The Cyber Security Assurance Level (CAL) is a scheme in accordance with ISO/SAE 21434 that is used to assess risks in connection with threats. Within the Cyber Security Management System according to ISO/SAE 21434, the CAL occupies a prominent position and covers the entire process. Let’s now take a closer look at the Cyber Security Assurance Level and its role.
How is the Cyber Security Assurance Level (CAL) defined?
ISO/SAE 21434 defines the cyber security assurance level as follows:
| Risk | Cyber Security Assurance Level |
|---|---|
| Low (1) | CAL1 |
| Middle (2) | CAL2 |
| High (3) | CAL3 |
| Very High (4) | CAL4 |
The Cyber Security Assurance Level (CAL) is essentially an assignment of risks to the corresponding CAL levels. In the further course of the Cyber Security Management System (CSMS), the CAL is reused in all activities that are relevant to cyber security. It is used to identify relevant components throughout the entire process. The CAL corresponds in some ways to the ASIL (Automotive Safety Integrity Level) from ISO 26262, with the difference being that the CAL relates to cyber security rather than safety.
At what point in time is the CAL determined?
During the analysis of asset analysis and the threat analysis and risk assessment (TARA), damage scenarios, attack paths, threats and the associated initial risks are identified. The Cyber Security Assurance Level (CAL) is used here. The initial risk is assigned to the corresponding CAL in accordance with the assignment defined in the table above. Each risk requires the implementation of appropriate mitigation measures and the CAL supports the traceability of these measures from specification through to verification and validation.
How does the CAL affect the software development life cycle?
As already mentioned, the Cyber Security Assurance Level (CAL) serves to ensure the traceability of the respective measures. The requirements resulting from these measures must first be specified at system level in the Cyber Security Concept. In order to identify the cyber security requirements, an assignment to the corresponding CALs is required. As soon as the software and hardware domains derive their requirements from the Cyber Security Concept, the appropriate CAL is passed on to ensure that the requirements are assigned to the correct CAL. This is crucial, as the test measures depend on it.
How does the CAL affect verification and validation?
After the specification phase, each requirement is assigned a CAL. The appropriate verification and validation measures are defined on the basis of the CAL. ISO/SAE 21434 gives the following example:
| Method | CAL1 | CAL2 | CAL3 | CAL4 |
|---|---|---|---|---|
| Static Code Analysis | T1 | T1 | T2 | T2 |
| Functional Testing | T1 | T1 | T2 | T2 |
| Vulnerability Scanning | T1 | T1 | T1 | T1 |
| Fuzz Testing | – | T1 | T2 | T2 |
| Penetration Testing | – | – | T1 | T2 |
T1 includes tests with shortened test duration or in shortened test scenarios, while T2 includes tests with extended test duration or in extended test scenarios. In other words, T1 could be described as basic tests and T2 as extended tests.
Conclusion
The Cyber Security Assurance Level (CAL) in accordance with ISO/SAE 21434 assesses risks in relation to threats and plays a central role within the Cyber Security Management System. Defined in CAL levels (1 to 4), the CAL is determined during the asset and threat analysis and risk assessment. It is used to identify and assign risks to the corresponding levels. The CAL influences the entire software development life cycle, from specification and derivation of requirements to verification and validation. The allocation of the CAL also influences the selection of verification and validation methods, whereby lower CALs are associated with shorter test times (T1) and higher CALs with longer test times (T2).
