Infotainment Unit, we receive the following deliverable from it.
 
For all intents and purposes, the deliverable items are simplified.

Risk assessment and analysis provide a prioritized list of risks; below are the top three to keep an eye on. The following examples are real exploits and vulnerabilities seen in infotainment units, drawn from the work of Pwn2Own, Keen Security Lab and independent security researchers across the space.

Vulnerable Ports on WiFi Hotspots

Attack Description
Attackers scan the device for open ports and discover services running on the infotainment unit that are vulnerable to remote code execution.
 
Attack Classification
Remote Code Execution – The attacker was able to exploit a vulnerable service and execute code on the device.
 
Mitigation
In production, close ports that are unnecessary. Interfaces such as USB or the hotspot may open them, but these should be closed or filtered. Debug/development ports should be open only in development.

Malicious Firmware Update via USB

Attack Description
Finding an old image on the internet or logging into a customer portal to download another image, an attacker manipulates the firmware update in a way that leads to a compromised device.
 
Attack Threat
Unsigned Code Install – The attacker was able to use an image to leverage an unsigned code install that compromised the device. This opens the possibility for attackers to flash a vehicle with their malicious package and sell it to another user, collecting information throughout the vehicle's lifetime.
 
Mitigation
Ensure firmware updates are signed before they are installed.

Unauthorized Vehicle Commands via Connected Application

Attack Description
A vulnerability in an API used on mobile devices allows an attacker to control any connected fleet of vehicles via an OBDII dongle linked to a connected application on a mobile device.
 
Attack Threats
Unauthorized Commands on Vehicle – Exploiting the application allowed the attacker to execute commands on the CAN network.
 
Mitigation
Harden authorization on the mobile application and the cloud backend to prevent unnecessary commands on the CAN bus.

Cybersecurity goals and concepts are then formed to maintain the security posture of these features and products over their lifetime.

For the sake of the example we will use summarized cybersecurity goals and cybersecurity concepts derived from the examples above.

Vulnerable Ports on WiFi Hotspot

Cybersecurity Goals
Enforce least privilege throughout the software and hardware stack on the device.
 
Cybersecurity Concepts
All services the user interacts with on the device will be executed under the user and group iviuser.
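One way to check this concept, together with the "close unnecessary ports in production" mitigation above, on a candidate production build. This is an added example, not Block Harbor's or the page's code: the "port service user" listing format, the sample listing and the allowlist are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditProduction checks the two concepts from the text against a socket listing:
// only allowlisted ports may listen on a production build, and every user-facing
// service must run as wantUser (iviuser) rather than root. The listing format
// "port service user" is constructed for this example, not a real tool's output.
// One finding string is returned per violation; an empty result means compliant.
func AuditProduction(listing string, allowed map[int]bool, wantUser string) []string {
	var findings []string
	for _, line := range strings.Split(strings.TrimSpace(listing), "\n") {
		var port int
		var service, user string
		if _, err := fmt.Sscanf(line, "%d %s %s", &port, &service, &user); err != nil {
			continue // malformed line: skipped here, a real audit should flag it
		}
		if !allowed[port] {
			findings = append(findings, fmt.Sprintf("port %d (%s) is not on the production allowlist", port, service))
		}
		if user != wantUser {
			findings = append(findings, fmt.Sprintf("port %d: %s runs as %s, expected %s", port, service, user, wantUser))
		}
	}
	return findings
}

// constructedListing is sample data: an ADB debug port and a root telnet daemon
// were left enabled on what should be a production image.
const constructedListing = `
443 mqtt-agent iviuser
5555 adbd root
23 telnetd root
8080 media-ui iviuser
`

// ProductionAllowlist is the hypothetical set of ports the unit needs in the field.
var ProductionAllowlist = map[int]bool{443: true, 8080: true}

func main() {
	for _, f := range AuditProduction(constructedListing, ProductionAllowlist, "iviuser") {
		fmt.Println(f)
	}
}
```

Run against a real unit, the listing would come from the build's socket inventory and the audit would gate the release pipeline.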

Malicious Firmware Update via USB

Cybersecurity Goals
Ensure the integrity and confidentiality of all updates on the device
 
Cybersecurity Concepts
Sign all software updates with private keys and do not expose any update mechanism to the user of the vehicle.
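The signed-update concept above, the FOTA goal from the J3061 example and the USB firmware scenario all come down to the same check on the unit: verify the manufacturer's signature before flashing, and refuse rollbacks. This is an added example, not Block Harbor's or the page's code; the manifest layout, the key pair and the image bytes are constructed assumptions, and Ed25519 from Go's standard library stands in for whatever signing scheme the accredited authority actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update header (not a Block Harbor or vendor format). The OEM
// key signs version || image, so neither can be changed on a USB stick or in transit.
type Manifest struct {
	Version   uint32
	Signature []byte
}

// signedBytes builds the exact byte string the signature covers.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// SignUpdate runs on the OEM signing server, the only place the private key exists.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	return Manifest{version, ed25519.Sign(priv, signedBytes(version, image))}
}

// VerifyUpdate runs on the unit before anything is flashed. It holds only the public
// key and rejects an unsigned or tampered image and a rollback to an old version.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, image), m.Signature) {
		return errors.New("signature invalid: image unsigned, tampered or wrong key")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed: rollback refused")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed OEM key pair
	image := []byte("constructed firmware image bytes")
	m := SignUpdate(priv, 2, image)
	fmt.Println("genuine:", VerifyUpdate(pub, m, image, 1))
	image[0] ^= 0xff // image altered after signing
	fmt.Println("tampered:", VerifyUpdate(pub, m, image, 1))
}
```

On a real unit the public key would be pinned in immutable storage or a secure element, and the installed version kept in anti-rollback storage, so that neither can be swapped along with the image.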

Unauthorized Vehicle Commands via Connected Application

Cybersecurity Goals
Implement DevSecOps throughout software and hardware
 
Cybersecurity Concepts
Secure code reviews are required after each major version deployment, with automated security tests run in parallel.
  
In the next section we will discuss how this process is implemented in hardware and software, and break down the V-shaped model discussed in J3061 and ISO/SAE 21434.