Towards a security-driven automotive development lifecycle

Cybersecurity has become one of the most crucial challenges in the automotive development lifecycle. The upcoming ISO/SAE 21434 standard provides only a generic framework that is insufficient to derive concrete design methods. This article proposes an actionable cybersecurity development lifecycle model that provides concrete action and work product guidance aligned with the ISO/SAE 21434 and Automotive SPICE (R) extension for cybersecurity. The model has been inspired by action research in "next" industry practice pilot projects, which ensures that it is actionable. It has been augmented by insights gained from literature research in cybersecurity development for embedded systems. The proposed lifecycle model complements the ISO/SAE 21434 standard and provides the basis for the company-specific process and practice specifications. It has been validated through the integration of cybersecurity-related aspects in an electric power steering system. A core characteristic of the model is the central role of threat modeling, vulnerability analyses, and cybersecurity requirements derivation on both system and subsystem levels. Without concrete practice guidelines, the ISO/SAE 21434 is very difficult to understand and apply at this stage. This contribution aims to fill this gap through a model inspired by cutting-edge embedded cybersecurity practices interpreted for the current and near-future automotive electronic architectures.