Cyber Security

Today’s vehicles are equipped with complex electronic and software components, not just mechanical systems. This transformation has made cyber security critically important in the automotive industry.

At Optival, we help you ensure the security of your vehicles throughout their lifecycle by offering cyber security solutions that comply with the ISO/SAE 21434 and UNECE R155 standards.

Our service portfolio includes cyber security management system (CSMS) installation, threat analysis and risk assessment (TARA), security architecture design, penetration and fuzz tests, security verification of systems such as V2X, CAN and OTA, and corporate training.

We perform in-depth testing in key focus areas such as security of on- and off-vehicle connections, data confidentiality and robustness of update mechanisms. Our consultancy and technical testing services are of strategic value not only for OEMs but also for suppliers in type approval processes (CoC/COP) and R155 compliance assessments.

Our teams of experts in Turkey and Germany develop customized solutions for your projects, empowering you both technically and in terms of legal compliance.


GAP Analysis and Cyber Security Management System (CSMS) Installation

The GAP analysis service we offer as Optival compares your organization’s current cyber security practices with ISO/SAE 21434 and UNECE R155 requirements and systematically reveals areas that are missing or need improvement.

Thanks to this analysis:

  • The extent to which your current organizational structure is compliant with the regulations is determined,
  • Weak links in process, documentation and technical implementation are clarified,
  • A strategic roadmap is created to reach the targeted level of compliance.

After the GAP analysis, a CSMS infrastructure tailored specifically to your organization is created based on the findings. In this process:

  • Management policies and responsibility matrix are created,
  • TARA (Threat Analysis and Risk Assessment) process is integrated,
  • Traceability of cyber security work products is ensured,
  • Processes are documented in a manner consistent with ISO/SAE 21434,
  • Internal audit, corrective action and continuous improvement mechanisms are established.

Why is it Important?

CSMS is not just a set of documents; it is a culture of security that ensures your organization is systematically prepared for cyber threats throughout the vehicle lifecycle. Successful establishment of this system is a prerequisite for obtaining R155 type approval and offers a strong competitive advantage in cooperation with OEMs.

Threat Analysis (TARA) Application and Creation of Cyber Security Concept

The electronic control units (ECUs), wireless communication protocols and software systems in modern vehicles are vulnerable to increasingly sophisticated threats. Therefore, recognizing cyber threats early in the vehicle development process and bringing risks under control is fundamental to both security and regulatory compliance.

At Optival, with the TARA applications we carry out in accordance with the ISO/SAE 21434 standard, we determine how vulnerable the system components are to potential threats. In this process:

  • System assets and valuable resources (assets) are identified,
  • Potential attack paths are modeled,
  • Risk score is calculated through damage scenarios and probability analysis,
  • Based on the results, cybersecurity goals are created and prioritized.

TARA outputs are used to create work products that are the cornerstone of cyber security engineering and are structured to be consistent with UNECE R155 Annex 5.

Solutions developed to mitigate identified security risks are integrated into the system architecture as a cybersecurity concept. In this context:

  • Technical controls and countermeasures for security objectives are defined,
  • Solutions are developed in areas such as communication security, data integrity, access control and software update mechanisms,
  • Security requirements are traceable throughout the design process.

This process forms the basis for sustainable cybersecurity throughout the entire product lifecycle.

Determination and Implementation of Testing and Validation Strategy

The success of cyber security measures is demonstrated not only by policies defined at a theoretical level, but also by testing the effectiveness of these measures in the field. Optival makes vehicle cybersecurity measurable by ensuring both the development of a testing strategy and the professional implementation of that strategy, in accordance with the requirements of ISO/SAE 21434 and UNECE R155.

Identifying the Strategy

The first step of the testing process is to create verification plans in accordance with the security requirements and system architecture. In this context:

  • Appropriate test methods are matched to each security objective,
  • Attack surfaces for critical system components are identified (CAN, TCU, OTA, Bluetooth, Wi-Fi, etc.),
  • Test scope, methodology and success criteria are defined,
  • When necessary, test repetitions are optimized with automation infrastructures.

