Discussion points for Interpretation Document on Cybersecurity Japan Coordination Meeting for Test Phase of CS &OTA TF 26-27, February, 2019

Discussion Topics from JAPAN 1. CS Annex A scope; 2. Test Phase scope; Preliminary Assessment (Process certification) Documents for evidence 3.Main Q & A example ‘demonstrate’ and supply chain 7.2.2.1. The vehicle manufacturers shall demonstrate to an Approval authority or Technical Service that their Cyber Security Management System considers the following phases: : 4. Schedule - Materials to the next coordination meeting - Input/output to/from next GRVA (May or June) - Final deadline date

Scope Issue This Regulation applies to vehicles of the categories: [L], M, N, [O, R, S and T] From TFCS-11-04 Used as a Reference Model (It can be used as a basis to identify cyber-attack surfaces and vectors.)

1.Scope : Boundary Phase Communication Common Carrier Outsourcing Backend Servers e.g. Ride-Hailing Service In-house Vehicle On-board Systems OEM Identify A’ A Protect Detect Respond Recover A: Apply (confirming evidences) A’: Apply (The required degree of detail of evidences which are used for the certification may be differed from the “A” boundary.) Reference: NIST Cybersecurity Framework

2.Test Phase Scope (AnnexA-clause7) Preliminary assessment ２．Type Approval

3. The issues of ‘supply chain’; - Cybersecurity management system : 7.2.2.1. The vehicle manufacturer shall demonstrate to an Approval Authority or Technical Service that their Cyber Security Management System considers the following phases: -> How much demonstrate the supply chain? Tier1 ? Tier2? 　　　　How deep is it? (Development phase/production phase/post production phase) It will not be the same evidence level as OEM 　　　　　For deeper entities than Tier 2 level in a supply chain, evidences shall be gathered in a best effort manner. Supply chain をどこまで彫っていくかが課題 　　プロセス 　　Demonstrate OEMと同様のApplyとはいかず、Refer程度になる 　　　　SupplierのEvidenceが歯抜けになってしまう 　　　　； 　　（以降日本語で理由を書く；国交省殿） 　　Tier2,3となると全ては揃わない 　　Coordination Meeting では　Refer程度と言ってみる

3-1. The purpose of 7.2.Required Process Clause7 OEM’s checkpoint ISO27000 ISO21434 a The processes used within the manufacturer’s organization to manage cyber security; Company management system((organization) Overview of company standards Information security policies Organization of information security Roles and responsibilities Internal audit Management of Cybersecurity (5.1,5.2,5.3,5.4) b The processes used for the identification of risks to vehicle types; Asset definition Identification of threat analysis Asset management Information security risk assessment Information security risk treatment Nonconformity and corrective action Risk assessment c The processes used for the assessment, categorization and treatment of the risks identified; Risk classification Treatment determination Technical vulnerability management Risk treatment d The processes in place to verify that the risks identified are appropriately managed; Risk management (Internal review, Quality gate,. Etc.) Verification and assessment of the residual risks of the system design e The processes used for testing the security of the system throughout its development and production phases; Testing /Testing results management(Internal review, Quality gate,. Etc.) Access control, Cryptography Operations and Communications security System acquisition, development and maintenance Verification and validation System integration and test f The processes used for ensuring that the risk assessment is kept current; Vulnerability monitoring Management of information security incidents Monitoring, measurement, analysis and evaluation Management review Continual improvement Cybersecurity monitoring g The processes used to monitor for, detect and respond to cyber-attacks on vehicle types; SIRT Activity（incident） Vulnerability handling and incident response h The processes used to identify new and evolving cyber threats and vulnerabilities to vehicle types; SIRT Activity Continuous improvement and lessons learned i The processes used to appropriately react to new and evolving cyber threats and vulnerabilities. SIRT Activity（Vulnerability） 　Would like to discuss each requirement to the purpose/justification ① 社内管理体制（組織） ② 社内規定の全体図 ③ 保護資産定義 ④ 脅威リスク特定 ⑤ リスク評価 ⑥ リスク分類 ⑦ 処置決定 ⑧ リスク管理（社内レビュー、品質ゲートなど） ⑨ テスト実施/テスト結果管理（社内レビュー、品質ゲートなど） ⑩ 脆弱性モニタリング ⑪ SIRT活動（インシデント） ⑫ SIRT活動 ⑬ SIRT活動（脆弱性） 　それぞれの要件に対してこの程度の深さで議論したい

Supplier’s process ‘demonstration’ issues. 3.2 How to “Demonstrate” Supplier’s process ‘demonstration’ issues.　 For Cyber Security Management System Manufacturer shall document that the processes used within their Cyber Security Management System ensure security is adequately considered. Technical Service shall acknowledge that the processes used within their Cyber Security Management System ensure security is adequately considered on the document basis. (This activity includes inspections with the presence of TS.) For Cyber Security Vehicle Type Manufacturer shall demonstrate that the manufacturer has taken the necessary measures relevant for the vehicle type by evidences. Technical Service shall verify that the manufacturer has taken the necessary measures relevant for the vehicle type by evidences.