Challenges in Integrating Cybersecurity into Existing Development Processes
ISSN: 0148-7191, e-ISSN: 2688-3627
Published April 14, 2020 by SAE International in United States
For an established development process and a team accustomed to this process, adding cybersecurity features to the product initially means inconvenience and reduced productivity without perceivable benefits. Adapting development processes to take cybersecurity into account introduces challenges not present in engineering divisions so far. Strategies designed to deal with these challenges differ in the way in which added duties are assigned and cybersecurity topics are integrated into the already existing process steps. Cybersecurity requirements often clash with existing system requirements or established development methods, leading to low acceptance among developers and introducing the need for clear policies on how friction between cybersecurity and other fields is handled. A cybersecurity development approach is frequently perceived as introducing impediments, which carries the risk that cybersecurity measures receive a lower priority in order to reduce inconvenience. Moreover, this leads to frustration among cybersecurity developers when their proposals are not accepted and they feel their work is not appreciated. On the other hand, putting too much emphasis on cybersecurity leads to feature creep and makes the development unnecessarily complicated without producing appropriate results. It seems natural to orient oneself by how safety topics are handled in the development process and adjust this to accommodate cybersecurity. It is, however, not clear in which way these added responsibilities should be assigned, as conflicts of interest occur when a single person must additionally take cybersecurity goals into account, which might clash with other project goals this person is responsible for.
Ideally, cybersecurity aspects are considered and integrated into development processes not only to fulfill customer and legal requirements, but also to enable developers of functionalities not directly related to cybersecurity to produce better and more robust results as shortcuts are no longer easily possible.
Citation: Lenhart, P., Arndt, P., von Wedel, J., Beul, C. et al., "Challenges in Integrating Cybersecurity into Existing Development Processes," SAE Technical Paper 2020-01-0144, 2020, https://doi.org/10.4271/2020-01-0144.