Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA

Richard Messnarz; Damjan Ekert; Georg Macher; Svatopluk Stolfa; Jakub Stolfa; Alexander Much

doi:10.1007/978-3-031-15559-8_23

Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA

Richard Messnarz^*, Damjan Ekert, Georg Macher, Svatopluk Stolfa, Jakub Stolfa, Alexander Much

^*Corresponding author for this work

Institute of Technical Informatics (4480)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

The Automotive SPICE for Cybersecurity Assessor Course has been developed in Q4/2021 and launched in Jan. 2022. From 6^th July 2022 onwards Automotive projects need to declare the coverage of cybersecurity norms (UNECE 155, UNECE 156, ISO 21434) for the homologation of the vehicles in the EU. All car makers request in their customer requirements documents the performance of a TARA (Cybersecurity Threat and Risk Analysis) and all ASPICE assessments for cybersecurity need to evaluate the capability of the process MAN.7 Risk management for Cybersecurity. The Base Practices of MAN.7 are related to the steps of performing and tracking a TARA. In the EU project CyberENG a training for cybersecurity managers and cybersecurity assessors is currently developed which explains how such a TARA is performed and what steps and attributes need to be considered. For the development of the iNTACS ASPICE for cybersecurity assessor training the SOQRATES group contributed practical examples for MAN.7, and SEC.1 to SEC.4 to the course development. This paper outlines how the TARA based on ISO 21434 and ASPICE for cybersecurity is structured and uses the example from the CyberENG project to explain it in practice.

Original language	English
Title of host publication	Systems, Software and Services Process Improvement
Subtitle of host publication	29th European Conference, EuroSPI 2022, Proceedings
Editors	Murat Yilmaz, Paul Clarke, Richard Messnarz, Bruno Wöran
Place of Publication	Cham
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	319-334
Number of pages	16
ISBN (Print)	9783031155581
DOIs	https://doi.org/10.1007/978-3-031-15559-8_23
Publication status	Published - 2022
Event	29th European Systems, Software and Services Process Improvement: EuroSPI 2022 - Salzburg, Austria Duration: 31 Aug 2022 → 2 Sept 2022 Conference number: 29 https://conference.eurospi.net/index.php/en/

Publication series

Name	Communications in Computer and Information Science
Volume	1646 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	29th European Systems, Software and Services Process Improvement
Abbreviated title	EuroSPI 2022
Country/Territory	Austria
City	Salzburg
Period	31/08/22 → 2/09/22
Internet address	https://conference.eurospi.net/index.php/en/

Keywords

Cybersecurity assessment
Cybersecurity threat and risk analysis
MAN.7 risk management for Cybersecurity
TARA

ASJC Scopus subject areas

Computer Science(all)
Mathematics(all)

Access to Document

10.1007/978-3-031-15559-8_23

Cite this

Messnarz, R., Ekert, D., Macher, G., Stolfa, S., Stolfa, J., & Much, A. (2022). Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA. In M. Yilmaz, P. Clarke, R. Messnarz, & B. Wöran (Eds.), Systems, Software and Services Process Improvement : 29th European Conference, EuroSPI 2022, Proceedings (pp. 319-334). (Communications in Computer and Information Science; Vol. 1646 CCIS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-15559-8_23

Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA. / Messnarz, Richard; Ekert, Damjan; Macher, Georg et al.
Systems, Software and Services Process Improvement : 29th European Conference, EuroSPI 2022, Proceedings. ed. / Murat Yilmaz; Paul Clarke; Richard Messnarz; Bruno Wöran. Cham: Springer Science and Business Media Deutschland GmbH, 2022. p. 319-334 (Communications in Computer and Information Science; Vol. 1646 CCIS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Messnarz, R, Ekert, D, Macher, G, Stolfa, S, Stolfa, J & Much, A 2022, Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA. in M Yilmaz, P Clarke, R Messnarz & B Wöran (eds), Systems, Software and Services Process Improvement : 29th European Conference, EuroSPI 2022, Proceedings. Communications in Computer and Information Science, vol. 1646 CCIS, Springer Science and Business Media Deutschland GmbH, Cham, pp. 319-334, 29th European Systems, Software and Services Process Improvement, Salzburg, Austria, 31/08/22. https://doi.org/10.1007/978-3-031-15559-8_23

Messnarz R, Ekert D, Macher G, Stolfa S, Stolfa J, Much A. Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA. In Yilmaz M, Clarke P, Messnarz R, Wöran B, editors, Systems, Software and Services Process Improvement : 29th European Conference, EuroSPI 2022, Proceedings. Cham: Springer Science and Business Media Deutschland GmbH. 2022. p. 319-334. (Communications in Computer and Information Science). doi: 10.1007/978-3-031-15559-8_23

Messnarz, Richard ; Ekert, Damjan ; Macher, Georg et al. / Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA. Systems, Software and Services Process Improvement : 29th European Conference, EuroSPI 2022, Proceedings. editor / Murat Yilmaz ; Paul Clarke ; Richard Messnarz ; Bruno Wöran. Cham : Springer Science and Business Media Deutschland GmbH, 2022. pp. 319-334 (Communications in Computer and Information Science).

