Security Capability Matrix


| Security Capability | Protects | Applied To | Mechanism | Evidence | Open Decision |
|---|---|---|---|---|---|
| Secure Diagnostics and RBAC | Diagnostic access state and privileged services | Diagnostic Tester Interface / Diagnostic Server | UDS Auth 0x29, authorization, lockout and audit | Strong | Confirm final role model and service list |
| Secure Software Update | ECU software and firmware authenticity | Bootloader / Update Logic | Signed packages, integrity validation, rollback control and update logging | Strong | Confirm signing chain, rollback and campaign ownership |
| Data Authenticity and Integrity Verification | Security-relevant vehicle data | Vehicle Network / Secure Data Transfer Interface | SecOC/SDT-style MAC, freshness and replay rejection | Moderate | Confirm protected signal allocation |
| Key and Certificate Handling | Keys, certificates and trust anchors | Security Services / Hardware Platform / PKI | Provisioning, validation, protected storage and renewal/revocation | Strong | Confirm HSM capability and PKI ownership |
| Communication Boundary Control | Vehicle and offboard interface boundaries | External Interfaces / Security Services | Input validation, boundary filtering and fail-safe discard behaviour | Moderate | Confirm exact boundaries and failure policy |
| Security Logging | Security event evidence | Logging / Event Reporting Interface | Event capture, retention, integrity and reporting | Moderate | Confirm event set and reporting channel |
| Vulnerability and Incident Handling | Field security posture | Security Operations / Compliance Process | Vulnerability intake, triage, mitigation and incident workflow | Strong | Confirm reporting channels and responsibilities |
| Cybersecurity Evidence and DIA | Approval and residual-risk case | Engineering Toolchain / OEM Approval Interface | Traceability, V&V evidence, decision logging and residual-risk approval | Strong | Confirm DIA split and authority |

Security Capability Map

Mermaid source
flowchart LR
  subgraph Protect["Protected areas"]
    Data["Vehicle data"]
    Software["ECU software"]
    Diag["Diagnostic access"]
    Trust["Keys and certificates"]
    Evidence["Security evidence"]
  end
  subgraph Capabilities["Security capabilities"]
    Comms["Secure communication"]
    UpdateSec["Secure update"]
    RBAC["Diagnostics RBAC"]
    KeyMgmt["Key / certificate management"]
    Audit["Logging and evidence"]
  end
  Comms --> Data
  UpdateSec --> Software
  RBAC --> Diag
  KeyMgmt --> Trust
  Audit --> Evidence

Protected Asset Table


| Asset | Threat Exposure | Protection Strategy | Evidence | Open Decision |
|---|---|---|---|---|
| Clutch control behaviour | Command spoofing, unsafe state or malformed data | Command validation, authenticated/fresh messages where allocated, diagnostic authorization | Confirmed function; security allocation inferred | Confirm protected signal set |
| ECU software and firmware | Tampered or wrong software installed | Signed update, IVD/integrity checks, secure boot/platform integrity | Strong update/flash evidence | Confirm signing chain and rollback |
| Keys, certificates and trust anchors | Credential theft or invalid trust decisions | Protected storage, certificate validation, lifecycle management | Strong key/certificate evidence | Confirm HSM and PKI owner |
| Diagnostic access state | Unauthorized privileged service access | UDS Auth 0x29, RBAC, lockout and audit | Strong diagnostic evidence | Confirm role model |
| Security evidence and decisions | Untrusted evidence or unapproved residual risk | Traceability, review workflow and decision logging | Strong process evidence | Confirm approval authority |

Attack Surface Table


| Attack Surface | Entry Point | Required Controls | Evidence | Status |
|---|---|---|---|---|
| Vehicle network | CAN / PWM command and status path | Message validation, authenticity/freshness where allocated, safe discard | CAN/PWM requirements and SecOC/SDT evidence | Requires confirmation |
| Diagnostic access | UDS tester and programming services | Authentication, authorization, lockout, rate limiting and audit | UDS/Auth 0x29 evidence | Requires confirmation |
| Software update / flash | Programming/update package path | Signature validation, IVD/integrity checks, rollback and logging | Flash/update evidence | Requires confirmation |
| PKI / provisioning | Key and certificate injection or renewal path | Protected storage, certificate validation, ownership and revocation controls | Key/certificate evidence | Requires confirmation |
| Supplier engineering evidence | ALM, CI/test and evidence repository | Access control, artifact integrity and audit trail | Cybersecurity concept/evidence requirements | Requires confirmation |

Security Decision Table


| Conclusion | Status | Evidence | Impact | Decision Needed |
|---|---|---|---|---|
| ECA ECU product identity and AMT platform context | Confirmed | 3299216_1.md function statements; system_identity.md | Stabilizes review-board naming | Confirm final product designation/variant |
| Cybersecurity concept and evidence package are in scope | Confirmed | Cybersecurity and process requirements | Makes this an architecture/security baseline, not a brochure | Confirm approval workflow |
| Secure diagnostics, update and key/certificate handling apply to the ECU | Inferred | UDS, flash/IVD and certificate/key requirements | Drives security services and trust-boundary design | Confirm exact allocation |
| SecOC/SDT-style protection is needed for selected data flows | Requires Confirmation | Secure communication requirements | Blocks final interface-security allocation | Customer must identify protected signals |

Asset Model

Asset: Vehicle function data

Classification: Inferred from Requirements

Why It Needs Protection

Compromise affects product security goals, customer evidence, or lifecycle operations.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00066; REQ-AUTO-00141; req-6.3; REQ-AUTO-00146; REQ-AUTO-00193; REQ-AUTO-00196; REQ-AUTO-00199; REQ-AUTO-00289; REQ-AUTO-00334; REQ-AUTO-00452 (showing 10 of 36)
  • Source Markdown sections/pages: converted/markdown-cleaned/3299216_1.md page 4; converted/markdown-cleaned/3299216_1.md page 22; converted/markdown-cleaned/3299216_1.md page 23; converted/markdown-cleaned/3299216_1.md page 31; converted/markdown-cleaned/3299216_1.md page 33; converted/markdown-cleaned/CVS123-2.md page 6; converted/markdown-cleaned/CVS123-2.md page 12; converted/markdown-cleaned/CVS123-2.md page 39 (showing 8 of 27)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Asset: ECU software and firmware

Classification: Explicit Requirement

Why It Needs Protection

Compromise affects product security goals, customer evidence, or lifecycle operations.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00006; REQ_SEC_0003; REQ_SEC_0007; REQ_SEC_0008; REQ_SEC_0009; REQ_SEC_0043; REQ-AUTO-00051; REQ-AUTO-00129; REQ-AUTO-00178; REQ-AUTO-00180 (showing 10 of 242)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/3299216_1.md page 19; converted/markdown-cleaned/3299216_1.md page 27; converted/markdown-cleaned/3299216_1.md page 34 (showing 8 of 110)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Asset: Cryptographic keys and certificates

Classification: Explicit Requirement

Why It Needs Protection

Compromise affects product security goals, customer evidence, or lifecycle operations.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0016; REQ_SEC_0019; REQ-AUTO-00335; REQ-AUTO-00340; REQ-AUTO-00445; REQ_UDS-0038; REQ_UDS-0068; REQ_UDS-0070; REQ_UDS-0071; REQ_UDS-0072 (showing 10 of 69)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/CVS123-2.md page 14; converted/markdown-cleaned/CVS123-2.md page 16; converted/markdown-cleaned/CVS123-2.md page 37; converted/markdown-cleaned/CVS124.md page 22; converted/markdown-cleaned/CVS124.md page 34; converted/markdown-cleaned/CVS124.md page 40; converted/markdown-cleaned/CVS151.md page 11 (showing 8 of 29)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Asset: Diagnostic access state

Classification: Explicit Requirement

Why It Needs Protection

Compromise affects product security goals, customer evidence, or lifecycle operations.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0010; REQ_SEC_0011; req-6.20; REQ-AUTO-00282; REQ-AUTO-00284; REQ-AUTO-00290; REQ_UDS-0051; REQ_UDS-0051; REQ-AUTO-00298; REQ-AUTO-00299 (showing 10 of 344)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/3299216_1.md page 23; converted/markdown-cleaned/CVS123-2.md page 4; converted/markdown-cleaned/CVS123-2.md page 6; converted/markdown-cleaned/CVS123-2.md page 7; converted/markdown-cleaned/CVS123-2.md page 9; converted/markdown-cleaned/CVS123-2.md page 10; converted/markdown-cleaned/CVS123-2.md page 11 (showing 8 of 120)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Asset: Cybersecurity concept and evidence

Classification: Explicit Requirement

Why It Needs Protection

Compromise affects product security goals, customer evidence, or lifecycle operations.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0001; REQ-AUTO-00005; REQ_SEC_0003; REQ_SEC_0024; REQ_SEC_0004; REQ_SEC_0005; REQ_SEC_0007; REQ_SEC_0041; REQ-AUTO-00076 (showing 10 of 48)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/3299216_1.md page 5; converted/markdown-cleaned/3299216_1.md page 23; converted/markdown-cleaned/3299216_1.md page 27; converted/markdown-cleaned/3299216_1.md page 50 (showing 8 of 31)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Asset: Backend/update and security operations data

Classification: Inferred from Requirements

Why It Needs Protection

Compromise affects product security goals, customer evidence, or lifecycle operations.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0002; REQ_SEC_0044; REQ_SEC_0045; REQ_SEC_0046; REQ_SEC_0032; REQ_SEC_0033; REQ_SEC_0034; REQ_SEC_0035; REQ-AUTO-00051; REQ_SEC_0036 (showing 10 of 365)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 12; converted/markdown-cleaned/3299216_1.md page 9; converted/markdown-cleaned/3299216_1.md page 10; converted/markdown-cleaned/3299216_1.md page 11; converted/markdown-cleaned/3299216_1.md page 12 (showing 8 of 138)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Asset: Hardware platform integrity

Classification: Inferred from Requirements

Why It Needs Protection

Compromise affects product security goals, customer evidence, or lifecycle operations.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0003; REQ_SEC_0040; REQ_SEC_0025; REQ_SEC_0009; REQ_SEC_0010; REQ_SEC_0011; REQ_SEC_0026; REQ-AUTO-00051; REQ_SEC_0047; REQ_SEC_0049 (showing 10 of 69)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 12; converted/markdown-cleaned/3299216_1.md page 4; converted/markdown-cleaned/3299216_1.md page 7 (showing 8 of 51)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Security Capability Model

Security Capability: Identity and Access Control

Purpose

Ensure only authorized tools, systems, users, and software actors can perform security-relevant actions.

Threat / Risk Addressed

Unauthorized actor gains privileged access.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • OEM/customer cybersecurity approval and evidence interface
  • Secure update, flash, and IVD interface
  • Certificate and key provisioning interface
  • Development, ALM, and evidence tooling interface
  • Security operations and vulnerability reporting interface
  • Hardware platform and key storage interface

Architecture Elements Involved

  • Security Services
  • Diagnostic Server
  • Backend/PKI

Expected Mechanisms

  • Authentication
  • Authorization
  • Secure sessions
  • Role or certificate validation

Explicit vs Inferred Status

Explicit Requirement

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0008; REQ_SEC_0015; REQ-AUTO-00175; REQ-AUTO-00290; REQ-AUTO-00333; REQ-AUTO-00334; REQ-AUTO-00376; REQ-AUTO-00496; REQ_UDS-0030; REQ_UDS-0045 (showing 10 of 149)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/3299216_1.md page 27; converted/markdown-cleaned/CVS123-2.md page 6; converted/markdown-cleaned/CVS123-2.md page 12; converted/markdown-cleaned/CVS123-2.md page 23; converted/markdown-cleaned/CVS124.md page 7; converted/markdown-cleaned/CVS124.md page 20 (showing 8 of 54)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Security Capability: Cryptographic Protection

Purpose

Provide authenticity, integrity, confidentiality, and non-repudiation where required.

Threat / Risk Addressed

Data, software, or credentials are modified, disclosed, or forged.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • See interface catalog; exact allocation needs confirmation.

Architecture Elements Involved

  • Security Services
  • Hardware Platform / HSM
  • Application Software

Expected Mechanisms

  • Encryption
  • Signatures/MACs
  • Integrity checks
  • Key isolation

Explicit vs Inferred Status

Inferred from Requirements

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0008; REQ_SEC_0020; REQ_SEC_0016; REQ_SEC_0019; REQ-AUTO-00089; REQ-AUTO-00321; REQ-AUTO-00323; REQ-AUTO-00324; REQ-AUTO-00339; REQ-AUTO-00340 (showing 10 of 117)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/3299216_1.md page 10; converted/markdown-cleaned/CVS123-2.md page 11; converted/markdown-cleaned/CVS123-2.md page 16; converted/markdown-cleaned/CVS123-2.md page 19; converted/markdown-cleaned/CVS123-2.md page 25; converted/markdown-cleaned/CVS123-2.md page 26 (showing 8 of 56)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Security Capability: Secure Communication

Purpose

Protect vehicle, diagnostic, backend, and service data exchanges against tampering, spoofing, and replay.

Threat / Risk Addressed

Attacker injects, replays, modifies, or observes security-relevant traffic.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • Vehicle network secure data communication interface
  • Secure update, flash, and IVD interface

Architecture Elements Involved

  • External Interfaces
  • Application Software
  • Security Services

Expected Mechanisms

  • SecOC/SDT-style protection
  • Freshness counters
  • Replay protection
  • Fail-closed discard rules

Explicit vs Inferred Status

Inferred from Requirements

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0011; REQ_SEC_0012; REQ_SEC_0013; REQ-AUTO-00066; REQ-AUTO-00099; REQ-AUTO-00139; REQ-AUTO-00141; req-6.3; REQ-AUTO-00146; REQ-AUTO-00193 (showing 10 of 128)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/3299216_1.md page 4; converted/markdown-cleaned/3299216_1.md page 11; converted/markdown-cleaned/3299216_1.md page 22; converted/markdown-cleaned/3299216_1.md page 23; converted/markdown-cleaned/3299216_1.md page 31; converted/markdown-cleaned/3299216_1.md page 33; converted/markdown-cleaned/3299216_1.md page 40 (showing 8 of 50)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Security Capability: Secure Boot and Platform Integrity

Purpose

Ensure only valid and authorized software executes on an ECU with an integrity-preserving platform.

Threat / Risk Addressed

Unauthorized software or tampered platform state is trusted.

Requirement Basis

Protected Assets

  • ECU software and firmware
  • Diagnostic access state
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • Vehicle network secure data communication interface
  • Secure update, flash, and IVD interface

Architecture Elements Involved

  • Hardware Platform
  • Boot/Update Manager
  • Security Services

Expected Mechanisms

  • Secure boot
  • Platform integrity checks
  • Debug restrictions
  • Authentic software checks

Explicit vs Inferred Status

Inferred from Requirements

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

Security Capability: Secure Software Update

Purpose

Ensure update and flash content is authentic, intact, authorized, and traceable.

Threat / Risk Addressed

Malicious or wrong software is installed or update evidence is lost.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • Vehicle network secure data communication interface
  • Secure update, flash, and IVD interface
  • Application software to security services interface

Architecture Elements Involved

  • Backend and IT Systems
  • Boot/Update Manager
  • Security Services

Expected Mechanisms

  • Signed packages
  • IVD checks
  • Certificate validation
  • Update logging

Explicit vs Inferred Status

Inferred from Requirements

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00203; REQ-AUTO-00279; REQ-AUTO-00284; REQ-AUTO-00290; REQ_UDS-0051; REQ-AUTO-00297; REQ-AUTO-00298; REQ-AUTO-00302; REQ-AUTO-00303; REQ-AUTO-00306 (showing 10 of 81)
  • Source Markdown sections/pages: converted/markdown-cleaned/3299216_1.md page 34; converted/markdown-cleaned/CVS123-2.md page 1; converted/markdown-cleaned/CVS123-2.md page 4; converted/markdown-cleaned/CVS123-2.md page 6; converted/markdown-cleaned/CVS123-2.md page 7; converted/markdown-cleaned/CVS123-2.md page 9; converted/markdown-cleaned/CVS123-2.md page 10; converted/markdown-cleaned/CVS123-2.md page 11 (showing 8 of 47)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Security Capability: Secure Diagnostics

Purpose

Enable service access while preventing unauthorized diagnostic control.

Threat / Risk Addressed

Diagnostic service becomes a bypass for security controls.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • Vehicle network secure data communication interface
  • Secure update, flash, and IVD interface

Architecture Elements Involved

  • Diagnostic Interface
  • Security Services
  • Application Software

Expected Mechanisms

  • UDS authentication
  • Access control
  • Rate limiting
  • Diagnostic audit

Explicit vs Inferred Status

Explicit Requirement

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0010; REQ_SEC_0011; req-6.20; REQ-AUTO-00282; REQ-AUTO-00284; REQ-AUTO-00290; REQ_UDS-0051; REQ_UDS-0051; REQ-AUTO-00298; REQ-AUTO-00299 (showing 10 of 341)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/3299216_1.md page 23; converted/markdown-cleaned/CVS123-2.md page 4; converted/markdown-cleaned/CVS123-2.md page 6; converted/markdown-cleaned/CVS123-2.md page 7; converted/markdown-cleaned/CVS123-2.md page 9; converted/markdown-cleaned/CVS123-2.md page 10; converted/markdown-cleaned/CVS123-2.md page 11 (showing 8 of 119)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Security Capability: Key and Certificate Management

Purpose

Maintain trustworthy cryptographic identities and secrets across lifecycle.

Threat / Risk Addressed

Compromised trust material invalidates multiple controls.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data

Interfaces Protected

  • OEM/customer cybersecurity approval and evidence interface
  • Secure update, flash, and IVD interface
  • Certificate and key provisioning interface
  • Development, ALM, and evidence tooling interface
  • Security operations and vulnerability reporting interface
  • Hardware platform and key storage interface

Architecture Elements Involved

  • Security Services
  • PKI/Provisioning
  • Hardware Platform

Expected Mechanisms

  • PKI lifecycle
  • Trust-anchor management
  • Secure provisioning
  • Protected key storage

Explicit vs Inferred Status

Explicit Requirement

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0016; REQ_SEC_0019; REQ-AUTO-00335; REQ-AUTO-00340; REQ-AUTO-00445; REQ_UDS-0038; REQ_UDS-0068; REQ_UDS-0070; REQ_UDS-0071; REQ_UDS-0072 (showing 10 of 69)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/CVS123-2.md page 14; converted/markdown-cleaned/CVS123-2.md page 16; converted/markdown-cleaned/CVS123-2.md page 37; converted/markdown-cleaned/CVS124.md page 22; converted/markdown-cleaned/CVS124.md page 34; converted/markdown-cleaned/CVS124.md page 40; converted/markdown-cleaned/CVS151.md page 11 (showing 8 of 29)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Security Capability: Logging and Audit

Purpose

Record security-relevant activity for accountability, evidence, and investigation.

Threat / Risk Addressed

Security events cannot be investigated or evidenced.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • OEM/customer cybersecurity approval and evidence interface
  • Secure update, flash, and IVD interface
  • Certificate and key provisioning interface
  • Development, ALM, and evidence tooling interface
  • Security operations and vulnerability reporting interface
  • Hardware platform and key storage interface

Architecture Elements Involved

  • Security Services
  • Backend/SecOps
  • Evidence Repository

Expected Mechanisms

  • Security event logging
  • Evidence retention
  • Audit trail
  • Traceability IDs

Explicit vs Inferred Status

Explicit Requirement

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0004; REQ_SEC_0005; REQ_SEC_0041; REQ_SEC_0051; REQ-AUTO-00172; REQ-AUTO-00176; REQ-AUTO-00218; REQ-AUTO-00253; REQ-AUTO-00256 (showing 10 of 50)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 12; converted/markdown-cleaned/3299216_1.md page 27; converted/markdown-cleaned/3299216_1.md page 36; converted/markdown-cleaned/3299216_1.md page 49; converted/markdown-cleaned/3299216_1.md page 50 (showing 8 of 36)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Security Capability: Security Monitoring and Detection

Purpose

Identify security-relevant anomalies or events that need response.

Threat / Risk Addressed

Attacks or control failures remain invisible.

Requirement Basis

Protected Assets

  • ECU software and firmware
  • Diagnostic access state
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • OEM/customer cybersecurity approval and evidence interface
  • Security operations and vulnerability reporting interface
  • Application software to security services interface

Architecture Elements Involved

  • Security Services
  • Backend/SecOps
  • Logging Path

Expected Mechanisms

  • Security event collection
  • Alert triage
  • Detection rules
  • Escalation path

Explicit vs Inferred Status

Inferred from Requirements

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0036; REQ_SEC_0037; REQ_SEC_0051; REQ-AUTO-00177; REQ-AUTO-00180; REQ-AUTO-00183; REQ-AUTO-00194; REQ-AUTO-00220; REQ-AUTO-00298; REQ-AUTO-00345 (showing 10 of 17)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 12; converted/markdown-cleaned/3299216_1.md page 27; converted/markdown-cleaned/3299216_1.md page 28; converted/markdown-cleaned/3299216_1.md page 31; converted/markdown-cleaned/3299216_1.md page 36; converted/markdown-cleaned/CVS123-2.md page 7; converted/markdown-cleaned/CVS123-2.md page 20 (showing 8 of 14)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Security Capability: Vulnerability and Incident Handling

Purpose

Assess, treat, communicate, and track vulnerabilities and incidents over releases.

Threat / Risk Addressed

Known vulnerabilities or incidents remain untreated.

Requirement Basis

Protected Assets

  • ECU software and firmware
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • OEM/customer cybersecurity approval and evidence interface
  • Secure update, flash, and IVD interface
  • Certificate and key provisioning interface
  • Development, ALM, and evidence tooling interface
  • Security operations and vulnerability reporting interface
  • Hardware platform and key storage interface

Architecture Elements Involved

  • Compliance Process
  • Security Operations
  • Engineering Toolchain

Expected Mechanisms

  • Vulnerability intake
  • Risk treatment
  • Incident workflow
  • Mitigation verification

Explicit vs Inferred Status

Explicit Requirement

Confidence Level

High

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

Security Capability: Development and Toolchain Security

Purpose

Protect the engineering environment and evidence chain that produce security-relevant artifacts.

Threat / Risk Addressed

Compromised tooling produces compromised products or false evidence.

Requirement Basis

Protected Assets

  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data

Interfaces Protected

  • OEM/customer cybersecurity approval and evidence interface
  • Secure update, flash, and IVD interface
  • Certificate and key provisioning interface
  • Development, ALM, and evidence tooling interface
  • Security operations and vulnerability reporting interface
  • Hardware platform and key storage interface

Architecture Elements Involved

  • Engineering Toolchain
  • ALM/CI
  • Evidence Repository

Expected Mechanisms

  • Access control
  • Artifact integrity
  • Review workflow
  • Build/test evidence

Explicit vs Inferred Status

Inferred from Requirements

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0041; REQ_SEC_0014; REQ_SEC_0044; REQ_SEC_0045; REQ_SEC_0046; REQ_SEC_0032; REQ_SEC_0037; REQ-AUTO-00092; REQ-AUTO-00093; REQ-AUTO-00094 (showing 10 of 80)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/3299216_1.md page 10; converted/markdown-cleaned/3299216_1.md page 11; converted/markdown-cleaned/3299216_1.md page 16; converted/markdown-cleaned/3299216_1.md page 25 (showing 8 of 49)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Security Capability: Backend/Cloud Security

Purpose

Protect offboard systems that influence update, evidence, monitoring, and operational security.

Threat / Risk Addressed

Offboard compromise affects products, updates, evidence, or operational data.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • Backend/cloud/IT operational interface

Architecture Elements Involved

  • Backend and IT Systems
  • External Interfaces
  • Security Operations

Expected Mechanisms

  • Mutual authentication
  • Network segregation
  • API authorization
  • Backend audit logging

Explicit vs Inferred Status

Inferred from Requirements

Confidence Level

Medium

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0001; REQ_SEC_0002; REQ_SEC_0003; REQ_SEC_0022; REQ-AUTO-00009; REQ_SEC_0023; REQ-AUTO-00011; REQ_SEC_0024; REQ_SEC_0004 (showing 10 of 748)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11 (showing 8 of 218)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Security Capability: Compliance and Evidence Management

Purpose

Demonstrate that requirements, controls, verification, validation, and residual risk remain traceable.

Threat / Risk Addressed

Customer cannot verify that security obligations are met.

Requirement Basis

Protected Assets

  • Vehicle function data
  • ECU software and firmware
  • Cryptographic keys and certificates
  • Diagnostic access state
  • Cybersecurity concept and evidence
  • Backend/update and security operations data
  • Hardware platform integrity

Interfaces Protected

  • OEM/customer cybersecurity approval and evidence interface
  • Secure update, flash, and IVD interface
  • Certificate and key provisioning interface
  • Development, ALM, and evidence tooling interface
  • Security operations and vulnerability reporting interface
  • Hardware platform and key storage interface

Architecture Elements Involved

  • Compliance Process
  • Engineering Toolchain
  • OEM/Customer Interface

Expected Mechanisms

  • Requirement traceability
  • Control mapping
  • V&V reports
  • Residual-risk approval records

Explicit vs Inferred Status

Explicit Requirement

Confidence Level

High

Open Decisions

  • Confirm concrete mechanisms, ownership, parameters, and verification evidence.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0001; REQ-AUTO-00005; REQ_SEC_0003; REQ_SEC_0024; REQ_SEC_0004; REQ_SEC_0007; REQ_SEC_0041; REQ_SEC_0009; REQ_SEC_0044 (showing 10 of 113)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/3299216_1.md page 5; converted/markdown-cleaned/3299216_1.md page 10; converted/markdown-cleaned/3299216_1.md page 11 (showing 8 of 68)
  • Confidence level: High
  • Classification: Explicit Requirement

Additional PDF Security Evidence

Trust Boundary Model

Trust Boundary: Electric Clutch Actuator ECU boundary

Classification: Inferred from Requirements

Separates the in-scope clutch-actuator ECU hardware and software from vehicle, service, backend, customer, and supplier environments.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0001; REQ_SEC_0002; REQ-AUTO-00006; REQ_SEC_0003; REQ_SEC_0022; REQ-AUTO-00009; REQ_SEC_0023; REQ-AUTO-00011; REQ_SEC_0024 (showing 10 of 406)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11 (showing 8 of 158)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Trust Boundary: Vehicle/network boundary

Classification: Inferred from Requirements

Separates the ECU/application from other ECUs and vehicle networks carrying SecOC/SDT or function data.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0002; REQ-AUTO-00004; REQ-AUTO-00005; REQ-AUTO-00006; REQ_SEC_0024; REQ_SEC_0040; REQ_SEC_0041; REQ_SEC_0042; REQ_SEC_0008; REQ-AUTO-00021 (showing 10 of 216)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 12 (showing 8 of 86)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Trust Boundary: Diagnostic access boundary

Classification: Explicit Requirement

Separates service tools and engineering testers from privileged ECU diagnostic functions.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0010; REQ_SEC_0011; req-6.20; REQ-AUTO-00282; REQ-AUTO-00284; REQ-AUTO-00290; REQ_UDS-0051; REQ_UDS-0051; REQ-AUTO-00298; REQ-AUTO-00299 (showing 10 of 339)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/3299216_1.md page 23; converted/markdown-cleaned/CVS123-2.md page 4; converted/markdown-cleaned/CVS123-2.md page 6; converted/markdown-cleaned/CVS123-2.md page 7; converted/markdown-cleaned/CVS123-2.md page 9; converted/markdown-cleaned/CVS123-2.md page 10; converted/markdown-cleaned/CVS123-2.md page 11 (showing 8 of 119)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Trust Boundary: Backend/cloud boundary

Classification: Inferred from Requirements

Separates offboard update, IT, evidence, monitoring, and supplier/OEM systems from product runtime.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0001; REQ_SEC_0002; REQ_SEC_0003; REQ_SEC_0022; REQ-AUTO-00009; REQ_SEC_0023; REQ-AUTO-00011; REQ_SEC_0024; REQ_SEC_0004 (showing 10 of 756)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11 (showing 8 of 219)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Trust Boundary: Development/tooling boundary

Classification: Explicit Requirement

Separates engineering tooling and evidence repositories from product artifacts and customer-facing evidence.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0004; REQ_SEC_0005; REQ_SEC_0041; REQ_SEC_0014; REQ_SEC_0037; REQ-AUTO-00092; REQ-AUTO-00093; REQ-AUTO-00094; REQ-AUTO-00095 (showing 10 of 52)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/3299216_1.md page 10; converted/markdown-cleaned/3299216_1.md page 11; converted/markdown-cleaned/3299216_1.md page 27 (showing 8 of 33)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Trust Boundary: Customer/OEM approval boundary

Classification: Explicit Requirement

Separates supplier-owned security engineering work products from OEM/customer approval and residual-risk acceptance.

Evidence Basis:

  • Requirement IDs: REQ_SEC_0001; REQ_SEC_0002; REQ-AUTO-00004; REQ-AUTO-00005; REQ-AUTO-00006; REQ_SEC_0003; REQ_SEC_0024; REQ_SEC_0004; REQ_SEC_0005; REQ_SEC_0040 (showing 10 of 122)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 12 (showing 8 of 55)
  • Confidence level: Medium
  • Classification: Explicit Requirement

Trust Boundary: Unknown assumed deployment boundary

Classification: Needs Customer Clarification

Marks deployment zones, ownership, and connectivity that cannot be confirmed from the extracted requirements alone.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00317; REQ-AUTO-00634
  • Source Markdown sections/pages: converted/markdown-cleaned/CVS123-2.md page 10; converted/markdown-cleaned/CVS124.md page 52
  • Confidence level: Medium
  • Classification: Needs Customer Clarification

Security Mechanisms

Security Mechanism Catalog

Mechanism | Purpose | Related capabilities | Classification | Evidence
Authentication; Authorization; Secure sessions; Role or certificate validation | Ensure only authorized tools, systems, users, and software actors can perform security-relevant actions. | Identity and Access Control | Explicit Requirement | REQ_SEC_0008; REQ_SEC_0015; REQ-AUTO-00175; REQ-AUTO-00290; REQ-AUTO-00333; REQ-AUTO-00334; REQ-AUTO-00376; REQ-AUTO-00496 (showing 8 of 149)
Encryption; Signatures/MACs; Integrity checks; Key isolation | Provide authenticity, integrity, confidentiality, and non-repudiation where required. | Cryptographic Protection | Inferred from Requirements | REQ_SEC_0008; REQ_SEC_0020; REQ_SEC_0016; REQ_SEC_0019; REQ-AUTO-00089; REQ-AUTO-00321; REQ-AUTO-00323; REQ-AUTO-00324 (showing 8 of 117)
SecOC/SDT-style protection; Freshness counters; Replay protection; Fail-closed discard rules | Protect vehicle, diagnostic, backend, and service data exchanges against tampering, spoofing, and replay. | Secure Communication | Inferred from Requirements | REQ_SEC_0011; REQ_SEC_0012; REQ_SEC_0013; REQ-AUTO-00066; REQ-AUTO-00099; REQ-AUTO-00139; REQ-AUTO-00141; req-6.3 (showing 8 of 128)
Secure boot; Platform integrity checks; Debug restrictions; Authentic software checks | Ensure only valid and authorized software executes on an ECU with an integrity-preserving platform. | Secure Boot and Platform Integrity | Inferred from Requirements | REQ-AUTO-00152; REQ-AUTO-00183; REQ-AUTO-00290; REQ-AUTO-00291; REQ-AUTO-00292; REQ-AUTO-00294; REQ-AUTO-00298; REQ-AUTO-00300 (showing 8 of 52)
Signed packages; IVD checks; Certificate validation; Update logging | Ensure update and flash content is authentic, intact, authorized, and traceable. | Secure Software Update | Inferred from Requirements | REQ-AUTO-00203; REQ-AUTO-00279; REQ-AUTO-00284; REQ-AUTO-00290; REQ_UDS-0051; REQ-AUTO-00297; REQ-AUTO-00298; REQ-AUTO-00302 (showing 8 of 81)
UDS authentication; Access control; Rate limiting; Diagnostic audit | Enable service access while preventing unauthorized diagnostic control. | Secure Diagnostics | Explicit Requirement | REQ_SEC_0010; REQ_SEC_0011; req-6.20; REQ-AUTO-00282; REQ-AUTO-00284; REQ-AUTO-00290; REQ_UDS-0051; REQ_UDS-0051 (showing 8 of 341)
PKI lifecycle; Trust-anchor management; Secure provisioning; Protected key storage | Maintain trustworthy cryptographic identities and secrets across lifecycle. | Key and Certificate Management | Explicit Requirement | REQ_SEC_0016; REQ_SEC_0019; REQ-AUTO-00335; REQ-AUTO-00340; REQ-AUTO-00445; REQ_UDS-0038; REQ_UDS-0068; REQ_UDS-0070 (showing 8 of 69)
Security event logging; Evidence retention; Audit trail; Traceability IDs | Record security-relevant activity for accountability, evidence, and investigation. | Logging and Audit | Explicit Requirement | REQ-AUTO-00001; REQ_SEC_0004; REQ_SEC_0005; REQ_SEC_0041; REQ_SEC_0051; REQ-AUTO-00172; REQ-AUTO-00176; REQ-AUTO-00218 (showing 8 of 50)
Security event collection; Alert triage; Detection rules; Escalation path | Identify security-relevant anomalies or events that need response. | Security Monitoring and Detection | Inferred from Requirements | REQ_SEC_0036; REQ_SEC_0037; REQ_SEC_0051; REQ-AUTO-00177; REQ-AUTO-00180; REQ-AUTO-00183; REQ-AUTO-00194; REQ-AUTO-00220 (showing 8 of 17)
Vulnerability intake; Risk treatment; Incident workflow; Mitigation verification | Assess, treat, communicate, and track vulnerabilities and incidents over releases. | Vulnerability and Incident Handling | Explicit Requirement | REQ_SEC_0002; REQ-AUTO-00006; REQ-AUTO-00009; REQ_SEC_0040; REQ_SEC_0044; REQ_SEC_0045; REQ_SEC_0046; REQ_SEC_0032 (showing 8 of 13)
Access control; Artifact integrity; Review workflow; Build/test evidence | Protect the engineering environment and evidence chain that produce security-relevant artifacts. | Development and Toolchain Security | Inferred from Requirements | REQ_SEC_0041; REQ_SEC_0014; REQ_SEC_0044; REQ_SEC_0045; REQ_SEC_0046; REQ_SEC_0032; REQ_SEC_0037; REQ-AUTO-00092 (showing 8 of 80)
Mutual authentication; Network segregation; API authorization; Backend audit logging | Protect offboard systems that influence update, evidence, monitoring, and operational security. | Backend/Cloud Security | Inferred from Requirements | REQ-AUTO-00001; REQ_SEC_0001; REQ_SEC_0002; REQ_SEC_0003; REQ_SEC_0022; REQ-AUTO-00009; REQ_SEC_0023; REQ-AUTO-00011 (showing 8 of 748)
Requirement traceability; Control mapping; V&V reports; Residual-risk approval records | Demonstrate that requirements, controls, verification, validation, and residual risk remain traceable. | Compliance and Evidence Management | Explicit Requirement | REQ-AUTO-00001; REQ_SEC_0001; REQ-AUTO-00005; REQ_SEC_0003; REQ_SEC_0024; REQ_SEC_0004; REQ_SEC_0007; REQ_SEC_0041 (showing 8 of 113)

TARA Input Candidates

These are candidates only, not final TARA results.

  • Candidate action for every requirement listed below: derive threat scenario candidates from source wording. Tag: Inferred
  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0001; REQ_SEC_0002; REQ_SEC_0003; REQ_SEC_0022; REQ-AUTO-00009; REQ_SEC_0023; REQ-AUTO-00011; REQ_SEC_0024; REQ_SEC_0004; REQ_SEC_0005; REQ_SEC_0042; REQ_SEC_0008; REQ_SEC_0009; REQ_SEC_0027; REQ_SEC_0016; REQ_SEC_0019; REQ_SEC_0015; REQ_SEC_0043; REQ_SEC_0030; REQ_SEC_0045; REQ-AUTO-00051; REQ_SEC_0051; req-6.20; REQ-AUTO-00169; REQ-AUTO-00282; REQ-AUTO-00290; REQ-AUTO-00298; REQ-AUTO-00299; REQ-AUTO-00310; REQ-AUTO-00315; REQ-AUTO-00318; REQ-AUTO-00333; REQ-AUTO-00334; REQ-AUTO-00335; REQ-AUTO-00350; REQ-AUTO-00370; REQ-AUTO-00372; REQ-AUTO-00377; REQ-AUTO-00411; REQ-AUTO-00412; REQ-AUTO-00413; REQ-AUTO-00442; REQ-AUTO-00450; REQ-AUTO-00455; REQ-AUTO-00496; REQ_UDS-0008; REQ_UDS-0040; REQ_UDS-0041; REQ_UDS-0042; REQ_UDS-0043; REQ_UDS-0045; REQ_UDS-0055; REQ_UDS-0063; REQ_UDS-0068; REQ_UDS-0070; REQ_UDS-0076; REQ_UDS-0344; REQ_UDS-0092; REQ_UDS-0107; REQ_UDS-0223; REQ_UDS-0224; REQ-AUTO-00788; REQ-AUTO-00808; REQ-AUTO-00818; REQ-AUTO-00821; REQ-AUTO-00832; REQ-AUTO-00839; REQ-AUTO-00843; REQ-AUTO-00875; REQ-AUTO-00892; REQ-AUTO-00895; REQ-AUTO-00907; REQ-AUTO-00933; REQ-AUTO-00934; REQ-AUTO-00935; REQ-AUTO-00937; REQ-AUTO-00938; REQ-AUTO-00939; REQ-AUTO-00940; REQ-AUTO-00942; REQ-AUTO-00943; REQ-AUTO-00944; REQ-AUTO-00947; REQ-AUTO-00950; REQ-AUTO-00951; REQ-AUTO-00953; REQ-AUTO-00955; REQ-AUTO-00956; REQ-AUTO-00957; REQ-AUTO-00960; REQ-AUTO-00967; REQ-AUTO-00991; REQ-AUTO-00992; REQ-AUTO-00994; REQ-AUTO-00995; REQ-AUTO-01014; REQ-AUTO-01017; REQ-AUTO-01022; REQ-AUTO-01023; REQ-AUTO-01024; REQ-AUTO-01028; REQ-AUTO-01035; REQ-AUTO-01041; REQ-AUTO-01042; REQ-AUTO-01043; REQ-AUTO-01058; REQ-AUTO-01068; REQ-AUTO-01069

Open Security Decisions

Security Open Decisions

  • Needs Customer Clarification: Confirm ownership and control allocation for Electric Clutch Actuator ECU boundary.
  • Needs Customer Clarification: Confirm ownership and control allocation for Vehicle/network boundary.
  • Needs Customer Clarification: Confirm ownership and control allocation for Diagnostic access boundary.
  • Needs Customer Clarification: Confirm ownership and control allocation for Backend/cloud boundary.
  • Needs Customer Clarification: Confirm ownership and control allocation for Development/tooling boundary.
  • Needs Customer Clarification: Confirm ownership and control allocation for Customer/OEM approval boundary.
  • Needs Customer Clarification: Confirm ownership and control allocation for Unknown assumed deployment boundary.
  • Inferred from Requirements: Confirm concrete mechanism and verification evidence for Cryptographic Protection.
  • Inferred from Requirements: Confirm concrete mechanism and verification evidence for Secure Communication.
  • Inferred from Requirements: Confirm concrete mechanism and verification evidence for Secure Boot and Platform Integrity.
  • Inferred from Requirements: Confirm concrete mechanism and verification evidence for Secure Software Update.
  • Inferred from Requirements: Confirm concrete mechanism and verification evidence for Security Monitoring and Detection.
  • Inferred from Requirements: Confirm concrete mechanism and verification evidence for Development and Toolchain Security.
  • Inferred from Requirements: Confirm concrete mechanism and verification evidence for Backend/Cloud Security.

Security Concept Overview Evidence

Security Architecture Map

Protected Asset Table

Asset | Threat Exposure | Protection Strategy | Evidence | Open Decision
Clutch control behaviour | Command spoofing, unsafe state or malformed data | Command validation, authenticated/fresh messages where allocated, diagnostic authorization | Confirmed function; security allocation inferred | Confirm protected signal set
ECU software and firmware | Tampered or wrong software installed | Signed update, IVD/integrity checks, secure boot/platform integrity | Strong update/flash evidence | Confirm signing chain and rollback
Keys, certificates and trust anchors | Credential theft or invalid trust decisions | Protected storage, certificate validation, lifecycle management | Strong key/certificate evidence | Confirm HSM and PKI owner
Diagnostic access state | Unauthorized privileged service access | UDS Auth 0x29, RBAC, lockout and audit | Strong diagnostic evidence | Confirm role model
Security evidence and decisions | Untrusted evidence or unapproved residual risk | Traceability, review workflow and decision logging | Strong process evidence | Confirm approval authority

Attack Surface Table

Attack Surface | Entry Point | Required Controls | Evidence | Status
Vehicle network | CAN / PWM command and status path | Message validation, authenticity/freshness where allocated, safe discard | CAN/PWM requirements and SecOC/SDT evidence | Requires confirmation
Diagnostic access | UDS tester and programming services | Authentication, authorization, lockout, rate limiting and audit | UDS/Auth 0x29 evidence | Requires confirmation
Software update / flash | Programming/update package path | Signature validation, IVD/integrity checks, rollback and logging | Flash/update evidence | Requires confirmation
PKI / provisioning | Key and certificate injection or renewal path | Protected storage, certificate validation, ownership and revocation controls | Key/certificate evidence | Requires confirmation
Supplier engineering evidence | ALM, CI/test and evidence repository | Access control, artifact integrity and audit trail | Cybersecurity concept/evidence requirements | Requires confirmation

Security Decision Table

Conclusion | Status | Evidence | Impact | Decision Needed
ECA ECU product identity and AMT platform context | Confirmed | 3299216_1.md function statements; system_identity.md | Stabilizes review-board naming | Confirm final product designation/variant
Cybersecurity concept and evidence package are in scope | Confirmed | Cybersecurity and process requirements | Makes this an architecture/security baseline, not a brochure | Confirm approval workflow
Secure diagnostics, update and key/certificate handling apply to the ECU | Inferred | UDS, flash/IVD and certificate/key requirements | Drives security services and trust-boundary design | Confirm exact allocation
SecOC/SDT-style protection is needed for selected data flows | Requires Confirmation | Secure communication requirements | Blocks final interface-security allocation | Customer must identify protected signals

Executive Security Conclusion

The Electric Clutch Actuator ECU must protect clutch-control behaviour, software and firmware, cryptographic keys/certificates, diagnostic access, vehicle data exchange and security evidence. Diagnostic role allocation, update-sequence ownership, key hierarchy, HSM capability, and SecOC/SDT signal scope still require OEM/supplier agreement.

Evidence Basis:

  • Requirement IDs: REQ-AUTO-00001; REQ_SEC_0001; REQ_SEC_0002; REQ-AUTO-00006; REQ_SEC_0003; REQ_SEC_0022; REQ-AUTO-00009; REQ_SEC_0023; REQ-AUTO-00011; REQ_SEC_0024 (showing 10 of 326)
  • Source Markdown sections/pages: converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 3; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 5; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 6; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 7; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 8; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 9; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 10; converted/markdown-cleaned/1001379436_P10_000_01_RDDM-1140152501-1744.md page 11 (showing 8 of 139)
  • Confidence level: Medium
  • Classification: Inferred from Requirements

Protected Assets

Main Attack Surfaces

  • Inferred from Requirements: Diagnostic access, vehicle network communication, secure update/flash path, certificate/key provisioning, backend/IT interfaces, development/evidence tooling, and customer evidence handoff.

Security Architecture Logic

  • Recommendation: Protect the highest-risk boundaries first - diagnostics, vehicle communication, update/flash, and key/certificate handling - using authenticated access, signed and integrity-verified software, message authenticity and freshness, and isolated key storage, with logging and traceable evidence feeding OEM approval. Preserve authenticity, integrity, freshness, software validity, diagnostic access control, and evidence integrity as the main security goals.
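The "message authenticity and freshness" goal above, and the "message validation, authenticity/freshness where allocated, safe discard" control in the Attack Surface Table, come down to one receiver-side check: rebuild the full freshness counter from the truncated bits on the wire, verify a truncated MAC over data identifier, payload and full counter, and drop the PDU without touching any state if either fails. The following is an added illustration of that logic, not code from this project or from any SecOC/SDT implementation. The key, the PDU identifier, the wire layout (payload, one truncated freshness byte, three MAC bytes) and the command frames are all constructed for the example, and HMAC-SHA256 stands in for the CMAC a real profile would use; the freshness reconstruction and replay handling are the part worth studying.

```python
"""SecOC/SDT-style authenticity and freshness check for a secured PDU.

Added illustration, not project code. Wire layout and key are constructed:
    payload | 1-byte truncated freshness value | 3-byte truncated MAC
The MAC primitive is HMAC-SHA256 standing in for the CMAC a real SecOC
profile would use; the freshness reconstruction and replay logic are the point.
"""
import hashlib
import hmac
import struct

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
PDU_ID = 0x0123                                           # constructed data identifier
FRESHNESS_BITS = 8    # low-order freshness bits sent on the wire
MAC_LEN = 3           # truncated MAC length in bytes


def compute_mac(key: bytes, pdu_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over DataId || payload || full freshness value, truncated to MAC_LEN."""
    msg = struct.pack(">H", pdu_id) + payload + struct.pack(">Q", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SecOCSender:
    """Holds the monotonic freshness counter and builds secured PDUs."""

    def __init__(self, key: bytes, pdu_id: int):
        self.key, self.pdu_id, self.freshness = key, pdu_id, 0

    def secure(self, payload: bytes) -> bytes:
        fv = self.freshness
        self.freshness += 1
        mac = compute_mac(self.key, self.pdu_id, payload, fv)
        return payload + bytes([fv & ((1 << FRESHNESS_BITS) - 1)]) + mac


class SecOCReceiver:
    """Reconstructs full freshness from the truncated bits, verifies the MAC,
    and rejects replays; a failed check changes no state (safe discard)."""

    def __init__(self, key: bytes, pdu_id: int):
        self.key, self.pdu_id = key, pdu_id
        self.last_accepted = -1  # nothing accepted yet

    def reconstruct_freshness(self, truncated: int) -> int:
        """Smallest full counter value greater than the last accepted one whose
        low FRESHNESS_BITS equal the received bits. A replayed (older) value
        therefore maps to a future counter and its MAC no longer verifies."""
        mask = (1 << FRESHNESS_BITS) - 1
        base = self.last_accepted + 1
        candidate = (base & ~mask) | truncated
        if candidate < base:
            candidate += 1 << FRESHNESS_BITS
        return candidate

    def verify(self, secured_pdu: bytes):
        """Return the authenticated payload, or None on any failure."""
        if len(secured_pdu) < 1 + 1 + MAC_LEN:
            return None                      # malformed: discard
        payload = secured_pdu[:-(1 + MAC_LEN)]
        truncated_fv = secured_pdu[-(1 + MAC_LEN)]
        rx_mac = secured_pdu[-MAC_LEN:]
        fv = self.reconstruct_freshness(truncated_fv)
        expected = compute_mac(self.key, self.pdu_id, payload, fv)
        if not hmac.compare_digest(expected, rx_mac):
            return None                      # authenticity or freshness failure: discard
        self.last_accepted = fv              # advance only after a successful check
        return payload


def demo() -> dict:
    """Exercise accept, replay, tamper, wrong key, lost frame and counter wrap."""
    tx = SecOCSender(KEY, PDU_ID)
    rx = SecOCReceiver(KEY, PDU_ID)
    frame1 = tx.secure(b"\x01\x00")          # constructed command frames
    frame2 = tx.secure(b"\x02\x00")
    out = {
        "first_accepted": rx.verify(frame1) == b"\x01\x00",
        "second_accepted": rx.verify(frame2) == b"\x02\x00",
        "replay_rejected": rx.verify(frame1) is None,
        "tamper_rejected": rx.verify(b"\xff" + frame2[1:]) is None,
        "wrong_key_rejected": rx.verify(
            SecOCSender(b"\x00" * 16, PDU_ID).secure(b"\x03\x00")) is None,
    }
    tx.secure(b"\x04\x00")                   # lost on the bus: never delivered
    out["gap_tolerated"] = rx.verify(tx.secure(b"\x05\x00")) == b"\x05\x00"
    # 300 more frames carry the full counter past the 8-bit wrap at 256
    out["wrap_handled"] = all(rx.verify(tx.secure(b"\x06\x00")) is not None
                              for _ in range(300))
    out["final_counter"] = rx.last_accepted
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the allocation decision still open with the customer: the receiver only advances its counter after a successful MAC check, so a forged or replayed frame can never move the freshness state, and the reconstruction step is what turns "freshness" into replay rejection, because an old truncated value is mapped to a counter value the sender never signed. The width of the truncated freshness value and MAC, and whether a synchronised time or a counter is used, are exactly the "protection profile and freshness model" items listed under Open Security Decisions.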

Open Security Decisions

  • Needs Customer Clarification: Final TARA, item definition, exact assets, algorithms, certificate hierarchy, diagnostic roles, backend responsibilities, and deployment topology.
  • Needs Customer Clarification: Allocation of secure-communication (SecOC/SDT) protection to specific signals, plus the protection profile and freshness model.
  • Needs Customer Clarification: Ownership split (supplier/OEM) for update sequence, key provisioning, monitoring, and incident response.

See the Security Capability Model, Asset Model, Trust Boundary Model, and Security Mechanism Catalog below for the detailed control evidence.