Automotive Cybersecurity for Safety Experts - ISO 26262 & ISO SAE 21434 Webinar
Dr. Arnulf Braatz/Andreas Horn, May 27th 2020 (V1.10 | 2020-05-27)



  • Automotive Cybersecurity for Safety Experts - ISO 26262 & ISO SAE 21434 Webinar

    Dr. Arnulf Braatz/Andreas Horn, May 27th 2020

    V1.10 | 2020-05-27

  • © 2020. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.10 | 2020-05-27

    Webinar: Automotive Cybersecurity for Safety Experts

    Welcome and Introduction

    Technical Notes

    Audio: There should be music to hear. If the audio transmission over the Internet is not working, ask for participation in a conference call. Contact the "host" in the "chat" window.

    Screen: Disable your screen saver.

    Feedback & communication: Open and review the "chat" window to get all organizational messages of the "hosts". Use the "chat" window to the "host" for all organizational WebEx and transfer requests or disturbances. Use the "Q & A" window instead of the "chat" window for substantive questions about the webinar. Ask your questions at "All Panelists". Questions are answered online during and after the presentation.

    Slides & Presentation: Within 1-2 days after the webinar, you will receive a link to the slides and additional information. After the webinar a link will guide you to a feedback form. We are looking forward to receiving your feedback to continuously improve our services.

    Speaker: Dr. Arnulf Braatz. Q&A: Andreas Horn

    2/24

  • Vector Group

    Welcome and Introduction

    Locations: Italy (Milano); USA (Detroit); France (Paris); Germany (Stuttgart, Brunswick, Hamburg, Karlsruhe, Munich, Regensburg); Japan (Tokyo, Nagoya); Korea (Seoul); Sweden (Gothenburg); China (Shanghai); India (Pune); Great Britain (Birmingham); Austria (Vienna); Brazil (São Paulo)

    Development: Vector provides tools for developing, testing, calibration and diagnostics as well as software components and development services.

    Networking: Vector provides components and engineering services for the networking of electronic systems.

    Optimization: Vector provides a comprehensive consulting portfolio as well as suitable tool support.

    Vector Consulting Services: worldwide, 20 consultants

    Vector Group: 2978 employees (Date: Jan. 2020)

    @VectorVCS

    3/24

  • Safety & Security

    Vector provides tailored consulting solutions to keep OEM and suppliers competitive:

    Efficiency – Quality – Competences

    Welcome and Introduction

    Vector Client Survey 2020: Risk of vicious circle

    Vector Client Survey 2020. Details: www.vector.com/trends.

    Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 300% due to 5 answers per question. Strong validity with 4% response rate of 2000 recipients from different industries worldwide.

    Vicious cycle: > cost pressure > lack of competences > less innovation and quality

    [Chart: survey answers plotted as Short-term Challenges (horizontal axis, 0%-70%) against Long-term challenges (vertical axis, 0%-70%); categories: Innovative products, Competences and knowledge, Cost and efficiency, Flexibility, Distributed development, Complexity, Digital transformation, Quality, Others]

    4/24

    http://www.vector.com/trends

  • Agenda

    Welcome and Introduction

    Main Concepts of Safety & Security

    Similarities of Functional Safety & Cybersecurity

    Differences between Functional Safety & Cybersecurity

    Conclusions and Outlook

    5/24

  • Typical Vehicle Scenarios

    Main Concepts of Safety & Security

    [Figure labels: Unreliable Scenarios; Unsafe Scenarios; Triggering Event (e.g. pedestrian not detected); Internal Failure; Unsecure Scenarios; Attack]

    Avoiding such scenarios is one goal of automotive system engineering activities.

    6/24

  • Emergent System Property: Availability, Safety & Security

    Main Concepts of Safety & Security

    Unsecure Scenarios (Security); Unreliable Scenarios (Availability); Unsafe Scenarios (Safety)

    According to: Engineering a Safer World, The MIT Press, Nancy G. Leveson, 2011

    International engineering standards are available to cover E/E emergent system properties:

    Functional Safety: ISO 26262

    Security-related but QM: ISO SAE 21434/SAE J3061-2016

    SOTIF: ISO/PAS 21448

    QM: SPICE, IATF 16949, ISO 9001

    Cybersecurity attacks on Safety: ISO SAE 21434/SAE J3061-2016

    Privacy as a security property is also part of ISO SAE 21434.

    7/24

  • Relationship of Cybersecurity & Functional Safety

    Main Concepts of Safety & Security

    By Design: Management & Engineering methods of Functional Safety & Cybersecurity are overlapping: FS Management & FS Engineering Methods (ISO 26262) and Cybersecurity Management & Cybersecurity Engineering Methods (SAE J3061, ISO SAE 21434), both within Systems Engineering.

    System Attributes: the Functional-safety related system is part of the Cybersecurity related system: Functional-safety (FS) related (ISO 26262) is contained in Cybersecurity related (SAE J3061, ISO SAE 21434).

    8/24

  • Vehicle Level: Cybersecurity & Functional Safety

    Main Concepts of Safety & Security

    Legend: (symbol) = systematic & random faults of HW & SW (ISO 26262); (symbol) = Cybersecurity Attacks (ISO SAE 21434)

    Functional Safety: Methods required to minimize the risk down to a residual risk that a malfunction of the E/E system violates a safety goal.

    Cybersecurity: Methods to manage cybersecurity risks (threats) for road vehicles throughout engineering, production, operation, maintenance and decommissioning.

    Figure examples: Attack via GSM and cloud services on TCU; Attack via Bluetooth on OBD

    Safety & Security on the vehicle follow a risk based approach which impacts engineering methods.

    9/24

  • Today’s Situation: Engineering Lifecycle of Security & Functional Safety Standards

    Main Concepts of Safety & Security

    Automotive Functional Safety: ISO 26262:2018. Safety activities along the lifecycle: Item Definition; Hazard & Risk Assessment; Safety Goals; Functional Safety Concept; Technical Safety Concept; HW/SW safety requirements; HW/SW (Verification on Unit Level); System Integration Test Safety; Item Integration Test Safety; Validate Safety Goals; Safety Case; Production, operation, service & decommissioning.

    CyberSecurity according to ISO SAE 21434 (Draft DIS). Cybersecurity activities along the lifecycle: Item Definition & Asset Identification; Threat & Risk Assessment; Cybersecurity Goals; Cybersecurity Concept; System cybersecurity requirements; HW/SW cybersecurity requirements; HW/SW (Verification on Unit Level; the figure shows a "?" here); System Integration Test Security; Item Integration Test Security; Cybersecurity Validation, Pen Tests; Approval of the release for post-development; Production, operations, maintenance & decommissioning.

    Automotive Cybersecurity: ISO 21434 (Draft Standard); SAE J3061-2016 (Guideline)

    General Cybersecurity: ISO 15408 (Common Criteria); ISO 27001, TISAX (IT Security); Books: e.g. Threat Modelling, Adam Shostack, Wiley 2014

    10/24

  • Comparison: ISO 26262 & ISO SAE 21434

    Main Concepts of Safety & Security

    ISO 26262 parts: 1. Vocabulary; 2. Management of functional safety; 3. Concept phase; 4. Product development at the system level; 5. Product development at the hardware level; 6. Product development at the software level; 7. Production and operation; 8. Supporting processes; 9. ASIL-oriented and safety-oriented analyses; 10. Guideline on ISO 26262; 11. Application of ISO 26262 to semiconductors; 12. Adaptation of ISO 26262 for motorcycles

    ISO SAE 21434 chapters: Chapter 3: Terms and abbreviations; Chapter 5: Overall cybersecurity management; Chapter 6: Project dependent cybersecurity management; Chapter 7: Continuous cybersecurity activities (Cybersecurity events & Vulnerabilities); Chapter 8: Risk assessment methods; Chapter 9: Concept Phase; Chapter 10: Product Development (SW/HW level); Chapter 11: Cybersecurity validation; Chapter 12: Production; Chapter 13: Operations and maintenance; Chapter 14: Decommissioning; Chapter 15: Distributed cybersecurity activities; Annex A-J: informative

    Overlap of the same systems engineering approach.

    11/24

  • Agenda (repeated as section divider before: Similarities of Functional Safety & Cybersecurity)

    12/24

  • Cybersecurity management & Safety management

    Similarities of Functional Safety & Cybersecurity

    [Figure: Planning and Tracking by the Project Manager, Safety Manager and Cybersecurity Responsible; Safety Plan and Cybersecurity Plan; Coordination of the Safety- & Cybersecurity-related Development Team; work products captured: Requirements, Design, Code, Test-reports, Plans, Assessment-reports; Safety Case and Cybersecurity Case as Evidence of process adherence]

    The safety/cybersecurity case is a collection of all security relevant work products. It is input for a safety/cybersecurity assessment and the release for production/post-development. The safety/cybersecurity case provides a structured argument for the achieved degree of safety/cybersecurity.

    ISO SAE 21434 (Draft DIS), chapter 6.1

    13/24

  • Flow and sequence of the cybersecurity & safety requirements

    Similarities of Functional Safety & Cybersecurity

    Item Definition -> HARA (ISO 26262 Part 3) / TARA (ISO SAE 21434, 8-9)

    Safety Goals (ISO 26262 Part 3):
      ID   Hazards    ASIL    Description
      SG1  HZ1, HZ3   ASIL B  Safety Goal 1
      SG2  HZ2        ASIL D  Safety Goal 2
      ...  ...        ...     ...

    Cybersecurity Goals (ISO SAE 21434, 8-9):
      ID     Asset    CAL    Description
      SecG1  Asset 1  CAL 1  Cybersecurity Goal 1
      SecG2  Asset 2  CAL 3  Cybersecurity Goal 2
      ...    ...      ...    ...

    Functional Safety Concept – Functional Safety Requirements (allocation of FSRs to architectural elements):
      ID     Goal  ASIL    Description
      FSR 1  SG1   ASIL B  Funct. Safety Req. 1
      FSR 2  SG1   ASIL B  Funct. Safety Req. 2
      ...    ...   ...     ...

    Cybersecurity Concept – Cybersecurity Requirements (allocation of CSRs to architectural elements):
      ID     Goal   CAL    Description
      CSR 1  SecG1  CAL 1  Cybersecurity Req. 1
      CSR 2  SecG1  CAL 1  Cybersecurity Req. 2
      ...    ...    ...    ...

    System Architectural Design -> Refinement of Architectural Design

    Technical Safety Concept (ISO 26262 Part 4) – Technical Safety Requirements (allocation of TSRs to architectural elements):
      ID       FSR    ASIL    Element  Description
      TSR 1.1  FSR 1  ASIL B  Comp1    Tech. Safety Req. 1.1
      TSR 1.2  FSR 1  ASIL B  Comp1    Tech. Safety Req. 1.2
      ...      ...    ...     ...      ...

    Cybersecurity Controls (ISO SAE 21434, 10) (allocation of CSCs to architectural elements):
      ID       CSR    CAL    Element  Description
      CSC 1.1  CSR 1  CAL 1  Comp1    Cybersecurity Control 1.1
      CSC 1.2  CSR 1  CAL 1  Comp1    Cybersecurity Control 1.2
      ...      ...    ...    ...      ...

    Figure label: Traceability (along both chains)

    14/24
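As an added illustration of the two traceability chains on the slide above (not code from the webinar or from Vector), a small checker that loads the SG/FSR/TSR and SecG/CSR/CSC rows and reports dangling traces, ASIL/CAL changes, unrefined goals and unallocated leaves; the two defective rows at the end are constructed to show the findings.

```python
"""Traceability check over the two requirement chains shown on the slide:
SG -> FSR -> TSR carrying an ASIL (ISO 26262) and SecG -> CSR -> CSC carrying a
CAL (ISO/SAE 21434). Constructed illustration, not tooling from the webinar or
from Vector; the rows marked "defect" are added on purpose."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    ident: str                # e.g. "TSR 1.1" or "CSC 1.1"
    parent: Optional[str]     # ID one level up the chain; None for goals
    level: str                # "ASIL B", "CAL 1", ...
    element: str = ""         # allocated architectural element; "" above system level


def check_chain(entries: List[Entry]) -> List[str]:
    """Return findings for one chain. Checks: (1) every non-goal entry traces to
    an existing parent, (2) the ASIL/CAL matches the parent (ISO 26262 also
    allows ASIL decomposition, which this check does not model, so a mismatch is
    flagged for review only), (3) every goal and requirement is refined by at
    least one child, (4) leaf entries (TSR/CSC) are allocated to an element."""
    by_id: Dict[str, Entry] = {e.ident: e for e in entries}
    children: Dict[str, List[Entry]] = {e.ident: [] for e in entries}
    findings: List[str] = []
    for e in entries:
        if e.parent is None:
            continue
        parent = by_id.get(e.parent)
        if parent is None:
            findings.append(f"{e.ident}: traces to unknown {e.parent}")
            continue
        children[parent.ident].append(e)
        if parent.level != e.level:
            findings.append(f"{e.ident}: {e.level} differs from {parent.ident} "
                            f"({parent.level}), review")
    for e in entries:
        is_leaf = e.ident.startswith(("TSR", "CSC"))
        if not is_leaf and not children[e.ident]:
            findings.append(f"{e.ident}: not refined by any lower-level entry")
        if is_leaf and not e.element:
            findings.append(f"{e.ident}: not allocated to an architectural element")
    return findings


# Rows as on the slide; the "..." rows of the slide are omitted, so SG2 and
# FSR 2 are reported as not refined.
SAFETY_CHAIN = [
    Entry("SG1", None, "ASIL B"), Entry("SG2", None, "ASIL D"),
    Entry("FSR 1", "SG1", "ASIL B"), Entry("FSR 2", "SG1", "ASIL B"),
    Entry("TSR 1.1", "FSR 1", "ASIL B", "Comp1"),
    Entry("TSR 1.2", "FSR 1", "ASIL B", "Comp1"),
]
SECURITY_CHAIN = [
    Entry("SecG1", None, "CAL 1"), Entry("SecG2", None, "CAL 3"),
    Entry("CSR 1", "SecG1", "CAL 1"), Entry("CSR 2", "SecG1", "CAL 1"),
    Entry("CSC 1.1", "CSR 1", "CAL 1", "Comp1"),
    Entry("CSC 1.2", "CSR 1", "CAL 1", "Comp1"),
    Entry("CSC 2.1", "CSR 9", "CAL 1", "Comp2"),  # defect: CSR 9 does not exist
    Entry("CSC 2.2", "CSR 2", "CAL 2", ""),       # defect: CAL changed, no element
]
```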

  • Your Questions

    Similarities of Functional Safety & Cybersecurity

    Remark: If we are not able to answer your question within the hour we will send you the answer via mail in the coming days!

    15/24

  • Agenda (repeated as section divider before: Differences between Functional Safety & Cybersecurity)

    16/24

  • Terms & Concepts: Attack Path vs. Path of Effects

    Differences between Functional Safety & Cybersecurity

    Legend: (symbol) = Cybersecurity Attacks (ISO SAE 21434/SAE J3061-2016); (symbol) = systematic & random faults of HW & SW (ISO 26262)

    Attack: Attempted action or interaction with the vehicle or its environment that has the potential to result in an adverse consequence.

    Attack Path: Set of actions that could lead to the accomplishment of the threat scenario.

    Asset: Anything that has value to the product’s stakeholders (and is contained by SW or HW).

    Path of effects: Set of elements that cascades the fault to item level.

    Safety requirements are allocated along the path of effects, security requirements along the attack path.

    [Figure: item diagrams (labels: item, item, S, A) illustrating the attack path and the path of effects]

    17/24

  • Terms & Concepts: Vulnerability vs. Failure

    Differences between Functional Safety & Cybersecurity

    Failure: Random/systematic fault which leads with a certain probability to a violation of a Safety Goal.

    Safety Mechanism: Reduces the probability of a safety goal violation.

    Vulnerability: Weakness (unknown), which can be exploited by an attacker.

    Security Control: Reduces the probability of unauthorized access (known) by the attacker.

    Figure annotations:
    … Vulnerability detected during testing.
    … a how-to to create the exploit is published.
    … exploit can be downloaded from a black market.

    Vulnerability Analysis & Management are specific to the cybersecurity approach.

    [Figure: Path of effects: Sensor -> ECU -> Actuator with a Failure; Attack Path: ECU node with a Vulnerability -> Asset]

    18/24

  • Methods: Attack Tree vs. Fault Tree Analysis (FTA)

    Differences between Functional Safety & Cybersecurity

    Threat Scenario: Is realized by a sequence of actions (attack path) requiring underlying vulnerabilities.

    [Attack tree figure: the Threat Scenario at the top is decomposed with and/or gates into Attack Action 1 and Attack Action 2, then Attack Action 1.1, 1.2 and 2.1, down to the atomic Attack Actions (AA) 1.1.1, 1.1.2, 2.1.1 and 2.1.2; each node carries the value possible/impossible; the underlying Vulnerability 1 and Vulnerability 2 are joined by an "and" gate]

    Attack path according to ISO SAE 21434 (Draft DIS), Chapter 8.6.2

    FTA as Safety Analysis: FTA and Attack Tree apply the same tree-based approach.

    FTA & Attack tree can be integrated as a method, but the semantics are different.

    Semantics of probability concerning faults/failures is different:

    ISO 26262: Two independent faults at the same time are significantly more unlikely compared to a single fault with the same FIT rate.

    ISO 21434: Two independent vulnerabilities, which are known, do not necessarily reduce the likelihood of a successful attack.

    ISO 21434: The Attack Tree covers System, SW & HW level (architecture & implementation).

    ISO 26262: Safety analyses for system, SW & HW are applied on architecture level.

    19/24
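Added example (not from the webinar or from Vector) making the point about semantics concrete: one tree structure evaluated once with FTA probabilities and once with attack-tree possible/impossible values, so that an AND of two 100-FIT faults comes out roughly a thousand times less likely than a single fault while an AND of two known vulnerabilities stays possible. The FIT rates and the 10,000 h operating time are assumed sample values.

```python
"""Same tree shape, two semantics: FTA probability (ISO 26262) vs. attack-tree
feasibility (ISO/SAE 21434 draft, node values possible/impossible).
Constructed illustration, not code from the webinar or from Vector; the FIT
rates and the 10,000 h operating time are assumed sample values."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    gate: Optional[str] = None       # "and" / "or" for gates, None for leaves
    children: List["Node"] = field(default_factory=list)
    fit: float = 0.0                 # FTA leaf: failure rate in FIT (1 FIT = 1e-9 per hour)
    possible: bool = False           # attack-tree leaf: is the atomic action feasible?


def fta_probability(node: Node, hours: float) -> float:
    """FTA semantics: leaves are independent random faults with a constant rate;
    AND multiplies the probabilities, OR combines them as 1 - prod(1 - p)."""
    if node.gate is None:
        return 1.0 - math.exp(-node.fit * 1e-9 * hours)
    ps = [fta_probability(c, hours) for c in node.children]
    if node.gate == "and":
        return math.prod(ps)
    if node.gate == "or":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {node.gate!r}")


def attack_feasible(node: Node) -> bool:
    """Attack-tree semantics: a leaf is an atomic attack action that is possible
    or impossible; AND needs every child, OR needs any child."""
    if node.gate is None:
        return node.possible
    results = [attack_feasible(c) for c in node.children]
    if node.gate == "and":
        return all(results)
    if node.gate == "or":
        return any(results)
    raise ValueError(f"unknown gate {node.gate!r}")


def compare_two_independent_causes(hours: float = 10_000.0) -> Dict[str, object]:
    """AND of two independent causes versus a single cause, once per semantics."""
    single = Node("single fault", fit=100.0)
    double = Node("two faults at the same time", "and",
                  [Node("fault 1", fit=100.0), Node("fault 2", fit=100.0)])
    p_single = fta_probability(single, hours)
    p_double = fta_probability(double, hours)
    # Both vulnerabilities are known, so exploiting each is "possible" and the
    # AND stays possible: a second known vulnerability does not shrink the
    # likelihood the way a second independent fault does.
    both_known = Node("attack action", "and",
                      [Node("exploit vulnerability 1", possible=True),
                       Node("exploit vulnerability 2", possible=True)])
    return {
        "p_single_fault": p_single,
        "p_two_faults": p_double,
        "fault_ratio": p_single / p_double,        # about 1000 for these inputs
        "attack_with_two_known_vulns": attack_feasible(both_known),
    }
```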

  • Comparison: Established Engineering Methods Safety & Security

    Differences between Functional Safety & Cybersecurity

    Safety methods: HARA; FTA; FMEA; System- & SW Architecture; Requirements-based testing

    Security methods: TARA; Vulnerability Analysis (e.g. Attack Tree); System- & SW Architecture; Requirements-based testing; Fuzz- & PEN Testing; …

    HARA = Hazard Analysis & Risk Assessment (ISO 26262-3)

    TARA = Threat Analysis & Risk Assessment (SAE J3061-2016)

    Utilizing shared methods & keeping different approaches focused is the key for efficiency.

    20/24

  • Agenda (repeated as section divider before: Conclusions and Outlook)

    21/24

  • ISO SAE 21434 & ISO 26262 Experience

    Conclusions and Outlook

    Increasing cybersecurity demand …

    Most OEMs include ISO 26262 compliance in their contracts … more and more requirements specifications are also pointing to ISO SAE 21434.

    Overlap with ISO 26262 helps to understand the upcoming standard … but there are a few significant differences concerning concepts and methods.

    Efficient integration of functional safety & cybersecurity is the key to efficiency for OEMs and suppliers.

    Cybersecurity has to be built on solid functional safety processes together with a competent partner.

    22/24

  • Vector: Comprehensive Portfolio for Security and Safety

    Conclusions and Outlook

    Vector Cyber Security and Safety Solutions: Security and Safety Consulting; AUTOSAR Basic Software; Tools (PLM, Architecture, Test, Diagnosis etc.); Engineering Services for Safety and Security; HW based Security

    www.vector.com/safety www.vector.com/security www.vector.com/consulting

    23/24

  • Trainings and media

    Conclusions and Outlook

    Vector Safety Solutions

    Training “Functional Safety with ISO 26262”, Stuttgart, continuously: www.vector.com/training-safety

    Trainings tailored to your needs available worldwide

    Virtual trainings

    Free white papers … www.vector.com/media-safety

    Vector Forum – Automotive systems & Software for Tomorrow (25 June 2020), on your computer – it is a virtual event: https://consulting.vector.com/int/en/company/vector-forum/2020/

    Further free webinars:
    > 2020-06-16 Functional Safety and SOTIF - Principles and Practice
    > 2020-06-17 Automotive Cybersecurity – Challenges and Practical Guidance
    https://www.vector.com/int/en/events/webinars/

    24/24