As the DIS of theISO21434 is finally available. This is a collection of the insights anddiscussions we had while reading it. Read now inside the ISO/SAE 21434.

Work Products

The DIS of ISO21434distinguishes the three kinds of product phases conceptphase, development phase, and operation phase. The general endeavorof performing a TARA is described in chapter 8. The concept phase, asdescribed in chapter 9, consists of defining the item (9.3 Item Definition),finding Cybersecurity Goals (section 9.4) and bundling them into a wholeCybersecurity Concept (section 9.5). The major part of identifyingCybersecurity Goals is to invoke the TARA that is described in chapter 8.

The main steps whenperforming an ISO21434-conform TARA are (in order of an idealized linearexecution):

ItemDefinition (section 9.3)

AssetIdentification (section 8.3)

ThreatScenario Identification (section 8.4)

ImpactRating (section 8.5)

AttackPath Analysis (section 8.6)

AttackFeasibility Rating (section 8.7)

RiskDetermination (section 8.8)

RiskTreatment Decision (section 8.9)

CybersecurityGoals [RQ-09-07]

CybersecurityClaims [RQ-09-08]

CybersecurityConcept (section 9.5)

Insights

As this place is aliving document, we are continuously adding the questions and discussions thatarise. Here you go with some of them.

How toidentify relevant Assets according to ISO 21434?

In Clause 8.3, the DISof ISO21434 allows to enumerate the relevant assets with a variety of methods.As examples, it suggests to enumerate them by their impact rating, or threatscenarios, or even using predefined catalogues.

Notably, ISO21434includes the Damage Scenarios as a result of the Asset Identification. As aresult, in our figure above between Asset Identification, Threat ScenarioIdentification and Damage Scenario Identification; the arrows can actually goin various ways, depending on the applied method.

转载于：https://www.security-analyst.org/inside-the-iso-sae-21434

如果有ISO/SAE 21434标准相关的技术或认证问题，大家可以随时与我联系