Common Criteria in the Automotive Security Regulatory Domain—CC-Based Automotive Risk Assessment (D13c)
Since July 2022, vehicle manufacturers who aim to place their new vehicles in countries including the EU, UK, Japan, South Korea and others, need to have their vehicles type-approved in line with the new UNECE Cybersecurity (R155) regulation. The regulation is asking vehicle manufacturers to implement a set of mature vehicle development and post-development processes, and at the same time demonstrate the applicability of these processes on the vehicle in scope.
Part of the required regulatory evidence includes determining security risks associated with the vehicle. Here, the method that is backed by most automotive Approval Authorities is based on the Common Criteria AVA attack rating methodology.
The proposed talk will present the concrete automotive security requirements in terms of risk assessment, as well as provide case studies of applying Common Criteria methodology in order to determine and rate the applicable security attack trees. The talk will highlight a practical way in which Common Criteria can be used at system-level: focusing on the entire vehicle.