Towards a security‐driven automotive development lifecycle

Bibliographic Details
Published in Journal of software : evolution and process Vol. 35; no. 8
Main Authors Dobaj, Jürgen; Macher, Georg; Ekert, Damjan; Riel, Andreas; Messnarz, Richard
Format Journal Article
Language English
Published Chichester Wiley Subscription Services, Inc 01.08.2023
John Wiley & Sons, Ltd
ISSN 2047-7473
2047-7481
DOI 10.1002/smr.2407

Summary: Cybersecurity has become one of the most crucial challenges in the automotive development lifecycle. The upcoming ISO/SAE 21434 standard provides only a generic framework that is insufficient to derive concrete design methods. This article proposes an actionable cybersecurity development lifecycle model that provides concrete action and work product guidance aligned with the ISO/SAE 21434 and Automotive SPICE® extension for cybersecurity. The model has been inspired by action research in “next” industry practice pilot projects, which ensures that it is actionable. It has been augmented by insights gained from literature research in cybersecurity development for embedded systems. The proposed lifecycle model complements the ISO/SAE 21434 standard and provides the basis for the company‐specific process and practice specifications. It has been validated through the integration of cybersecurity‐related aspects in an electric power steering system. A core characteristic of the model is the central role of threat modeling, vulnerability analyses, and cybersecurity requirements derivation on both system and subsystem levels. Without concrete practice guidelines, the ISO/SAE 21434 is very difficult to understand and apply at this stage. This contribution aims to fill this gap through a model inspired by cutting‐edge embedded cybersecurity practices interpreted for the current and near‐future automotive electronic architectures.

Cybersecurity has become one of the most crucial challenges in the automotive development lifecycle. The upcoming ISO/SAE 21434 standard provides only a generic framework that is insufficient to derive concrete design methods. At this stage, the ISO/SAE 21434 is very difficult to understand and apply without concrete practice guidelines. This contribution aims to fill this gap by proposing an actionable cybersecurity development lifecycle model with concrete action and work product guidance aligned with the ISO/SAE 21434 and ASPICE®.