Dennis Kengo Oka
Senior Principal Automotive Security Strategist and Executive Advisor
Embedded World China 2023, Shanghai, China
2023/6/15

Adopting ISO/SAE 21434
Overcoming Organizational Cybersecurity Challenges and Handling Cross-Cutting Concerns between Cybersecurity and Functional Safety

2023 Synopsys, Inc.

Synopsys Confidential Information

Dennis Kengo Oka
Senior Principal Automotive Security Strategist and Executive Advisor
- Ph.D. in Automotive Security from Chalmers University of Technology, Sweden
- Started working on automotive security in 2006
- Contributed to improving security at multiple OEMs and suppliers
- Standardization and best practices activities: JASPAR, LTA TR-68, OpenChain Automotive WG, Uptane
- 70+ publications and presentations at, e.g., SAE World Congress, JSAE, escar, Embedded World, Code Blue
- Author of the book: "Building Secure Cars: Assuring the Automotive Software Development Lifecycle"

Agenda
- Introduction to automotive security
- Real-world challenges in adopting ISO/SAE 21434
- How to overcome the challenges and handle cross-cutting concerns

Major Trends
- Connectivity
- Autonomous Driving
- Shared and Services
- Electrification
- Cybersecurity

Overview
[Figure labels: Connected Platform, Cellular, Connected Car, Wi-Fi, Bluetooth, TCU/IVI, Gateway, ECUs]
TCU: Telematics Control Unit
IVI: In-Vehicle Infotainment
ECU: Electronic Control Unit
Ref: wireless car by Popular from the Noun Project, cloud server by Philipp Petzka from the Noun Project

ISO/SAE 21434
- ISO/SAE 21434 Road Vehicles - Cybersecurity Engineering
- Jointly published standard by ISO and SAE in August 2021
- Contents:
  - Organizational cybersecurity management
  - Continual cybersecurity activities
  - Concept
  - Product development
  - Cybersecurity validation
  - Production, Operations & Maintenance
  - Threat analysis and risk assessment methods

First Steps
1. Analyze existing organization structure, policies, processes, documents etc.; identify missing pieces for ISO/SAE 21434
2. Create a framework for ISO/SAE 21434 based on key processes and activities
3. Identify and engage with stakeholders (product teams, etc.), related disciplines (safety, legal etc.) to increase awareness and collaboration
4. Create and review missing processes, guidelines, templates
5. Use pilot product teams to deploy ISO/SAE 21434 activities and collect feedback

Organizational Cybersecurity Management
- Policies
- Processes
- Roles and responsibilities
- Cybersecurity culture
- Management systems
- Audit

Policies
Challenges:
- Define new cybersecurity policy
- Spread awareness and enforcement of policy
Proposals:
- Management buy-in
- Policy awareness sessions
[Diagram labels: Policy, Processes, Roles and responsibilities, Resources; relations: Enforced by, Enabled by, Ensured by]

Processes
Challenges:
- Multiple similar processes
  - FuSa (Functional Safety)
  - Secure SDLC
  - ASPICE
  - IT/Corporate security processes
- New processes for ISO/SAE 21434
Proposals:
- Align/consolidate processes
- Consolidate or reuse systems, procedures, guidelines, templates:
  - Requirements management
  - Continuous improvement process
  - Information sharing
  - Risk management
  - Vulnerability disclosure
  - Code review
SDLC: Software development lifecycle

Roles and responsibilities
Challenges:
- New security roles
  - Security Manager
  - Security Architect
  - Security Engineer
  - Security Tester
- Limited security team members
- Product team and security team relationship is immature or not well defined
Proposals:
- Role definition
- Assignment of roles
- Establish dedicated security team
- Establish relationship between product team and security team

Cybersecurity Culture
Challenges:
- Security awareness/priority is low
- Focus on development
- Unfamiliar with security
- Limited security resources
Proposals:
- Improve security mindset
- Security training
- Establish security champions
- Hire security experts
- Collaborate with third-party security companies