Implementation of the Application

Depending on the strategy, Optival experts perform comprehensive test applications in the field or in a laboratory environment:

  • Functional Testing: Tests whether the defined security requirements are functionally working correctly on the system.
  • Fuzz Testing: Measures the fault tolerance of software by applying unexpected data inputs to interfaces and protocols.
  • Penetration Tests: The vulnerabilities of the system are detected by imitating real attack techniques.
  • OTA and Wireless Security Tests: Software updates, Bluetooth and LTE connections are tested for encryption, authentication and access control.

Evidence of Safety Performance

Documenting tests is the most powerful way to gain the trust of your customers and prove your technical competence in R155 type approval processes. Optival’s testing expertise not only identifies problems, but also provides remedial recommendations for sustainable cybersecurity.

Supplier Management

In the automotive sector, the cybersecurity obligations of vehicle manufacturers are not limited to their own systems. UNECE R155 mandates a security approach that covers the entire supply chain and expects manufacturers to establish structures that can audit the processes of their suppliers. At this point, supplier management becomes a strategic responsibility for cybersecurity compliance.

Optival’s supplier management service helps OEMs and primary suppliers align their technical and process relationships with their sub-suppliers in accordance with ISO/SAE 21434 and UNECE R155. In this context:

  • Compliance requirements are set for suppliers and minimum safety criteria are defined,
  • Work products (security goals, TARA outputs, V&V records) are checked for accuracy and consistency,
  • Supplier risk level is analyzed and prioritized,
  • Audit plans and evaluation criteria are prepared,
  • CIA (cybersecurity interface agreement) process is carried out.

Supplier Audit and Training Support

Optival not only evaluates technical documentation, but also conducts internal audits, training and awareness activities for suppliers. This way:

  • Suppliers’ cyber security competence is increased,
  • An integrated contribution is made to the OEM’s safety objectives,
  • Unexpected incompatibilities in type approval processes are prevented.

Benefit and Impact

  • Vendor security vulnerabilities are minimized,
  • Regulatory compliance is ensured throughout the chain,
  • Suppliers’ technical competence and liability awareness are increased.

Optival sees supplier management not only as a control mechanism but as part of a long-term safety culture.

The UNECE R155 regulation and the ISO/SAE 21434 standard require not only that automotive products are technically safe, but also that this safety is managed in a documented, auditable and sustainable manner. Optival provides comprehensive audit, certification and type approval consultancy services for vehicle manufacturers and suppliers in this framework.

Internal and External Audit Support

  • In-house pre-assessment audits are conducted to analyze the level of regulatory compliance,
  • CSMS processes are audited according to UNECE R155 and ISO/SAE 21434 criteria,
  • Internal audit procedures are established in processes extending to the supplier chain,
  • Corrective and preventive action plans are developed for nonconformities and deficiencies.

Certification Process Consultancy

  • The preparation of CSMS compliance reports (audit reports) as defined in ISO/SAE 21434 is supported,
  • Work products based on ISO/SAE 21434 are technically reviewed for submission to independent assessors,
  • Technical guidance is provided in audits to be conducted with third party certification bodies.

Type Approval Process Management

Optival provides type approval services at vehicle level as an appointed technical service under UNECE R155. Within this scope:

  • The CSMS audit (cybersecurity audit) and CSMS CoC (certificate of compliance) certification processes are carried out,
  • Type approval processes are carried out by applying cybersecurity assessment at vehicle level,
  • CSMS audits that must be performed every 3 years are managed,
  • In case of design changes, the effect on type approval is evaluated and the necessary update work is carried out.

Why Optival?

Optival’s experienced team is always with you in your projects. Meet a team that combines cyber security consultancy with homologation experience, a full range of project management experience at both OEM and supplier level, and cyber security technical infrastructure.

  • Homologation Experience
  • Project Management Experience
  • Experienced team