Managing Security Evidence in Safety-Critical Organizations
Mazen Mohamad, Jan-Philipp Steghöfer, Eric Knauss, Riccardo Scandariato

TL;DR
This paper investigates how safety-critical organizations manage security evidence amidst increasing cybersecurity requirements, revealing current shortcomings and the need for improved processes and education.
Contribution
It provides qualitative insights into the maturity of security evidence management in safety-critical industries and highlights gaps in processes and education.
Findings
Current maturity levels are insufficient for certification demands
Organizations struggle to identify relevant security artifacts
Educational gaps and lack of processes hinder evidence management
Abstract
With the increasing prevalence of open and connected products, cybersecurity has become a serious issue in safety-critical domains such as the automotive industry. As a result, regulatory bodies have become more stringent in their requirements for cybersecurity, necessitating security assurance for products developed in these domains. In response, companies have implemented new or modified processes to incorporate security into their product development lifecycle, resulting in a large amount of evidence being created to support claims about the achievement of a certain level of security. However, managing evidence is not a trivial task, particularly for complex products and systems. This paper presents a qualitative interview study conducted in six companies on the maturity of managing security evidence in safety-critical organizations. We find that the current maturity of managing…
Taxonomy
Topics: Information and Cyber Security · Cybercrime and Law Enforcement Studies
