ISO/SAE 21434 The Guide For Cyber Physical Systems: The V Model Machine

The previous posts outlined how to think about what a security design for ISO/SAE 21434 might look like. ISO/SAE 21434 in it’s current state is vague, we want to be able to demystify what the standard is trying to achieve. It’s easy to forget that the automotive industry is a monolith of software and hardware which enables a platform for building vehicles. It’s an industry that produced a product that was not meant to be connected. It’s now going through digital transformation to electrify and connect forming a mobility ecosystem. On the otherside of this frontier lies a chain of suppliers whom are bound by requirements ensuring safety and security practices are enforced throughout their organization and the rest of the chain.
 
The issue lies within how such requirements are implemented, how these are iterated, improved, and what holds them accountable to supply for OEMs ISO/SAE 21434 is merely a stepping stone. As it develops and other standards are implemented, those who take action now are the pioneers the first movers to comply and set an example to work with manufacturers.
 
The writers of ISO/SAE 21434 themselves have mentioned that by no means does this standard provide an actionable list of items that suppliers and manufacturers can act upon currently. Our goal for this series is to decrypt this standard to drive a mindset towards iterative, secure design that will be seen in future mobility infrastructures.

Integration and Iteration for Secure Design

In secure design there’s a requirement to iterate, and iterate often. This kind of iteration is a natural process in hardening secure infrastructure and design. It’s an evolution of a sort. For any sort of product, there will be updates, versioning, 0-days discovered, supply chain attacks, and other unexpected events that occur, but it’s through this evolution that allows security to be flexible, and resilient.

In ISO/SAE 21434, there’s this concept known as the V Model. The V Model visualizes the iterative security design process mentioned previously. In hardware and software, there will be many components and features involved in it’s product lifecycle, with these components, underlie a supply chain of manufacturers, suppliers, contractors, and third-party software. As this chain grows, security becomes more fragmented and as a result, the whole system will start to fall apart.
 
ISO/SAE 21434 explains the refinement of design and verification process as a machine in which cybersecurity designs are the inputs and processed to produce a refine output. This process serves as a core tenet throughout cyber-physical ideology.

What ISO/SAE 21434 frames how the machine will function, but does not provide solutions for how the device is built and what model of management should be used to maintain the overall process.

Breaking Down The V Model

Now that we’re equipped with our cybersecurity concept and requirements, we need to beta test our requirements and verify how effective our initial cybersecurity design is. In ISO/SAE 21434, this phase is called Refinement of Requirements and Design.
 
Iteration of our cybersecurity requirements will begin at this phase. The goal of this phase is to ensure your requirements and design will hold up with your design processes. To help improve the design and requirements, the refinement is a means to improve the design over cycles of verification. 
 
For example, assume our system is a cloud based infrastructure using Amazon Web Services (AWS). A cybersecurity requirement for this infrastructure is to ensure all data at rest is kept private and secure. Under this requirement, a concept of readily detecting all bucket misconfigurations is implemented before deploying into production. This is because a misconfigured bucket with loose permissions can be readable by unauthenticated parties which, in turn, infringe on the Confidentiality of customer data. 
 
During the refinement and verification phase it was discovered that data in transit will need to be private and secure also. So the requirement is amended to ensure all data at rest and in transit is kept private and secure. 
 
A basic example, but this is an exercise to the reader to think about future-proofing their infrastructures through iteration.
 
The V model provides an encapsulating scope in the shape of a V, the model is used to follow a hardware and software product lifecycle such as RMS & S-SDLC. As stated previously, this model can be thought of a machine with input such as design and it leverages security controls to adhere to requirements. As the machine runs, will iterate over the inputs and produce an improved version of it.

Verification Reviews: The Catalyst for Iterative Design

Also known as Gate Reviews in J3061. This idea of gate/verification reviews and the V Model is pioneered by ISO 26262 The Road Vehicles — Functional safety standard. ISO/SAE 26262 and ISO/SAE 21434 go hand in hand due to the fact that cyber physical safety is at risk. The controls designed for ISO/SAE 21434 overlap with ISO/SAE 26262 and are implemented at the cost of it also. The verification reviews are a means to reference and iterate over design but also a process to open a communication channel for reviewing the effect of design on other ISO standards and regulation.
 
In your machine the verification reviews serve as the gatekeepers while the processes to which are reviewed is based on a principle known as Cybersecurity Assurance Levels. The V Model Machine will use these categorizations of security levels to derive whether a requirement was met or not.

Cybersecurity Assurance Level (CAL)

The Cybersecurity Assurance Level (CAL) are an umbrella of checks used to associate your cybersecurity goals to requirements. It provides a value of measure and scope of responsibility for the particular goal in question. According to ISO/SAE 21434, CALs can be assigned to multiple goals to which the highest CAL is 11. Goals are organized under each CAL umbrella and recorded on a verification report for review, and system iteration. 
 
Examples of CALs from ISO/SAE 21434
CAL1 – Developers or users require a low to moderate level of independently assured cybersecurity.
 
CAL2 – Developers or users require a moderate level of independently assured cybersecurity and require a thorough investigation of the item without substantial re-engineering.
 
One can assume that these are the core of the requirements that OEMs will pass down to suppliers where they are given a sheet of requirements with CALs associated with each requirement on the supplier’s list and is required to comply. 
 
In the next blog post we’ll look further into this approach, what we can expect with automotive and embedded based Cybersecurity Assurance Levels and how it all fits into the V Model.