Security & Safety

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

——————————————————————————————

Jede Umstände oder Ereignisse, die das Potenzial haben, betriebliche Abläufe (einschließlich Mission, Funktionen, Image oder Ruf), betriebliche Assets (Vermögenswert, Ressources) oder Individuen durch ein Informationssystem mittels unberechtigtem Zugang, Zerstörung, Offenlegung, Modifizierung von Informationen und/oder Dienstverweigerung negativ zu beeinflussen. Auch das Potenzial für eine Bedrohungsquelle, eine bestimmte Informationssystem-Schwachstelle erfolgreich auszunutzen.

[Source: https://www.synopsys.com/blogs/software-security/applying-automotive-tara-method.html]

Impact analysis in the context of ISO/SAE 21434 involves identifying and evaluating the potential consequences of threats and vulnerabilities on automotive systems.

It begins with asset identification, where security properties of each asset are determined, and damage scenarios along with their impacts are analyzed.

These impacts are measured in terms of safety, financial, operational, and privacy and are viewed from the road user's perspective.

The method further involves identifying threats and vulnerabilities, calculating the risk based on maximum composite ratings of the assets and the geometric mean of the vulnerable conditions, and making risk treatment decisions​.

——————————————————————————————

Die Auswirkungsanalyse im Kontext von ISO/SAE 21434 beinhaltet die Identifizierung und Bewertung der möglichen Konsequenzen von Bedrohungen und Schwachstellen auf Automobilsysteme.

Es beginnt mit der Identifizierung von Assets (Vermögenswerten), bei der die Sicherheitseigenschaften jedes Vermögenswertes bestimmt werden, und Schadensszenarien sowie deren Auswirkungen analysiert werden.

Diese Auswirkungen werden in Bezug auf Sicherheit, Finanzen, Betrieb und Privatsphäre gemessen und aus der Perspektive der Straßenbenutzer betrachtet.

Die Methode umfasst weiterhin die Identifizierung von Bedrohungen und Schwachstellen, die Berechnung des Risikos auf Basis maximaler Zusammensetzungen der Vermögenswerte und den geometrischen Mittelwert der anfälligen Bedingungen sowie die Treffen von Entscheidungen zur Risikobehandlung.

A fault tree is a graphical representation of a system's possible failure modes, and the causal relationships between them. It is a visual tool that helps to identify the root causes of potential failures and to develop corrective actions. Fault trees are used in a variety of industries, including automotive, aerospace, and medical device manufacturing.

Fault Tree Analysis (FTA) is a systematic and logical procedure for identifying and evaluating the causes of potential hazards and system failures.

It is typically used in conjunction with other safety analysis methods, such as Hazard and Operability (HAZOP) studies and Failure Mode and Effects Analysis (FMEA).

In ISO 21434, the attack feasibility rating (AFR) is a component used to determine the risk level value, with categories being "High", "Medium", "Low", or "Very low". The AFR is derived from combining identified attack paths for each threat scenario and is based on attack potential, CVSS, or attack vectors. The selection among these depends on available information and the current lifecycle phase of the product or system

A cybersecurity goal is a concept-level cybersecurity requirement associated with one or more threatscenarios.

If the risk treatment decision for a threat scenario involves risk reduction or risk avoidance, oneor more cybersecurity goals must be defined.

A cybersecurity claim provides a justification forkeeping or sharing a risk.

A CAL determines with level of rigor security activities have to be conducted.

A cybersecurity control is a security measure that helps to prevent cyber attacks or to minimise the risk of an active attack. UN R155 list 24 cybersecurity controls that have to be considered in the context of the approval of a vehicle manufacturer's CSMS.