The Convergence of Automotive SPICE® and Cybersecurity
The automotive industry is currently facing a significant challenge where two crucial aspects of software development must be brought together – quality and cybersecurity. Merging Automotive SPICE® (Software Process Improvement and Capability Determination) with cybersecurity practices is not just a matter of enhancing process quality.
Instead, it is a critical strategic alliance that will reinforce the foundation of automotive software development against the increasing threats of the digital age. Automotive SPICE® provides a comprehensive and structured approach to evaluating software development processes. This model guarantees that the processes are capable of providing high-quality software consistently.
This process assessment model outlines the best practices throughout the software development lifecycle. By integrating Automotive SPICE® with cybersecurity practices, the automotive industry can ensure that its software development meets the highest standards of quality and security, thereby securing the assets of the ECU.
Cybersecurity in the automotive domain is the shield against digital threats. It encompasses a set of strategies, technologies, and practices designed to protect vehicles from cyber-attacks. The importance of cybersecurity today has multiplied tenfold in the automotive industry, thanks to connected and autonomous vehicles. It is safe to say that cybersecurity has become an integral part of automotive engineering. Starting in July 2024 UNECE R155 will be mandatory for all new vehicles in the EU. This UNECE 155 regulation requires a Cybersecurity management system in all new vehicle classes.
Integrating Automotive SPICE® with cybersecurity is crucial for the security of vehicles. Embedding cybersecurity strategy into the DNA of automotive software processes shows that security considerations are not an afterthought. But they are ingrained into the entire software development lifecycle.
The Automotive SPICE for the cybersecurity process reference model is shown below. The highlighted sections in green are added for cybersecurity compliance in a project.
In this diagram, taken from the Automotive SPICE® Process reference and assessment model for cybersecurity engineering by VDA, you see that the Cybersecurity Engineering Process Group (SEC), Acquisition Process Group (ACQ), and Management Process Group (MAN) are the process areas that are affected.
The SEC consists of processes performed to achieve cybersecurity goals. The ACQ consists of processes that are performed by the customer, or the supplier when acting as a customer for its own suppliers, to acquire a product and/or services. The MAN consists of processes that may be used by anyone who manages any type of project or process within the lifecycle.
Let us deep dive into how cybersecurity activities converge into the Automotive SPICE® process by understanding each of these additional cybersecurity steps:
Enhanced Requirements Management (SEC.1)
The cybersecurity requirements elicitation step in the cybersecurity engineering process group is performed with the sole purpose of deriving cybersecurity goals and requirements from the outcomes of risk management. This is also done to ensure consistency between requirement analysis report, cybersecurity goals, and cybersecurity system requirement specification document.
Developing the Item for Defence (SEC.2)
In the cybersecurity implementation stage or the SEC.2 stage, the purpose remains to allocate the cybersecurity requirements to the elements of the system and software and ensure they are implemented. As a result of the successful implementation of this process, the system and software architectural design is refined. Software units are designed and implemented. It also includes the cybersecurity controls and vulnerability analysis report.
Rigorous Security Testing Practice (SEC.3)
The next step is the risk treatment verification. This process helps to confirm that the implementation and integration of the components comply with the cybersecurity requirements, the refined architectural design, and the detailed design. Key documents that are developed at this stage are cybersecurity verification strategy, test specifications, and test results.
Risk Treatment Validation (SEC.4)
In the next phase, the OEM validates and confirms that the integrated system achieves the associated cybersecurity goals. Important documents that are developed in the risk treatment validation phase are cybersecurity validation strategy, test specifications, and test results.
Cybersecurity Risk Management (MAN.7)
There is also a process that integrates cybersecurity risk handling into Automotive SPICE®, which is the cybersecurity risk management or MAN.7. The purpose of the process is to identify, prioritize, and analyze risks of damage to relevant stakeholders and as well as monitor and control respective risk treatment options continuously. The output work products of this stage are a risk management plan, recovery plan, cybersecurity scenario register, threat analysis and risk assessment (TARA), and risk status report.
Take Away
Now that we have understood the relationship between Automotive SPICE® and the cybersecurity process in the automotive industry, here are the work products that can be extended for cybersecurity. They are requirement, design, verification strategy, test specifications, test results, and others. It is important to know that these documents have synergies with Automotive SPICE, when cybersecurity framework is added to the project. As work products, these cybersecurity documents can be merged with existing ASPICE®-compliant documents as their added sections.
Certified Partner to Strengthen Your Automotive Project
APAGCoSyst prides itself on the unwavering commitment to building trust with our customers. We achieve this through the development of innovative automotive products and processes that meet the highest security standards. We cater to many clients, including multiple automotive OEMs and Tier 1 suppliers in Europe, North America, and Asia. We also serve customers in various industries, such as agriculture, industrial, and medical.
Our ISO 21434-certified cybersecurity experts work on every product adhering to the most robust security standards, ensuring that your vehicles remain protected against cyber threats in today’s interconnected landscape. We invite you to connect with our cybersecurity team to explore how we can assist you in creating a secure product. Contact us today to fortify your automotive innovations with our industry-leading security solutions.