The World’s First Standard on Automotive Cybersecurity_2


SAE INTERNATIONAL
A GLOBAL DISCUSSION ON SAE INTERNATIONAL J3061™
Parallels Between J3061™ and Functional Safety Lifecycle in ISO 26262
SPEAKER: Dr. David Ward, HORIBA MIRA, Head of Functional Safety, J3061™ Task Force Member
MODERATOR: Lisa Arrigo, SAE International
© HORIBA MIRA Ltd. 2015
December 2015
Parallels between J3061™ and functional safety lifecycle in ISO 26262
Dr David Ward, Head of Functional Safety
Agenda
■ Recap: What is ISO 26262?
■ Systems engineering as the basis of the functional safety lifecycle
■ Comparisons between ISO 26262 and the J3061™ lifecycle
■ Parallel activities and contact points
■ Conclusions
What is ISO 26262?
■ ISO 26262 Road vehicles – Functional safety
■ An automotive specific functional safety standard
- Based on principles of systems engineering and the “V” model
- Strong emphasis on requirements
- Significant current scope exclusions, but new Edition 2 due Q1/2018 (timescale subject to confirmation)
ISO 26262 basis in systems engineering
[Figure: systems engineering V model. Left arm (flow-down and refinement of requirements): Concept formulation → System design → System implementation. Right arm (verification, typically through analysis): Integration, testing and verification → Validation and system deployment.]
Application of V model in ISO 26262
[Figure: ISO 26262 V model. Left arm: Requirements specification (safety goals and Functional Safety Concept) → Architecture and system design (Technical Safety Concept) → HW and SW component design → HW and SW detailed design and implementation (measures for fault avoidance and mitigation). Right arm: Element integration (HW/SW), verification e.g. ECU testing → System integration (element/element), verification e.g. HIL test → Item integration (item to vehicle), validation e.g. vehicle driving tests. Each level carries its own requirements, linked across the arms by traceability, safety analysis etc. The slide also overlays an example attack goal AG1 “Malicious intentional vehicle disable” with attack objectives AO1 “Malicious remote disable of vehicle” and AO2 “Malicious disable of starting”.]
Functional safety is a subset of product integrity and assurance
[Figure: product assurance encompasses functional safety, systems engineering, failure mode analysis, availability and cybersecurity. Example attack goal AG1 “Malicious intentional vehicle disable” with attack objectives AO1 “Malicious remote disable of vehicle” and AO2 “Malicious disable of starting”. Source: Toyota]
Comparisons between ISO 26262 and the J3061™ lifecycle

Similarities | Differences | Additional in J3061™
Based on systems engineering “V” model and flow-down of requirements | | Additional requirements for security management, e.g. incident response
Threat Analysis and Risk Assessment may be based on a similar approach (see e.g. EVITA) | T&R needs extending: additional types of “harm”; possibility of affecting multiple stakeholders | Role of vulnerability analysis at various lifecycle stages
Use of analysis to specify and verify requirements | Attack trees are also used to help identify and classify threats | Need for specific countermeasures
Hardware and software development processes | | Role of vulnerability analysis at various lifecycle stages

■ Note, not an exhaustive comparison
Parallel activities and contact points
■ Functional safety and cybersecurity use very similar processes, so alignment and synchronization is recommended
■ It is planned in ISO 26262 Edition 2 to identify the need for communication channels between functional safety and related disciplines (e.g. cybersecurity)
- Including examples of potential interface points
■ Two specific examples today
- Concept phase
- Product development at the software level
Potential communications channels during the concept phase activities
[Figure: concept-phase communication channels between functional safety and cybersecurity. Source: draft document J3061™, Copyright SAE International. Call-outs: Specific example: safety hazards resulting from cyber threat; Specific example: alignment of requirements.]
Safety hazards risk management
■ ISO 26262 contains automotive specific requirements for hazard analysis and risk assessment
[Figure: Hazard analysis → Risk assessment → Safety goals, where risk assessment classifies each hazard by S (Severity), E (Exposure) and C (Controllability).]
Extended risk management
■ Establishing functional safety requirements
■ Establishing cybersecurity requirements
[Figure: two parallel chains. Functional safety: Hazard analysis → Risk assessment → Safety goals, with ASIL as the measure used to prioritize. Cybersecurity: Threat analysis → Risk assessment → Security requirements, with the measure used to prioritize still TBD.]
Threat analysis and risk assessment (T&R, TARA)
■ Analogous to H&R / HARA in functional safety, but with some key differences in approach
- Hazard identification → threat identification
o Includes consideration of dark side scenarios, e.g. attackers and motivations
- Hazard classification (S, E, C) → threat classification (severity and risk)
- Risk assessment (ASIL) → risk assessment (TBD)
■ Work products are more interlinked, e.g.
- Attack trees feed into T&R but are also part of defining the dark side scenarios
- In cybersecurity, understanding the asset attacks is fundamental to being able to assess risk
■ Order and timing of activities may also be different
- Attack trees are a specific example
Attack trees
■ Analogous to fault trees in reliability / safety engineering
■ Analysis of the tree possible through Boolean or continuous values
[Figure: example attack tree, read top to bottom. Attack goal: Disable vehicle. Attack objectives: Disable starting; Malicious remote disable. Attack methods: Exploit internal communications; Exploit service centre; Exploit remote communications. Asset attacks: Inject malware; Impersonate request. Risk is shown as the combination of Severity and Probability.]
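Worked example, added here and not code from the webinar, HORIBA MIRA or SAE: a small Python attack-tree evaluator that runs the two kinds of analysis the slide mentions, Boolean and continuous, on a tree built from the slide's own node labels, and then derives the severity × probability risk figure drawn beside the tree. It also covers the T&R points above (asset attacks as the basis of risk, prioritizing objectives, identifying countermeasures). The tree's edges, the AND/OR gates, the leaf probabilities and costs, the severity value and the combination formulas are all assumptions chosen for illustration; the J3061™ draft does not prescribe them.

```python
"""Attack-tree analysis: Boolean feasibility and continuous values.

Constructed example. Node labels come from the webinar's tree; the edges,
AND/OR gates, leaf probabilities, costs and severity are assumptions.
"""
from dataclasses import dataclass, field
from itertools import combinations
from math import prod
from typing import Iterator, List, Set


@dataclass
class Node:
    name: str
    gate: str = "OR"          # "OR" or "AND"; only used when children exist
    children: List["Node"] = field(default_factory=list)
    probability: float = 0.0  # leaves only: assumed likelihood of success
    cost: float = 0.0         # leaves only: assumed attacker effort (arbitrary units)

    @property
    def is_leaf(self) -> bool:
        return not self.children


def leaves(node: Node) -> Iterator[Node]:
    if node.is_leaf:
        yield node
    for child in node.children:
        yield from leaves(child)

def feasible(node: Node, blocked: Set[str]) -> bool:
    """Boolean analysis: can the attack still be carried out once every leaf
    whose name is in `blocked` has been neutralised by a countermeasure?"""
    if node.is_leaf:
        return node.name not in blocked
    results = [feasible(c, blocked) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)

def success_probability(node: Node) -> float:
    """Continuous analysis: probability of success. Sibling subtrees are treated
    as independent events, a simplification that double-counts shared steps."""
    if node.is_leaf:
        return node.probability
    ps = [success_probability(c) for c in node.children]
    return prod(ps) if node.gate == "AND" else 1.0 - prod(1.0 - p for p in ps)

def min_attack_cost(node: Node) -> float:
    """Continuous analysis with a second measure: the cheapest route to the
    node (AND sums its children's costs, OR takes the cheapest child)."""
    if node.is_leaf:
        return node.cost
    costs = [min_attack_cost(c) for c in node.children]
    return sum(costs) if node.gate == "AND" else min(costs)

def risk(node: Node, severity: float) -> float:
    """Risk as severity x probability, the two axes beside the slide's tree."""
    return severity * success_probability(node)

def rank_objectives(root: Node) -> List[str]:
    """Attack objectives ordered by success probability, highest first, as
    input to prioritising where cybersecurity requirements are needed."""
    return [c.name for c in sorted(root.children, key=success_probability, reverse=True)]

def minimal_blocking_sets(root: Node) -> List[Set[str]]:
    """Smallest sets of asset-attack types whose neutralisation makes the goal
    infeasible (brute force over leaf names; fine for hand-sized trees)."""
    names = sorted({leaf.name for leaf in leaves(root)})
    for size in range(1, len(names) + 1):
        hits = [set(c) for c in combinations(names, size) if not feasible(root, set(c))]
        if hits:
            return hits
    return []

def build_example_tree() -> Node:
    """Tree shaped like the slide's example; structure and numbers are assumed."""
    return Node("Disable vehicle", "OR", [
        Node("Disable starting", "OR", [
            Node("Exploit internal communications", "OR", [
                Node("Inject malware", probability=0.2, cost=5.0)]),
        ]),
        Node("Malicious remote disable", "OR", [
            Node("Exploit remote communications", "OR", [
                Node("Impersonate request", probability=0.1, cost=3.0)]),
            Node("Exploit service centre", "AND", [
                Node("Inject malware", probability=0.05, cost=4.0),
                Node("Impersonate request", probability=0.3, cost=2.0)]),
        ]),
    ])

if __name__ == "__main__":
    tree = build_example_tree()
    print("goal feasible with no countermeasures:", feasible(tree, set()))
    print("P(success) =", round(success_probability(tree), 4))  # 0.2908
    print("risk at severity 3 =", round(risk(tree, 3.0), 4))     # 0.8724
    print("cheapest attack cost =", min_attack_cost(tree))       # 3.0
    print("objectives by probability:", rank_objectives(tree))
    print("minimal blocking sets:", minimal_blocking_sets(tree))
```

The Boolean pass answers the question a TARA asks first (is the goal reachable at all, and which asset attacks must be neutralised to make it unreachable); with the assumed tree no single countermeasure suffices, both attack types have to be addressed. The continuous passes feed the severity × probability risk figure and the ranking of objectives that the “Prioritize” step in the extended risk management picture needs. Treating sibling subtrees as independent is the usual simplification; where the same asset attack appears on several paths, as here, a more careful analysis would reuse one leaf.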
Potential communications channels during the product development (software level) activities
[Figure: software-level communication channels between functional safety and cybersecurity. Source: draft document J3061™, Copyright SAE International. Call-outs: Specific example: language subsets; Specific example: alignment of requirements.]
Conclusions
■ SAE J3061™ and ISO 26262 have (purposely) very similar lifecycles
■ Key additional processes to help identify and mitigate system vulnerabilities include
- Attack trees
- Threat analysis and risk assessment (T&R)
- Cybersecurity-specific countermeasures and development methods
- Vulnerability testing
■ J3061™ provides the guidance and information to help organizations develop their own internal cybersecurity process
- Establish the relationships between cybersecurity and functional safety (and other disciplines)
- Sequence and timing of activities may be different between functional safety and cybersecurity
Contact details
HORIBA MIRA Ltd.
Watling Street,
Nuneaton, Warwickshire,
CV10 0TU, UK
T: +44 24 7635 5000
F: +44 24 7635 8000
www.horiba-mira.com
Dr David Ward
MA, PhD, CEng, CPhys, MInstP, MIEEE, MSAE
Head of Functional Safety
Direct T: +44 24 7635 5430
E: david.ward@horiba-mira.com
SAE INTERNATIONAL
Our Sponsors
We thank our sponsors for making this Webinar possible
Questions?
Send us your questions via the ‘Ask a Question’ Box
Stay tuned for our next presentation: Hardware Protected Security for Ground Vehicles and SAE Draft Document J3101™