Convergence Security Journal (융합보안논문지)

Korea convergence Security Association (한국융합보안학회)
권호 표지
DOI QR코드

DOI QR Code

Designing an evaluation model for cyber security management system implementation for companies participating in the automobile supply chain (based on ISO/SAE 21434 standard and TISAX assessment requirements)

자동차 공급망 참여기업 대상 사이버보안 관리체계 구현 평가모델설계 (ISO/SAE 21434 표준 및 TISAX 평가 요구사항을 기반으로)

  • 백은호 (중앙대학교 대학원 융합보안학과 산업보안전공)
  • Received : 2022.12.11
  • Accepted : 2022.12.31
  • Published : 2022.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Cyber security in the automobile sector is a key factor in the life cycle of automobiles, and cyber security evaluation standards are being strengthened worldwide. In addition, not only manufacturers who design and produce automobiles, but also due to the nature of automobiles consisting of complex components and various parts, the safety of cybersecurity can be secured only when the implementation level of the cybersecurity management system of companies participating in the entire supply chain is evaluated and managed. In this study, I analyzed the requirements of ISO/SAE 21434 and TISAX, which are representative standards for evaluating automotive cybersecurity. Through a survey conducted on domestic/overseas company security officers and related experts, suitability and feasibility were reviewed according to priorities and industries, so 6 areas and 45 evaluation criteria were derived and presented as final evaluation items. This study is meaningful as a study in that it presented a model that allows companies participating in the automotive supply chain to evaluate the current cybersecurity management level of the company by first applying ISO/SAE 21434 and TISAX overall control processes before uniformly introducing them.

자동차 분야의 사이버보안은 자동차 생애주기 중 핵심적인 요소로서 전 세계적으로 사이버보안 평가 기준이 강화되고 있다. 또한 자동차의 설계 및 생산을 수행하는 제조사만이 아니라 복잡한 컴포넌트와 다양한 부품으로 이루어진 자동차의 특성상 전체 공급망에 참여하는 기업들의 사이버보안 관리체계 구현 수준이 평가되고 관리되어야만 사이버보안의 안전성을 확보할 수 있다. 이에 본 연구에서는 자동차 사이버보안을 평가하는 대표적인 기준인 ISO/SAE 21434와 TISAX의 요구사항을 분석하여 총 7개 영역, 54개 사이버보안 관리체계를 평가할 수 있는 항목을 도출하였고 이를 국내/외 기업 보안담당자 및 유관 전문가 대상으로 진행한 설문조사를 통해 우선순위 및 업종에 따른 적합성, 타당성 검토를 거쳐서 6개 영역, 45개 평가 기준을 도출하여 최종 평가항목으로 제시하였다. 본 연구는 자동차 공급망에 참여하는 기업이 ISO/SAE 21434와 TISAX 전반의 통제 프로세스를 일률적으로 도입하기 전에 우선 적용하여 해당 기업의 현재 사이버보안 관리 수준을 평가할 수 있는 모델을 제시했다는 점에서 연구로서의 의의가 있다고 할 수 있다.

Keywords

References

  1. Zhendong Ma and Christoph Schmittner (2016), Threat Modeling for Automotive Security Analysis, Advanced Science and Technology Letters ,Vol. 139, 334-335. 
  2. EINSA,(Dec. 2016), "Cyber Security and Resilience of smart cars" 
  3. ALJOSCHA LAUTENBACH (2016), On Cyber-Security for In-Vehicle Software, CHALMERS UNIVERSITY OF TECHNOLOGY, 5. 
  4. Christoph Schmittner and Georg Macher (2019), Auto motive Cybersecurity Standards - Relation and Overview, 4-6. 
  5. Matan Levi,Yair Allouche, and Aryeh Kontorovich (2017), Advanced Analytics for Connected Cars Cyber Security, 2. 
  6. Stefan Marksteiner and Zhendong Ma (2019), Approaching the Automation of Cyber Security Testing of Connected Vehicles," 1. 
  7. Florian Sommer, Jurgen Durrwang, and Reiner Kriesten (2019), Survey and Classification of Automotive Security Attacks, 17-18. 
  8. Jay Kennedy, Thomas Holt & Betty Cheng(2019), Automotive cybersecurity: assessing a new platform for cybercrime and malicious hacking, JOURNAL OF CRIME AND JUSTICE Vol 42, 638. 
  9. UNECE(2018), Draft recommendation on Cyber Security of the task force on cyber security and over-the-air isses of UNECE WP.29 GRVA. 
  10. Christoph Schmittner, Georg Macher (2020), A Preliminary View on Automotive Cyber Security Management Systems, Conference paper, 3 
  11. W. Kerber and D. Moeller (2019), "Access to data in connected cars and the recent reform of the motor vehicle type approval regulation. 
  12. UNECE WP.29 GRVA, Draft recommendation on cyber security of the task force on cyber security and over-the-air issues of unece wp.29 grva., https://wiki.unece.org/pages/viewpage.action?pageId=60362218, 2022-10-21 
  13. Escrypt(2019), Security Special2019/2020, 4 
  14. ENX(2021), Participants handbook, https://www.enx.com/handbook/tisax-participant-handbook.html 
  15. Escrypt(2019), Cybersecurity full speed ahead2019/2020, 4 
  16. ENISA, 2019, good practices for security of Smart Cars 
  17. ENISA, 2016, Cyber Security and Resilience of smart cars 
  18. Christof Ebert, Jerome John, 김승훈, 2022, ISO 21434 통한 실질적 사이버 보안 대응, Automotive Electronics Magazine 
  19. Navigating New Automotive Cybersecurity Regulations, ESCRYPT 
  20. VDA ISA Checklist 5.0(2021), ENX 
  21. TISAX Participants handbook(2021), ENX 
  22. ybersecurity Best Practices for Modern Vehicles(2016), NHTSA