Management Systems
Challenges:
- Multiple similar systems
  - FuSa (Functional Safety)
  - Secure SDLC
  - IT/Corporate security processes
Proposals:
- Consolidate or reuse systems
  - Change management
  - Documentation management
  - Configuration management
  - Requirements management
  - Tool management

Audit
Challenges:
- New requirement for ISO/SAE 21434
Proposals:
- Establish plan for audit
- Refer to ISO 5112
ISO/PAS 5112:2022 Road vehicles - Guidelines for auditing cybersecurity engineering

Product Development Process
[Diagram labels: IT and Corporate Security Process, FuSa (Functional Safety), Secure SDLC, ISO/SAE 21434, Product Development Process, Requirements Management, Vulnerability Disclosure, Risk Management, Code Review]

FuSa and Cybersecurity
FuSa:
- Item definition (ISO 26262-3: WP 5.5.1)
- HARA (ISO 26262-3: WP 6.5.1)
- Safety goals
- Functional safety concept (ISO 26262-3: WP 7.5.1)
- Safety plan (ISO 26262-2: WP 6.5.3)
- Safety case (ISO 26262-2: WP 6.5.4)
- Safety validation (ISO 26262-4: WP 8.5.1, 8.5.2)
- Overall management and supporting processes:
  - Safety culture
  - Competence management
  - Requirements management
  - Configuration management
  - Change management
  - Documentation management
Cybersecurity:
- Item definition WP-09-01
- TARA WP-09-02
- Cybersecurity goals WP-09-03
- Cybersecurity concept WP-09-06
- Cybersecurity plan WP-06-01
- Cybersecurity case WP-06-02
- Cybersecurity validation WP-11-01
- Overall management and supporting processes:
  - Cybersecurity culture
  - Competence management
  - Requirements management
  - Configuration management
  - Change management
  - Documentation management
Similar activities and work products
HARA: Hazard Analysis and Risk Assessment
TARA: Threat Analysis and Risk Assessment

Align Safety and Security Processes - Example Before
Security:
- Security Goals WP-09-03
- Security Requirements WP-10-01
- Security Concept WP-09-06
Safety:
- Safety Goals
- Technical Safety Requirements (ISO 26262-4: WP 6.5.1)
- Functional Safety Concept (ISO 26262-3: WP 7.5.1)
Conflicts or contradictions between safety and security

Align Safety and Security Processes - Example After
Security:
- Security Goals WP-09-03
- Security Requirements WP-10-01
- Security Concept WP-09-06
Safety:
- Safety Goals
- Technical Safety Requirements (ISO 26262-4: WP 6.5.1)
- Functional Safety Concept (ISO 26262-3: WP 7.5.1)
[Diagram labels: three "Review" / "OK?" checks]

Safe and Secure Coding
- Documentation of the software development environment (ISO 26262-6: WP 5.5.1)
- MISRA C coding guidelines
- Documentation of the modelling, design or programming languages and coding guidelines WP-10-03
- CERT C coding guidelines
- Internal safe and secure coding guidelines standard
- Train developers
- Configure checkers in static analysis tools

Lessons Learned - Call to Action
Challenges to deploy ISO/SAE 21434:
- ISO/SAE 21434 is challenging to implement because many different parties need to align to develop a safe and secure product
- Not only establishing policies and processes but also gaining acceptance from teams/management
Consider how to address challenges:
- Requires creating new roles and changing processes/tasks in the organization
- Start with a small pilot project to gain acceptance before rolling out
- Engage with product teams, collect feedback and make improvements

Thank You

Synopsys Automotive Software Cybersecurity & Quality
Coverity (Static Analysis):
- Find critical defects and vulnerabilities in code
- Automotive compliance (MISRA, ISO26262)
- Security: CERT-C and CWE Top 25
Black Duck (OSS Management):
- Generate SBOM for supply chain management
- Find known vulnerabilities in OSS
- Alerts for newly detected vulnerabilities
Defensics (Fuzz Testing):
- Fuzzing for automotive protocols
- Find vulnerabilities before hackers
- CAN, Ethernet, WiFi, Bluetooth, IPv4, mp3, mp4
Security Services:
- Security testing services
- Best practices consulting
- Gap analysis/remediation planning