How to evidence consideration of the threats, mitigations and principles identified
To demonstrate that organisations have taken note of the recommendations in this paper it would be necessary for them to evidence how they have done so. This section describes what evidence could be used for this purpose.
The section does not distinguish to whom it might be necessary to share this information. It may be used internally within an organisation, between different organisations in a supply chain (for example manufacturer and supplier), or between manufacturers and relevant authorities (for example type approval bodies). Similarly, the section does not state the technical depth that would be needed. This should be determined by the organisations involved and be proportionate to the purpose for which they are using it.
Initial assessment (design and development stage). Organisations should be able to provide justifications of the security measures employed in their systems and/or vehicles and how they are addressing cyber security.
Organisations should be able to describe how they have considered the threats, mitigations and principles identified in this paper during the design and production of their systems/vehicles and the rationale for their choices. Within this they should be able to document:
How they have considered the threats and vulnerabilities identified (as detailed in annex 1) within their risk assessments, as well as how they have considered any risks or vulnerabilities that were not identified there.
How they are implementing the key mitigations and cyber security principles identified in this paper (as described in annexes 1 and 2).
What specific technical mitigations have been implemented and the rationale for their choices.
How organisations should achieve this is not specified, as it will depend on the organisation, the system or vehicle design, and the applicability of the threats or mitigations to that design.
Organisations may consider the threats, mitigations and principles both in terms of individual systems and in terms of the whole vehicle type approval. For type approved systems, the design of the system should ensure that the availability and safety of the system cannot be compromised through cyber threats or vulnerabilities. There may also be a need to consider this for non-type approved systems that could affect the safe operation, or availability, of the vehicle should they fail or be compromised. Finally, as some mitigations may be hard to incorporate into the type approval processes, there will be a need to consider cyber security at a vehicle level, taking into account the interactions of the different vehicle systems and considering, at this level, the threats, mitigations and principles.