Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA

Abstract

The Automotive SPICE for Cybersecurity Assessor Course has been developed in Q4/2021 and launched in Jan. 2022. From 6th July 2022 onwards Automotive projects need to declare the coverage of cybersecurity norms (UNECE 155, UNECE 156, ISO 21434) for the homologation of the vehicles in the EU. All car makers request in their customer requirements documents the performance of a TARA (Cybersecurity Threat and Risk Analysis) and all ASPICE assessments for cybersecurity need to evaluate the capability of the process MAN.7 Risk management for Cybersecurity. The Base Practices of MAN.7 are related to the steps of performing and tracking a TARA. In the EU project CyberENG a training for cybersecurity managers and cybersecurity assessors is currently developed which explains how such a TARA is performed and what steps and attributes need to be considered. For the development of the iNTACS ASPICE for cybersecurity assessor training the SOQRATES group contributed practical examples for MAN.7, and SEC.1 to SEC.4 to the course development. This paper outlines how the TARA based on ISO 21434 and ASPICE for cybersecurity is structured and uses the example from the CyberENG project to explain it in practice.