6.1: SEC.1 Cybersecurity Requirements
Process Definition
Purpose
SEC.1 Purpose: To specify cybersecurity goals from threat scenarios and derive cybersecurity requirements from those goals to address identified threats and achieve risk reduction.
Outcomes
| Outcome | Description |
|---|---|
| O1 | Cybersecurity goals specified from threat scenarios |
| O2 | Cybersecurity requirements derived from goals |
| O3 | Bidirectional traceability between requirements, goals, and threats maintained |
| O4 | Cybersecurity requirements agreed and communicated to stakeholders |
Base Practices with AI Integration
Note: ASPICE-CS-PAM-v2.0 defines 3 base practices for SEC.1. The implementation details in this chapter (STRIDE analysis, threat patterns, automated derivation) are practical extensions that demonstrate how AI tooling supports these normative practices.
| BP | Base Practice | AI Level | AI Application |
|---|---|---|---|
| BP1 | Specify cybersecurity goals and cybersecurity requirements | L2 | AI-assisted threat analysis → goal derivation → requirement generation with human validation |
| BP2 | Ensure consistency and establish bidirectional traceability | L2-L3 | Automated traceability matrices, consistency checking across threats-goals-requirements |
| BP3 | Communicate agreed cybersecurity requirements | L1 | Distribution automation, stakeholder notification |
Cybersecurity Requirements Framework
The diagram below shows how cybersecurity requirements are derived from threat analysis and cybersecurity goals, tracing from assets and attack scenarios through to specific security controls.
AI-Assisted Threat Analysis
STRIDE Automation
"""
AI-assisted STRIDE threat analysis for automotive systems.
"""
from dataclasses import dataclass
from typing import List, Dict, Optional
from enum import Enum
class StrideCategory(Enum):
SPOOFING = "S"
TAMPERING = "T"
REPUDIATION = "R"
INFORMATION_DISCLOSURE = "I"
DENIAL_OF_SERVICE = "D"
ELEVATION_OF_PRIVILEGE = "E"
@dataclass
class Asset:
"""System asset to protect."""
id: str
name: str
type: str # function, data, interface
security_properties: List[str] # CIA triad
criticality: str # high, medium, low
@dataclass
class Threat:
"""Identified threat."""
id: str
category: StrideCategory
asset: str
description: str
attack_vector: str
likelihood: str
impact: str
risk_level: str
@dataclass
class CybersecurityGoal:
"""Cybersecurity goal derived from threats."""
id: str
description: str
addressed_threats: List[str]
security_property: str
cal: str # Cybersecurity Assurance Level
@dataclass
class CybersecurityRequirement:
"""Specific security requirement."""
id: str
goal_id: str
description: str
type: str # functional, performance, constraint
verification_method: str
component: str
class AIThreatAnalyzer:
"""AI-assisted threat analysis.
Note: Pattern-based approach shown here; production use benefits from
LLM integration for more comprehensive threat identification.
"""
def __init__(self):
self.threat_patterns = self._load_threat_patterns()
def _load_threat_patterns(self) -> Dict:
"""Load known threat patterns for automotive systems."""
return {
'can_bus': {
StrideCategory.SPOOFING: [
"Attacker sends forged CAN messages",
"Replay attack on CAN communication"
],
StrideCategory.TAMPERING: [
"Man-in-the-middle modification of CAN frames",
"Injection of malicious CAN messages"
],
StrideCategory.DENIAL_OF_SERVICE: [
"CAN bus flooding attack",
"Bus-off attack on target ECU"
]
},
'diagnostic_port': {
StrideCategory.SPOOFING: [
"Unauthorized diagnostic tool connection"
],
StrideCategory.INFORMATION_DISCLOSURE: [
"Extraction of calibration data",
"Memory dump via diagnostic services"
],
StrideCategory.ELEVATION_OF_PRIVILEGE: [
"Bypass of security access",
"Firmware extraction and modification"
]
},
'wireless_interface': {
StrideCategory.SPOOFING: [
"Relay attack on key fob",
"Signal amplification attack"
],
StrideCategory.INFORMATION_DISCLOSURE: [
"Eavesdropping on RF communication",
"Rolling code prediction"
]
}
}
def analyze_asset(self, asset: Asset) -> List[Threat]:
"""Generate threats for an asset using AI + patterns."""
