If you’re in the automotive or semiconductor industries – cybersecurity is likely top of mind.
During this informative session Effectively Managing Cybersecurity in Jama Connect for Automotive and Semiconductor Industries, Kevin Dibble, Principal Consultant at Reinnovate Consulting, and Matt Mickle, Director of Automotive Solutions at Jama Software®, offer insights on how the right tooling solution can make a difference in managing a cybersecurity case.
In this webinar, attendees will see exactly how to:
- Define cybersecurity goals, requirements, and concepts
- Conduct threat analysis and risk assessment
- Establish traceability to the architecture design and verification/validation of cybersecurity measures
- Document the cybersecurity case and manage changes
- Identify and classify assets for the subject of the cybersecurity case
- Discover how Jama Connect can help you optimize your cybersecurity processes and stay ahead in the Automotive and Semiconductor industries.
Below is an abbreviated transcript of our webinar.
Effectively Managing Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries
Kevin Dibble: Well, first I’m going to talk about what we’re going to talk about, so these are the topics that we’re going to cover. And without reading this slide, really we’re going to cover the development life cycle of creating, the example we’re going to use is a 48-volt power assist system. You might also think of it as a battery management system. And so I’ll go over the agenda, but what you can see on the is we’re going to cover everything from the planning in the case through the TARA work and down through the left side of the V and some of the right side of the V activities as well. And here’s how we’re going to do it. First, to get everyone oriented to 21434, we’re going to talk about the standard itself briefly and highlight some of the benefits of implementing a cybersecurity case in a tool, in a requirement management tool.
Then we’ve got some workflows to look at, the steps of the development life cycle for 21434 from the perspective of an OEM and then again from the perspective of a tier one. And then Matt is going to show the work products, the traceability, and what we’ve talked about at the beginning actually in the tool in a built-out project for a 40 volt power assist system. And then we’ll finish with some takeaways. So that’s what’s on tap for today. And so I want to make the case for managing cybersecurity and the cybersecurity case and the work products in a requirements management tool. So I’m going to just look at each one of these points. The first item is to improve collaboration between OEMs, tier ones, and tier twos.
Jama Connect supports ReqIF, which can be used for bidirectional communication of requirements, item definitions, et cetera, as well as updates to those assets. And so it supports better collaboration. One thing that Jama promotes is this idea of trace as you go. So traceability is not an afterthought handled by a requirement engineer at the end of the project that takes weeks to implement on a complex project. It’s something that the engineers are doing as they’re creating the requirements tracing to parent requirements, design blocks for requirement allocation, et cetera. And so this tool supports that traces you go methodology along with some views of the progress of tracing.
RELATED: Buyer’s Guide: Selecting a Requirements Management and Traceability Solution for Automotive
Dibble: The impact analysis is a powerful tool when you trace as you go and the requirements left and right side V model assets are linked together. Then running impact analysis reports as changes come in midstream in programs, which they do in automotive for sure. You get that as a benefit. Like I mentioned earlier, requirements allocation. So allocating requirements to design blocks or interconnecting the requirement management system to design tools and doing allocation in those tools like Design Architect gives you some powerful analytics like test coverage reports automatically generated. Also connecting the tools through connectors gives you a toolchain view instead of disjointed tool. And finally, Jama Connect offers some analytics that we’ll see some of these in the demo that will give you a very clear indication of where you are in the project, especially in terms of requirements that are allocated, tests that have been covering requirements, and so on and so forth.
So with that, I’m going to orient everybody to 21434 in terms of the V model, which it’s centered on, and two other standards that you may be more familiar with. ISO 26262 and Automotive ASPICE. And so just a couple things here. If you are familiar with these other two standards, you’ll see that 21434 fits nicely alongside and that was intended by the ISO folks that did the standard. They very much aligned it with ISO 26262, and really even in nomenclature. So whereas in safety we have safety goals, in security we have security goals, in safety, we have the HARA, the hazard and risk assessment. In cybersecurity, we have the TARA, threat, and risk assessment, and so on and so forth. And also the common supporting processes like configuration management, change management, project management, document management, even confidence in use of software tools that all of these standards rely on are again repeated and required in 21434.
RELATED: A Guide to Road Vehicle Cybersecurity According to ISO 21434
Dibble: So just some basic organization of the standard in terms of the V model and then we’ll look at it in one more view in terms… this is directly out of ISO. And at Jama, we’ve added some color coding and I’m going to explain that. And so if you’re not familiar with this view, 21434 is oriented by clauses and sub-clauses. And so you can see the clause here like clause five is organizational, that’s policy and tool management and quality management and things. And then clause six, et cetera, and on down, that’s how this is organized. Jama has capabilities that support these sub-clauses. And so we’ve used a color system here to highlight that. The sub-clauses that are colored in green are fully supported and in fact, recommended to implement in Jama. The yellow are optional, they could be implemented in Jama.
And for most of these, we have customers that are implementing these types of things in Jama, but they also use other systems to implement them. And then this kind of yellow-green is partially supported. Jama can support some of the requirements but not all. And then of course red is not recommended for support in Jama and it’s usually house and other tools or things like production tools, et cetera. Okay, so what Jama brings to the table in terms of capabilities to support these green and yellow items are document building and generation. So the document management functionality as well as the exporting functionality. As you’ll see in the demo, you can export what has been entered in a requirements tree or in one view can be exported into a more of a document-style view that perhaps suppliers or other people might want to consume.
It has built-in collaboration tools for reviewing, which is very important because 21434, like 26262 requires review records, and all the work products are reviewed. Traceability and impact analysis, I already talked about. VNV verification and validation with the test manager tool as well as interconnections to other tools and analytics. There’s a nice support for the right side of the V activities. Using a common tool does bring alignment between different engineering disciplines, whether it’s hardware, software in systems, or if it’s QA tests and V&V activities versus development activities. Release planning and coverage through dashboards and status metrics and then of course baselining and reuse and whatnot.
And so this slide shows all of the items from the previous slide that were recommended or are optional and just shows how they would look in a project tree format. Again, Matt’s going to go through most of these items for our 48-volt power assist item that we’ve built out. Okay, one of the important features of Jama Connect as well as any requirement management tool is the ability to develop traceability. Here we’re showing the traceability model, which is their traceability models come with the product, but they also can be customized. And then I’ve got a little animation here to show for cybersecurity, some of those standard parts and tying them back to the standard. So for instance, in the model, I don’t know, it’s small print, but you can probably see cybersecurity asset, attack path, damage scenario, threat scenario. Those all correspond to the TARA and here are the sections that those are discussed in.
To watch the entire webinar, visit:
Effectively Managing Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries