Standardization of Cybersecurity Concepts in Automotive Process Models: An Assessment Tool Proposal

In the world of high-tech and information communication domains, the usage of network communication and cloud services is an unavoidable need, which jeopardizes systems and software products to cyber-attacks, causing loss of money, vital information, or may be even causing safety hazards. Hence, cybersecurity is considered as an integral part of the development which grabbed a lot of focus in the late 20th century. This led some huge industries (e.g.: Automotive) and service providers to consider the release of specific standards and process models for Cybersecurity. In August 2021, the German Association for Automotive Industry “VDA” which holds the top car manufacturers worldwide as members to release a new process model appendix called: the Automotive SPICE for Cybersecurity, which focuses on Process Reference, Process Assessment Models for Cybersecurity Engineering, and on the Rating Guidelines of Process Performance for Cybersecurity Engineering. In this paper, a case study of the result of applying this new standard on a sample set of projects will be presented, showing the investigation of challenges and lessons learned by following the traditional methodology of process capability assessments in the new Cybersecurity process assessments, with an introduction of a few tool proposals to cope with the specific requirements and constraints of a Cybersecurity process model that can help practitioners in other domains (e.g.: SSE-CMM). The study also urges the VDA to officially consider those best practices into the newly released Cybersecurity process model of Automotive SPICE to ensure a secure product and threat-immune organizational infrastructure.