ISO/IEC JTC 1/SC 27 N 22089, ISO/IEC PWI 5888 Information security, cybersecurity and privacy protection -- Security requirements and evaluation activities for connected vehicle devices

Scope

This standard provides security requirements and evaluation activities for connected vehicle devices following the ISO/IEC 15408 framework. The framework also defines a procedure to develop accurate security requirements and objective evaluation activities.

In this standard, connected vehicle devices are components installed in a vehicle that may have well-known vulnerabilities listed in WP.29 R155, especially those that are remotely accessible and cause severe damage if successfully exploited.

Any party, such as developers, information security service providers and ISO/IEC 15408 evaluation laboratories, can test and evaluate the security functionalities of those devices based on the security requirements and evaluation activities in this standard.

Purpose

This International Standard (IS) provides common security requirements and evaluation methods based on ISO/IEC 15408 and 18045 for components in connected vehicle devices, such as road vehicles or self-driving cars, especially those that provide a network connection through which an attacker can gain access to the internal network. The damage caused by attacks on such devices is huge, and independent security evaluations are necessary to reduce risks. This IS aims to support the development of protection profiles and relevant supporting documents to facilitate ISO/IEC 15408 evaluations for those devices, but it can also be used to supplement relevant standards such as ISO/SAE 21434 by providing more detail and specificity to the security requirements and evaluation activities. In order to ensure efficient applicability, this standard is also intended to satisfy the following requirements as described in WG3 N1799:

Requirements for connected vehicle assurance

The definition of an assurance scheme for connected vehicles must meet the following requirements when considering eco-system specific market needs:

• E1 - Adaptation to domain: The selected cybersecurity assurance approach for connected vehicles and their components must include the most appropriate assurance activities (e.g. engineering, assessment, certification) for the target and to meet the assurance needs of the stakeholders (vehicle manufacturers, suppliers, consumers, governments).

• E2 - Adaptation to supply chain: The selected cybersecurity assurance approach for connected vehicles and their components must take into account intellectual property constraints between stakeholders and further aspects of inter-organizational collaboration.

• E3 - Agile and cost-effective assurance process: The selected cybersecurity assurance approach for connected vehicles and their components has to be agile in order to accommodate fast turn-around and frequent update deployment. It must support more agile and flexible reaction time from stakeholders (industry, evaluation bodies, certification agencies, SOG-IS), in order to have fixed development planning and acceptable time to market.

• E4 - Appropriate laboratory competence: Evaluation laboratories conducting connected vehicle security evaluations must have capabilities (i.e. people, process and technology) in both cybersecurity and automotive technology.

• E5 - Appropriate accreditation: In order to answer the need for skilled experts with competence in both the automotive domain and security certification, an accreditation scheme must be defined that ensures appropriate and consistent competence across laboratories.

• E6 - Integrated assurance lifecycle: Certification of elements containing components that are also certified must be feasible in a reasonable time. The timeline for defining a common PP must be anticipated so that it does not jeopardize time to market. When several organizations cooperate in a distributed development, overhead and costs brought by the assurance scheme shall be minimal.

• E7 - Compatibility with regulatory frameworks: The selected cybersecurity assurance approach for connected vehicles and their components must be compatible with the relevant regulations.

When considering the type of system that is at stake, the following assurance requirements must be met:

• A1 - Complex system risk analysis: address the relation between global system and specific component risk analysis.

• A2 - Two aspects of assurance: address both system assurance and process assessment.

• A3 - Architecture variability: the definition of generic cybersecurity requirements profiles for connected vehicles must integrate in-vehicle architecture variability.

• A4 - No effect on safety: The selected cybersecurity assurance approach for connected vehicles and their components must validate that the implemented cybersecurity capabilities do not create side effects on safety.

When considering the use of common criteria, the following requirements must be met.

• C1 - Small ToEs: targets for common criteria evaluation must be small and critical systems, developed by a small number of companies (ideally one). Composition of evaluations should preferably be avoided.

• C2 - Suitable and well-defined ToEs: Targets of PPs must have similar architecture and functions. Large ToEs have to be avoided.

• C3 - Mutual recognition: The evaluation framework has to support smooth and fast negotiation and alignment processes for the selection and generation of ToEs and PPs (or more generally assurance requirements), and mutual recognition between relevant authorities has to be ensured.

A new joint WG between SC 27 and ISO/TC 22/SC 32 is expected to be established after this NWIP is approved, and this NWI will be developed under the joint WG. All relevant issues as described above will also be addressed by the joint WG.

Please email further comments to: debbie.stead@bsigroup.com