Quality Management Frameworks for Automotive Cybersecurity 

Today’s vehicles contain multiple computers and hundreds of millions of lines of code that control the workings of interconnected mechanical, electrical, media and infotainment systems. As automation and in-vehicle technologies become more connected, the number of attack vectors and vulnerabilities increases. As a result, original equipment manufacturers (OEMs) and their suppliers must address complex cybersecurity risks as part of their quality and security management practices.

Among the standards and best practices for automotive cybersecurity, ISO/SAE 21434 specifies cybersecurity risk management requirements for road vehicles with electrical and electronic (E/E) systems, components, interfaces and communications. These requirements cover the product’s entire lifecycle — from concept, design, threat analysis and risk assessment (TARA) framework and development through production, operation, maintenance and decommissioning.

An often-overlooked aspect of automotive cybersecurity specified in Clause 5.3.2 of ISO/SAE 21434 — “existing evidence of conformity with standards that support quality management” — is later expressed as a requirement (RQ-05-11) in Clause 5.4.4. In other words, cybersecurity system developers are expected to follow a quality-managed process as part of system development. Overlooking the quality management requirement can diminish a product’s quality, security and reliability. Ignoring quality management can also expose the manufacturer to liability risks and prevent the product from being accepted in specific regions of the world (such as the European Union) with regulatory requirements for automotive cybersecurity.

A quality-managed process demonstrates the completion of product development while meeting a set of quality criteria. First and foremost, this means meeting or exceeding customer expectations, which are captured as requirements. The quality management framework reflects the fundamental engineering process for developing systems. Conformance to the process is a crucial way of determining whether a product is being developed correctly. 

Quality management frameworks for system development

Clause 5.3.2 in ISO/SAE 21434 suggests a variety of standards developers could use to set up quality management frameworks for system development, including:  

• ISO 9001 coupled with IATF 16949
• ISO 10007
• Automotive SPICE® (ASPICE)
• The ISO/IEC 330XX family of standards
• ISO/IEC/IEEE 15288
• ISO/IEC/IEEE 12207  

Developers can apply verification measures to demonstrate that their development processes are followed rigorously. Each verification measure applies to a different stage in the overall development and indicates that the relevant stage is complete to a sufficient level of quality. Once developers have applied all the verification measures, they can validate their products according to the requirements to demonstrate that they are complete. (Verification refers to building the product correctly, whereas validation refers to building the correct product.)

ISO/SAE 21434 specifies requirements for audits and assessments to address the quality-managed product development process. Clause 5.4.7 requires a cybersecurity audit by which compliance with a quality-based cybersecurity development lifecycle is determined at an organizational level. Clause 6.4.8 requires a cybersecurity assessment by which it is determined how the product complies with the cybersecurity specification within the development framework. Through the quality-managed process, an organization demonstrates that the appropriate cybersecurity analyses and evaluations have taken place at the appropriate time in the overall development lifecycle and that there is an effective quality metric for each of those cybersecurity activities and their corresponding work products. Both process and product metrics are revealed through the quality management framework, demonstrating that the organization has developed a product that is sufficiently protected against threats.

Automotive SPICE® (ASPICE) for cybersecurity

As mentioned earlier, ASPICE for cybersecurity is an established quality management framework and industry standard that helps assess and improve processes in the software-based development of automotive electronics. The ASPICE model supports automotive OEMs and suppliers as they navigate the challenges of developing increasingly complex systems. The model helps OEMs and suppliers establish effective processes, manage development timeline pressures and handle the changes requested by their customers.

ASPICE provides a way to measure capability level in adhering to critical sequences of tasks or processes in the development of automotive software. Automotive companies can also use ASPICE to assess their suppliers, which must confirm whether they have achieved a certain level of process maturity in relevant areas. ASPICE specialists can examine suppliers’ strengths and weaknesses and recommend potential improvements.

UL Solutions automotive cybersecurity services

With Kugler Maag Cie by UL Solutions, kVA by UL Solutions, and Method Park by UL Solutions, we bring together widely trusted names in automotive safety and cybersecurity to offer comprehensive services for OEMs and their tier suppliers. We can provide guidance and support to help OEMs, as well as automotive component and system manufacturers navigate complexity and develop a framework for automotive cybersecurity standards and best practices. Through expert gap analysis, training and process excellence,* we help you identify and manage software vulnerabilities and cyber risk, empowering you to develop more trustworthy and secure innovations and to achieve acceptance in your global target markets.

Training offerings for automotive safety and security

UL Solutions offers a variety of automotive safety and security training programs. For more information, please visit our automotive training page.

*This article is an adaptation and expansion of “How Systems Engineering Applies to Cybersecurity” by Pete Brink. Brink is a functional safety engineering leader at kVA by UL Solutions and a member of the kVA by UL Solutions Cybersecurity team. He works with customers to create work products and processes that comply with automotive safety and cybersecurity standards. He has 36 years of experience as a software engineer working on safety-critical systems, is active in the Enabling Linux In Safety Applications (ELISA) project and is a program evaluator (PEV) in software engineering for Accreditation Board for Engineering and Technology (ABET).

Within the UL family of companies, we provide a broad portfolio of offerings for the automotive industry. This includes testing, inspection, assessment, certification and consulting services. In order to protect and prevent any conflict of interest, perception of conflict of interest and protection of both our brand and our customers' brands, UL Solutions has processes in place to identify and manage any potential conflicts of interest and maintain impartiality.