@inproceedings{873583d23d7441f3adb50fab06557929,

title = "Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA",

abstract = "The Automotive SPICE for Cybersecurity Assessor Course has been developed in Q4/2021 and launched in Jan. 2022. From 6th July 2022 onwards Automotive projects need to declare the coverage of cybersecurity norms (UNECE 155, UNECE 156, ISO 21434) for the homologation of the vehicles in the EU. All car makers request in their customer requirements documents the performance of a TARA (Cybersecurity Threat and Risk Analysis) and all ASPICE assessments for cybersecurity need to evaluate the capability of the process MAN.7 Risk management for Cybersecurity. The Base Practices of MAN.7 are related to the steps of performing and tracking a TARA. In the EU project CyberENG a training for cybersecurity managers and cybersecurity assessors is currently developed which explains how such a TARA is performed and what steps and attributes need to be considered. For the development of the iNTACS ASPICE for cybersecurity assessor training the SOQRATES group contributed practical examples for MAN.7, and SEC.1 to SEC.4 to the course development. This paper outlines how the TARA based on ISO 21434 and ASPICE for cybersecurity is structured and uses the example from the CyberENG project to explain it in practice.",

keywords = "Cybersecurity assessment, Cybersecurity threat and risk analysis, MAN.7 risk management for Cybersecurity, TARA",

author = "Richard Messnarz and Damjan Ekert and Georg Macher and Svatopluk Stolfa and Jakub Stolfa and Alexander Much",

note = "Publisher Copyright: {\textcopyright} 2022, Springer Nature Switzerland AG.; 29th European Systems, Software and Services Process Improvement : EuroSPI 2022, EuroSPI 2022 ; Conference date: 31-08-2022 Through 02-09-2022",

year = "2022",

doi = "10.1007/978-3-031-15559-8_23",

language = "English",

isbn = "9783031155581",

series = "Communications in Computer and Information Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "319--334",

editor = "Murat Yilmaz and Paul Clarke and Richard Messnarz and Bruno W{\"o}ran",

booktitle = "Systems, Software and Services Process Improvement",

address = "Germany",

url = "https://conference.eurospi.net/index.php/en/",

}

TY - GEN

T1 - Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA

AU - Messnarz, Richard

AU - Ekert, Damjan

AU - Macher, Georg

AU - Stolfa, Svatopluk

AU - Stolfa, Jakub

AU - Much, Alexander

N1 - Conference code: 29

PY - 2022

Y1 - 2022

N2 - The Automotive SPICE for Cybersecurity Assessor Course has been developed in Q4/2021 and launched in Jan. 2022. From 6th July 2022 onwards Automotive projects need to declare the coverage of cybersecurity norms (UNECE 155, UNECE 156, ISO 21434) for the homologation of the vehicles in the EU. All car makers request in their customer requirements documents the performance of a TARA (Cybersecurity Threat and Risk Analysis) and all ASPICE assessments for cybersecurity need to evaluate the capability of the process MAN.7 Risk management for Cybersecurity. The Base Practices of MAN.7 are related to the steps of performing and tracking a TARA. In the EU project CyberENG a training for cybersecurity managers and cybersecurity assessors is currently developed which explains how such a TARA is performed and what steps and attributes need to be considered. For the development of the iNTACS ASPICE for cybersecurity assessor training the SOQRATES group contributed practical examples for MAN.7, and SEC.1 to SEC.4 to the course development. This paper outlines how the TARA based on ISO 21434 and ASPICE for cybersecurity is structured and uses the example from the CyberENG project to explain it in practice.

AB - The Automotive SPICE for Cybersecurity Assessor Course has been developed in Q4/2021 and launched in Jan. 2022. From 6th July 2022 onwards Automotive projects need to declare the coverage of cybersecurity norms (UNECE 155, UNECE 156, ISO 21434) for the homologation of the vehicles in the EU. All car makers request in their customer requirements documents the performance of a TARA (Cybersecurity Threat and Risk Analysis) and all ASPICE assessments for cybersecurity need to evaluate the capability of the process MAN.7 Risk management for Cybersecurity. The Base Practices of MAN.7 are related to the steps of performing and tracking a TARA. In the EU project CyberENG a training for cybersecurity managers and cybersecurity assessors is currently developed which explains how such a TARA is performed and what steps and attributes need to be considered. For the development of the iNTACS ASPICE for cybersecurity assessor training the SOQRATES group contributed practical examples for MAN.7, and SEC.1 to SEC.4 to the course development. This paper outlines how the TARA based on ISO 21434 and ASPICE for cybersecurity is structured and uses the example from the CyberENG project to explain it in practice.

KW - Cybersecurity assessment

KW - Cybersecurity threat and risk analysis

KW - MAN.7 risk management for Cybersecurity

KW - TARA

UR - http://www.scopus.com/inward/record.url?scp=85137985749&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-15559-8_23

DO - 10.1007/978-3-031-15559-8_23

M3 - Conference paper

AN - SCOPUS:85137985749

SN - 9783031155581

T3 - Communications in Computer and Information Science

SP - 319

EP - 334

BT - Systems, Software and Services Process Improvement

A2 - Yilmaz, Murat

A2 - Clarke, Paul

A2 - Messnarz, Richard

A2 - Wöran, Bruno

PB - Springer Science and Business Media Deutschland GmbH

CY - Cham

T2 - 29th European Systems, Software and Services Process Improvement

Y2 - 31 August 2022 through 2 September 2022

ER -

Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this