CEPE WP.29 para R155 y R156

An organizational cybersecurity audit is an independent evaluation of an organization's cybersecurity processes, procedures, and policies to judge whether they achieve the objectives outlined in relevant international cybersecurity standards.

Information sharing means exchanging relevant information about cybersecurity risks, threats, hazards, and conflicting requirements within and outside of an organization.

Cybersecurity governance is a set of rules and policies that organizations put in place to manage and address cybersecurity risks.

A management system is a set of processes, procedures, and policies that an organization puts in place to manage and address cybersecurity risks and requirements.

Establishing and maintaining a strong cybersecurity culture involves ensuring that everyone with assigned cybersecurity roles has the necessary training, certifications, and awareness to fulfill their responsibilities. This includes providing risk management, functional safety, and privacy training and implementing continuous improvement processes for all cybersecurity activities.

OEMs must establish rules and implement processes that adhere to national and international cybersecurity requirements, including assigning cybersecurity responsibilities, providing resources to address cybersecurity risks, and establishing a cybersecurity management system for relevant activities.

Information sharing requirements include defining situations and circumstances under which cybersecurity information sharing is relevant, permitted, and prohibited, as well as specifying information types to be shared, establishing approval processes, and defining relevant parties.

To meet cybersecurity governance requirements, organizations must define a cybersecurity policy that both acknowledges road vehicle cybersecurity risks and commits to managing those risks. They also need to assign responsibilities and organizational authority to achieve comprehensive cybersecurity, as well as provide resources for cybersecurity risk management, development, and incident management.

To meet organizational cybersecurity audit requirements, organizations must perform periodic audits, provide evidence and documentation of all procedures, processes, incidents, and remediations, and judge whether their processes achieve the objectives outlined in relevant national and international cybersecurity standards.

A strong cybersecurity culture means that everyone in the organization shares the same beliefs, values, and behaviors that promote and support cybersecurity best practices.

To meet management system requirements, organizations must establish a quality cybersecurity management system in accordance with international standards, make configuration information available for maintaining vehicle cybersecurity, establish a cybersecurity management system for production processes, and manage tools that can influence the cybersecurity of a product or component.

A cybersecurity case is a document that provides evidence to ensure the cybersecurity of the product or component in question is per national and international standards. It is important to create a cybersecurity case to comply with cybersecurity requirements.

A reuse analysis is an evaluation conducted when a product or component is developed and meets certain criteria such as planned modifications or reuse in a different operational environment.

The first requirement is to assign, communicate, and share cybersecurity activity responsibilities with relevant parties based on information security requirements and best practices. A cybersecurity plan must also be created for each product, which includes objectives, dependencies, responsible personnel, resources, starting and endpoints, intended outcome, and required activities for concept and product development phases per relevant requirements. Cybersecurity plans must be assigned to personnel with the necessary training, certifications, and awareness. They must be updated for any changes or refinements, and adhere to configuration and documentation management procedures.

To release the product or component for post-development, the cybersecurity case must provide a valid and thorough argument, the cybersecurity assessment must confirm or agree with the cybersecurity case, and the post-development cybersecurity requirements must be accepted. All of these must be available before product release for post-development.

A responsible party must be appointed to oversee the planning and performance of a cybersecurity assessment. The assessment must include the cybersecurity plan and include all products and components in the plan, processes and procedures utilized to address cybersecurity risks, a review of the appropriateness and effectiveness of the implemented cybersecurity controls and activities, and rationales that demonstrate compliance with the requirements outlined in International Standards, such as ISO 21434. The assessment report must also include a recommendation for acceptance, conditional acceptance, or rejection of the product or component's cybersecurity.

Yes, cybersecurity activities can be tailored. The rationale behind why an activity is tailored must be sufficient to achieve relevant protection objectives as outlined in ISO 21434.

When requesting a quotation from a potential supplier, a formal request to conform with national and international cybersecurity requirements, expectations of cybersecurity responsibilities, and any cybersecurity goals requirements relevant to the specified product or component should be included.

A cybersecurity interface agreement specifies how cybersecurity activities will be distributed between the customer and supplier, including cybersecurity activity responsibilities, joint tailoring of activities (if applicable), information and documentation to be shared, distributed cybersecurity activity milestones, and a clear definition of the end of cybersecurity support for the product or component in question. It is important for both the customer and supplier to mutually agree upon the agreement prior to the start of distributed cybersecurity activities.

When evaluating potential suppliers, their capacity to develop and/or perform post-development activities in accordance with national and international cybersecurity engineering standards should be taken into consideration. Evidence of organizational cybersecurity preparedness and adequacy, continual maintenance and improvement of cybersecurity activities and incident responses, and a summary of previous cybersecurity assessment reports may be included.

The customer and supplier should communicate to determine the appropriate course of action to remedy the issue. Responsibilities for the customer and supplier should also be specified using a responsibility assignment matrix.

Processes and procedures required for cybersecurity activity maintenance and monitoring include: comprehensive collection of cybersecurity information from internal and/or external sources, definition and maintenance of triggers for cybersecurity information triage, assessment of collected cybersecurity information to determine if any cybersecurity events have taken place, assessment of any cybersecurity events for product or component weaknesses, vulnerability analysis to identify potential attack paths and feasibility, and vulnerability management to treat cybersecurity risks in accordance with national and international standards.

Attack feasibility rating is the process of determining the feasibility of an attack path using various rating methods such as an attack potential-based approach, a common vulnerability scoring system (CVSS)-based approach, or an attack vector-based approach.

Attack path analysis is the process of analyzing potential threat scenarios for the identification of potential attack paths.

Impact rating is the process of analyzing potential damage scenarios and assessing their impact on road users. This includes safety, financial, operational, and privacy categories.

Asset identification is the process of identifying potential damage scenarios that could result from the compromise of the cybersecurity properties of a specific product or component.

A risk treatment decision is the process of selecting one or more risk treatment options. These might include risk avoidance, risk reduction, division of risk through sharing, and risk retention.

Risk value determination is the process of assigning a risk value between 1 and 5 to each threat scenario based on its impact and attack feasibility.

Threat scenario identification is the process of identifying potential threat scenarios, including the targeted product or component, which cybersecurity property is compromised, and the source or cause of compromise.

TARA stands for Threat Analysis and Risk Assessment. It is a method used to analyze potential threats to the cybersecurity properties of a specific product or component and assess the risk of each threat scenario.

Examples include ransomware attacks, compromise of internal user credentials + MFA, and compromise of security framework (for example Rippling).