How do you manage the holistic organization of all the things that need to be done in terms of cybersecurity within an automotive development project? A major hub for this is the setting up of the so-called Cybersecurity plan. In this article we want to explain (in addition to our related learning video courses) why the Cybersecurity plan is of such enormous importance for the structuring, execution and documentation of all cybersecurity related activities in a development project.
++ Update end of 2023 ++
In the meantime, the ISO/SAE 21434:2021 Workbook Ebook/PDF has been published (CYRES Consulting, 2023), which contains formulated templates, background information and checklists for specific work products of the standard, including the Cybersecurity Plan [WP-06-01].
++ Update end of 2023 ++
First of all, it is important to set the boundaries: This article deals solely with the so-called Cybersecurity Plan as it is intended to ensure cybersecurity in the context of automotive development. Any general consideration of cybersecurity planning, for example with a view to IT security or similar, will be left out here.
Here we go.
In the following, we will, of course, refer to the theory of the ISO/SAE 21434 standard, which generally outlines the requirements for the Cybersecurity plan, but we will also include a somewhat more concrete perspective from the field and given best practices.
What is the Cybersecurity plan in automotive development?
In addition to the organizational matters of cybersecurity in the automotive context, which relate to structures, processes, management and the very general handlings, there are specific cybersecurity aspects and activities that are particularly important for each individual development project, especially with a view to the entire lifecycle until the finished component or vehicle.
They concern the entire development of a (new) item or component that falls under the relevance criteria of automotive cybersecurity.
For this development work, the so-called Cybersecurity plan is considered to be the most important document with regard to the holistic integration, comprehensive planning and documented execution of Cybersecurity activities within an automotive development project.
In addition to the actual Cybersecurity objectives to be accomplished for the respective item or component, the Cybersecurity plan should provide an overview of dependencies, as well as responsibilities, resources, and the planned and factual timeline of implementation. And, most importantly, the Cybersecurity plan should identify which particular ISO/SAE 21434 activities and the resulting Work products required by the standard in terms of cybersecurity for the respective item or component (this must be analyzed and argued in a comprehensible manner!) are to be implemented, and what the status of these activities is.
The Cybersecurity plan as Work product of the ISO/SAE 21434 standard
At the same time, it is important to be clear: The Cybersecurity plan itself is actually already a Work product of ISO/SAE 21434. This means that setting up the Cybersecurity plan is not an optional endeavor, but a concrete document defined by ISO/SAE 21434 (see Clause 6 in the standard), which must be set up in such a way that all the required contents are covered along the requirements in the standard.
Clarity about resources, responsibilities and areas of accountability
Anyone who has been involved not only in theoretical discussions but also in the very practical implementation of Cybersecurity activities knows that Cybersecurity demands time. And competence. And resources.
So, it is obvious that a very rigorous planning structure is required to ensure exactly these allocations for each and every required activity to be implemented in terms of cybersecurity for the respective development project. It should be similarly obvious that it becomes indispensable to consistently maintain and update the Cybersecurity plan, for example, in the event of changing framework conditions. (Which can be extremely multifaceted: from new suppliers, to restructuring of the cybersecurity organization, and many more. – This is why it is so important to have a clear view of the interrelationships).
The Cybersecurity plan as a working tool: recognizing when things are overdrawn
Almost nothing is more important in the realization of Cybersecurity activities than a consistent focus on time, quality and cost. Any shortfalls and time overruns in the completion and implementation of cybersecurity can be uncovered with an accurately and continuously maintained Cybersecurity plan.
It is important to always keep in mind: Cybersecurity implementation is always closely linked to the progress of the overall product development process. Delays in the Cybersecurity plan can have a direct impact on the entire development process, which is what makes the close linking so indispensable.
The importance of documenting progress
The Cybersecurity plan does not only contain static information. In fact, as a living document, the Cybersecurity plan provides an excellent source of information to holistically present achieved progress. For example, Cybersecurity activities can be tracked along the phases of the lifecycle of the item (or the component), with their required maturity levels (and how they are progressing towards achievement).
Often, the Cybersecurity plan is also used as a shared reporting tool to present the milestones achieved to external stakeholders in the development work beyond organizational boundaries.
In automotive development: Project plan vs. the Cybersecurity plan?
In any case, the Cybersecurity plan always needs a direct link to the higher-level Project Plan of a development project. It is usually irrelevant whether the Cybersecurity plan is
- integrated holistically into the given Project plan,
- or whether the Project plan refers to the corresponding Cybersecurity plan.
This close connection between the classical project management of the development project on the one hand and the challenges of cybersecurity on the other hand already makes clear that in practice it cannot be possible to look at cybersecurity as if the entire domain can be detached from project management and can be considered as a separate feature only. (Read also our blog article How to integrate cybersecurity throughout development projects in automotive).
In-depth support around the Cybersecurity plan
Please contact us for further discussions regarding the Cybersecurity plan. For example, on the preparation of specific work templates and/or the respective assistance from a cybersecurity perspective in development projects.
Learn more about the Cybersecurity plan and its importance in our related learning videos:
Planning of cybersecurity the project (learning video)
What is a Cybersecurity Plan (learning video)
Philipp Veronesi is founder and managing director of CYRES Consulting, one of the leading automotive cybersecurity consultancies. He has many years of practical experience not only in engineering but also in the management of technically challenging development projects for leading players in the automotive industry, including BMW, Audi, Rolls Royce, and others.
Comments are closed.