1. Discussion points for Interpretation Document on Cybersecurity
Japan
Coordination Meeting for Test Phase of CS &OTA TF
26-27, February, 2019

2. Discussion Topics from JAPAN
1. CS Annex A scope;
2. Test Phase scope;
Preliminary Assessment (Process certification) Documents for evidence
3.Main Q & A example
‘demonstrate’ and supply chain
The vehicle manufacturers shall demonstrate to an Approval
authority or Technical Service that their Cyber Security Management
System considers the following phases: :
4. Schedule
- Materials to the next coordination meeting
- Input/output to/from next GRVA (May or June)
- Final deadline date

3. Scope Issue This Regulation applies to vehicles of the categories:
[L], M, N, [O, R, S and T]
From TFCS-11-04
Used as a Reference Model
(It can be used as a basis to identify cyber-attack surfaces and vectors.)

4. 1.Scope : Boundary Phase Communication Common Carrier Outsourcing
Backend
Servers
e.g. Ride-Hailing Service
In-house
Vehicle
On-board
Systems
OEM
Identify A’ A
Protect
Detect
Respond
Recover
A: Apply (confirming evidences)
A’: Apply (The required degree of detail of evidences which are used for the certification may be differed from the “A” boundary.)
Reference: NIST Cybersecurity Framework

5. 2.Test Phase Scope (AnnexA-clause7)
Preliminary assessment
２．Type Approval

6. 3. The issues of ‘supply chain’;
- Cybersecurity management system :
The vehicle manufacturer shall demonstrate to an Approval Authority or Technical Service that their Cyber Security Management System
considers the following phases:
-> How much demonstrate the supply chain? Tier1 ? Tier2?
　　　　How deep is it?
(Development phase/production phase/post production phase)
It will not be the same evidence level as OEM
　　　　　For deeper entities than Tier 2 level in a supply chain, evidences shall be gathered
in a best effort manner.
Supply chain をどこまで彫っていくかが課題
　　プロセス
　　Demonstrate
OEMと同様のApplyとはいかず、Refer程度になる
　　　　SupplierのEvidenceが歯抜けになってしまう
　　　　；
　　（以降日本語で理由を書く；国交省殿）
　　Tier2,3となると全ては揃わない
　　Coordination Meeting では　Refer程度と言ってみる

7. 3-1. The purpose of 7.2.Required Process
Clause7
OEM’s
checkpoint
ISO27000
ISO21434 a
The processes used within the manufacturer’s organization to manage cyber security;
Company management system((organization)
Overview of company standards
Information security policies
Organization of information security
Roles and responsibilities
Internal audit
Management of Cybersecurity
(5.1,5.2,5.3,5.4) b
The processes used for the identification of risks to vehicle types;
Asset definition
Identification of threat analysis
Asset management
Information security risk assessment
Information security risk treatment
Nonconformity and corrective action
Risk assessment c
The processes used for the assessment, categorization and treatment of the risks identified;
Risk classification
Treatment determination
Technical vulnerability management
Risk treatment d
The processes in place to verify that the risks identified are appropriately managed;
Risk management (Internal review, Quality gate,. Etc.)
Verification and assessment of the residual risks of the system design e
The processes used for testing the security of the system throughout its development and production phases;
Testing /Testing results management(Internal review, Quality gate,. Etc.)
Access control, Cryptography
Operations and Communications security
System acquisition, development and maintenance
Verification and validation
System integration and test f
The processes used for ensuring that the risk assessment is kept current;
Vulnerability monitoring
Management of information security incidents
Monitoring, measurement, analysis and evaluation
Management review
Continual improvement
Cybersecurity monitoring g
The processes used to monitor for, detect and respond to cyber-attacks on vehicle types;
SIRT Activity（incident）
Vulnerability handling and
incident response h
The processes used to identify new and evolving cyber threats and vulnerabilities to vehicle types;
SIRT Activity
Continuous improvement and lessons learned i
The processes used to appropriately react to new and evolving cyber threats and vulnerabilities.
SIRT Activity（Vulnerability）
　Would like to discuss each requirement to the purpose/justification
① 社内管理体制（組織）
② 社内規定の全体図
③ 保護資産定義
④ 脅威リスク特定
⑤ リスク評価
⑥ リスク分類
⑦ 処置決定
⑧ リスク管理（社内レビュー、品質ゲートなど）
⑨ テスト実施/テスト結果管理（社内レビュー、品質ゲートなど）
⑩ 脆弱性モニタリング
⑪ SIRT活動（インシデント）
⑫ SIRT活動
⑬ SIRT活動（脆弱性）
　それぞれの要件に対してこの程度の深さで議論したい

8. Supplier’s process ‘demonstration’ issues.
3.2 How to “Demonstrate”
Supplier’s process ‘demonstration’ issues.　
For Cyber Security Management System
Manufacturer shall document that the processes used within their Cyber Security Management System ensure security is adequately considered.
Technical Service shall acknowledge that the processes used within their Cyber Security Management System ensure security is adequately considered on the document basis. (This activity includes inspections with the presence of TS.)
For Cyber Security Vehicle Type
Manufacturer shall demonstrate that the manufacturer has taken the necessary measures relevant for the vehicle type by evidences.
Technical Service shall verify that the manufacturer has taken the necessary measures relevant for the vehicle type by evidences.