threats = []
# Pattern-based threat identification
if asset.type == 'interface':
interface_patterns = self.threat_patterns.get(
asset.name.lower().replace(' ', '_'), {}
)
for category, descriptions in interface_patterns.items():
for desc in descriptions:
threat = Threat(
id=f"THR-{asset.id}-{category.value}-{len(threats)+1:03d}",
category=category,
asset=asset.id,
description=desc,
attack_vector=self._determine_attack_vector(desc),
likelihood=self._estimate_likelihood(asset, category),
impact=self._estimate_impact(asset, category),
risk_level=""
)
threat.risk_level = self._calculate_risk(
threat.likelihood, threat.impact
)
threats.append(threat)
return threats
def _determine_attack_vector(self, description: str) -> str:
"""Determine attack vector from description."""
if "remote" in description.lower() or "wireless" in description.lower():
return "remote"
elif "physical" in description.lower() or "diagnostic" in description.lower():
return "physical"
else:
return "local"
def _estimate_likelihood(self, asset: Asset, category: StrideCategory) -> str:
"""Estimate threat likelihood."""
# Simplified estimation
if asset.criticality == 'high':
return 'high'
elif asset.criticality == 'medium':
return 'medium'
else:
return 'low'
def _estimate_impact(self, asset: Asset, category: StrideCategory) -> str:
"""Estimate threat impact."""
safety_impact = category in [
StrideCategory.TAMPERING,
StrideCategory.DENIAL_OF_SERVICE
]
if safety_impact and asset.criticality == 'high':
return 'severe'
elif asset.criticality == 'high':
return 'major'
else:
return 'moderate'
def _calculate_risk(self, likelihood: str, impact: str) -> str:
"""Calculate risk level from likelihood and impact."""
matrix = {
('high', 'severe'): 'critical',
('high', 'major'): 'high',
('high', 'moderate'): 'medium',
('medium', 'severe'): 'high',
('medium', 'major'): 'medium',
('medium', 'moderate'): 'low',
('low', 'severe'): 'medium',
('low', 'major'): 'low',
('low', 'moderate'): 'low'
}
return matrix.get((likelihood, impact), 'unknown')
def derive_goals(self, threats: List[Threat]) -> List[CybersecurityGoal]:
"""Derive cybersecurity goals from threats."""
goals = []
goal_templates = {
StrideCategory.SPOOFING: "Ensure authenticity of {asset}",
StrideCategory.TAMPERING: "Ensure integrity of {asset}",
StrideCategory.REPUDIATION: "Ensure non-repudiation of {asset}",
StrideCategory.INFORMATION_DISCLOSURE: "Ensure confidentiality of {asset}",
StrideCategory.DENIAL_OF_SERVICE: "Ensure availability of {asset}",
StrideCategory.ELEVATION_OF_PRIVILEGE: "Ensure proper authorization for {asset}"
}
# Group threats by category and asset
grouped = {}
for threat in threats:
key = (threat.category, threat.asset)
if key not in grouped:
grouped[key] = []
grouped[key].append(threat)
# Generate goals
for (category, asset), threat_list in grouped.items():
# Determine CAL based on highest risk
max_risk = max(t.risk_level for t in threat_list)
cal_map = {'critical': 'CAL 4', 'high': 'CAL 3', 'medium': 'CAL 2', 'low': 'CAL 1'}
goal = CybersecurityGoal(
id=f"CSG-{len(goals)+1:03d}",
description=goal_templates[category].format(asset=asset),
addressed_threats=[t.id for t in threat_list],
security_property=category.name.replace('_', ' ').title(),
cal=cal_map.get(max_risk, 'CAL 1')
)
goals.append(goal)
return goals
def derive_requirements(self, goals: List[CybersecurityGoal],
threat_db: Dict[str, Threat]) -> List[CybersecurityRequirement]:
"""Derive cybersecurity requirements from goals."""
