Cybersecurity Guidebook for Cyber-Physical Vehicle Systems

<div class="section abstract"> <div class="htmlview paragraph">This recommended practice provides guidance on vehicle Cybersecurity and was created based off of, and expanded on from, existing practices which are being implemented or reported in industry, government and conference papers. The best practices are intended to be flexible, pragmatic, and adaptable in their further application to the vehicle industry as well as to other cyber-physical vehicle systems (e.g., commercial and military vehicles, trucks, busses). Other proprietary Cybersecurity development processes and standards may have been established to support a specific manufacturer’s development processes, and may not be comprehensively represented in this document, however, information contained in this document may help refine existing in-house processes, methods, etc.</div> <div class="htmlview paragraph">This recommended practice establishes a set of high-level guiding principles for <b><i>Cybersecurity</i></b> as it relates to <b><i>cyber-physical vehicle systems</i></b>. This includes:</div> <ul class="list disc"> <li class="list-item"> <div class="htmlview paragraph">Defining a complete lifecycle process framework that can be tailored and utilized within each organization’s development processes to incorporate Cybersecurity into cyber-physical vehicle systems from concept phase through production, operation, service, and decommissioning.</div></li> <li class="list-item"> <div class="htmlview paragraph">Providing information on some common existing tools and methods used when designing, verifying and validating <b><i>cyber-physical vehicle systems.</i></b></div></li> <li class="list-item"> <div class="htmlview paragraph">Providing basic guiding principles on Cybersecurity for vehicle systems.</div></li> <li class="list-item"> <div class="htmlview paragraph">Providing the foundation for further standards development activities in vehicle Cybersecurity.</div></li></ul> <div class="htmlview paragraph">The appendices provide additional information to be aware of and may be used in helping improve Cybersecurity of feature designs. Much of the information identified in the appendices is available but some experts may not be aware of all of the available information. Therefore, the appendices provide an overview of some of this information to provide further guidance on building Cybersecurity into cyber-physical vehicle systems. The objective of the overviews is to encourage research to help improve designs and identify methods and tools for applying a company’s internal Cybersecurity process.</div> <ol class="list nostyle"> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendices A</span>-<span class="xref">C</span> - Describe some techniques for Threat Analysis and Risk Assessment, Threat Modeling and Vulnerability Analysis (e.g., Attack Trees) and when to use them.</div></li> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendices D</span>-<span class="xref">I</span> - Provide awareness of information that is available to the Vehicle Industry.</div></li> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendix D</span> - Provides an overview of sample Cybersecurity and privacy controls derived from NIST SP 800-53 that may be considered in design phases.</div></li> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendix E</span> - Provides references to some available vulnerability databases and vulnerability classification schemes.</div></li> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendix F</span> - Describes vehicle-level considerations, including some good design practices for electrical architecture.</div></li> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendix G</span> -Lists current Cybersecurity standards and guidelines of potential interest to the vehicle industry.</div></li> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendix H</span> - Provides an overview of vehicle Cybersecurity-related research projects starting from 2004.</div></li> <li class="list-item"> <div class="htmlview paragraph"><span class="xref">Appendix I</span> - Describes some existing security test tools of potential interest to the vehicle industry.</div></li></ol> <div class="htmlview paragraph">Refer to the definitions section to understand the terminology used throughout the document.</div> </div>