The automotive cybersecurity standard ISO/SAE 21434 contains a reference that often goes overlooked — Clause 5.3.2, “…existing evidence of conformity with standards that support quality management…” — which Clause 5.4.4 also expresses as a requirement, RQ-05-11. This means that the developer of a secure system is expected to follow a quality-managed process as part of the system development process.
Clause 5.3.2 in ISO/SAE 21434 suggests a variety of standards the developer could use:
- ISO 9001 coupled with IATF 16949
- ISO 10007
- Automotive SPICE (ASPICE)
- The ISO/IEC 330XX family of standards
- ISO/IEC/IEEE 15288
- ISO/IEC/IEEE 12207
The above standards all have one thing in common: They all describe a basic systems engineering process that the organization should follow as part of the quality management framework for system development. Although this applies at the system level, ASPICE, ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 are all explicitly software engineering-based standards. The key takeaway from this observation is that software engineering and systems engineering have enough in common that they are almost interchangeable from a process perspective.
The real question, then, is, “What is a quality-managed process?” Better yet, “What does this mean for the cybersecurity development process?”
A quality-managed process is a development model designed to demonstrate the completion of a product according to a set of quality criteria. First and foremost, this means meeting or exceeding customer expectations, which are captured as requirements. Then the organization following the systems engineering standard can apply verification measures to demonstrate that they are rigorously following the development process.
Each verification measure applies to a different stage in the overall development and indicates that each stage is complete to a sufficient quality level. Once they’ve applied all the verification measures, the organization can validate the product per the requirements to demonstrate that it is, in fact, complete. Remember, verification is about building the product correctly; validation is about building the correct product.
The key reason for having the quality management framework as the baseline is that it reflects the fundamental engineering process for developing systems. Conformance to the process is one of the main ways by which we can determine whether a product is being developed correctly.
ISO/SAE 21434 conforms to that reasoning in the form of requirements for audits and assessments:
- 4.7 – Cybersecurity Audit – An audit determines compliance with the development model at an organizational level. In this case, the development model is a quality-based cybersecurity development life cycle.
- 4.8 – Cybersecurity Assessment – An assessment determines product compliance with the development framework. In this instance, we determine how the product complies with the cybersecurity specification.
The quality process allows the organization to demonstrate that the appropriate cybersecurity analyses and evaluations can take place at the appropriate time in the overall development life cycle and that there is an effective quality metric for each of those cybersecurity activities and their corresponding work products.
Ultimately, we get both process and product metrics through the quality framework to demonstrate measures taken to protect a product against cybersecurity threats.