requirements = []
mitigation_patterns = {
'Spoofing': [
("Implement message authentication", "functional"),
("Use secure key storage", "constraint")
],
'Tampering': [
("Implement integrity verification", "functional"),
("Use secure boot chain", "constraint")
],
'Information Disclosure': [
("Encrypt sensitive data at rest", "functional"),
("Encrypt sensitive data in transit", "functional")
],
'Denial Of Service': [
("Implement rate limiting", "functional"),
("Implement resource quotas", "performance")
],
'Elevation Of Privilege': [
("Implement access control", "functional"),
("Apply least privilege principle", "constraint")
]
}
for goal in goals:
patterns = mitigation_patterns.get(goal.security_property, [])
for desc, req_type in patterns:
req = CybersecurityRequirement(
id=f"CSR-{len(requirements)+1:03d}",
goal_id=goal.id,
description=f"{desc} for {goal.id}",
type=req_type,
verification_method="test" if req_type == "functional" else "inspection",
component="TBD"
)
requirements.append(req)
return requirements
Cybersecurity Requirement Specification
Requirement Template
Note: CAL (Cybersecurity Assurance Level) assignment is per ISO 21434; see Section Chapter 10.4 for CAL determination criteria.
# Cybersecurity Requirement (illustrative example)
cybersecurity_requirement:
id: CSR-BCM-001
title: "CAN Message Authentication"
version: 1.0
status: approved
derivation:
cybersecurity_goal: CSG-001
threats_addressed:
- THR-CAN-S-001
- THR-CAN-T-001
cal: CAL 3
specification:
description: |
The BCM SHALL authenticate all incoming door lock/unlock
commands received via CAN bus using SecOC with AES-128-CMAC.
security_property: authenticity, integrity
attack_surface: CAN bus interface
functional_requirements:
- "Verify MAC on each received lock/unlock message"
- "Reject messages with invalid MAC within 10ms"
- "Log authentication failures with timestamp"
performance_requirements:
- "Authentication SHALL complete within 5ms"
- "System SHALL handle 100 authenticated messages/second"
constraints:
- "Use HSM for MAC computation"
- "Key length SHALL be minimum 128 bits"
verification:
method: test
test_types:
- unit_test
- penetration_test
acceptance_criteria:
- "100% valid messages accepted"
- "100% invalid MAC messages rejected"
- "No false rejections in normal operation"
allocation:
component: BCM_Security_Module
implementation_reference: SWE-BCM-SEC-010
traceability:
derives_from:
- CSG-001 (Cybersecurity Goal)
satisfies:
- ISO21434-RQ-08-01
verified_by:
- SEC-TEST-001
AI-Generated Requirements Example
AI Cybersecurity Requirements Generation
Input: Asset "Door Lock Control via CAN"
The diagram below shows the AI-generated STRIDE analysis results for the door lock CAN interface, mapping each threat category to derived cybersecurity requirements and their assigned CAL levels.
Human Review Required:
- Validate threat completeness
- Confirm CAL assignments
- Review requirement feasibility
- Approve security architecture
Traceability Matrix
Requirements Traceability
The following diagram presents the cybersecurity traceability matrix, linking threats to cybersecurity goals, requirements, and verification activities for end-to-end audit evidence.
Work Products
| WP ID | Work Product | AI Role |
|---|---|---|
| 17-51 | Cybersecurity goals | AI derivation from threats |
| 17-00 | Cybersecurity requirements | AI generation with review |
| 13-51 | Consistency evidence | Automated consistency checking |
| 15-51 | Analysis results | AI STRIDE analysis, traceability matrices |
Summary
SEC.1 Cybersecurity Requirements:
- AI Level: L1-L2 (AI assists, human approves)
- Primary AI Value: Threat enumeration, requirement generation
- Human Essential: Goal validation, risk decisions
- Key Outputs: Cybersecurity goals, requirements, traceability
- ISO 21434 Alignment: Concept phase + Development phase