This document elaborates on the Cybersecurity Assurance Level (CAL) concept and introduces the Targeted Attack Feasibility (TAF) concept, both within the context of cybersecurity engineering for road vehicles in accordance with ISO/SAE 21434.
This document describes the conceptual models, main principles, and relationships between CAL, TAF and other concepts. It provides guidelines to determine and use CAL and TAF for cybersecurity engineering of items and components.
Rationale: ISO/SAE 21434 is an international standard intended to be applied to many types of items and components that contain assets with different risk concerns.
The cybersecurity engineering process needs to ensure that the rigour applied is commensurate with the criticality of the item or component while satisfying the requirements of ISO/SAE 21434.
The existing Cybersecurity Assurance Levels (CAL) concept described in ISO/SAE 21434 Annex E is a classification scheme to enable scaling of the cybersecurity engineering process based on the assurance needed for an item or component.
In addition, there is a need for an appropriate means of specifying the strength of cybersecurity controls expected to mitigate risks to an acceptable level.
The new concept of Targeted Attack Feasibility (TAF) describes the expected attack feasibility rating for a given item or component within a specific context, e.g. threat scenarios, cybersecurity assets, impact.
The automotive distributed development process requires a common means of communicating these requirements through the supply chain, and also within an organization, including for out-of-context development.