SAE J3061: Definition, Compliance, Tools, and Certifications
What is SAE J3061?
SAE J3061, released in March 2017, is the first cybersecurity guidebook for cyber-physical vehicle systems. The SAE’s Vehicle Cybersecurity Systems Engineering Committee developed and maintains this best practice to provide guidelines for reducing cybersecurity risks. SAE International is a global standards development organization and professional association of engineers and technical experts in the aerospace, automotive, and commercial vehicle industries.
The SAE J3061 process framework for cybersecurity in cyber-physical vehicle systems is a standard. It gives high-level advice and information on best practices tools and methods for cybersecurity, which can be applied to existing development procedures in a business. It builds on previous work in the area of security engineering and secure system development techniques, as well as ISO 26262, the automotive system functional safety standard.
In reality, the security lifecycle described in J3061 is strongly guided by ISO 26262’s safety lifecycle. J3061 deﬁnes interaction points between the security and safety processes to ensure that they run parallel. It’s a specific information security standard designed for the automotive safety process in some respects. The system life cycle is divided into the concept phase, product development (including system, hardware, and software), manufacturing, operation, and maintenance throughout J3061. It also recommends supporting activities such as requirement management.
The appendices provide additional information to be aware of and may be used in helping improve the Cybersecurity of feature designs. Much of the information identified in the appendices is available but some experts may not be aware of all of the available information. Therefore, the appendices provide an overview of some of this information to provide further guidance on building Cybersecurity into cyber-physical vehicle systems. The objective of the overviews is to encourage research to help improve designs and identify methods and tools for applying a company’s internal Cybersecurity process.
Appendices A-C – Describe some techniques for Threat Analysis and Risk Assessment, Threat Modeling, and Vulnerability Analysis (e.g., Attack Trees) and when to use them.
Appendices D-I – Provide awareness of information that is available to the Vehicle Industry.
Appendix D – Provides an overview of sample Cybersecurity and privacy controls derived from NIST SP 800-53 that may be considered in the design phases.
Appendix E – Provides references to some available vulnerability databases and vulnerability classification schemes.
Appendix F – Describes vehicle-level considerations, including some good design practices for electrical architecture.
Appendix G – Lists current Cybersecurity standards and guidelines of potential interest to the vehicle industry.
Appendix H – Provides an overview of vehicle Cybersecurity-related research projects starting from 2004.
Appendix I – Describes some existing security test tools of potential interest to the vehicle industry.
What are the benefits of SAE J3061?
The SAE J3061 standard provides a framework for managing cybersecurity risks throughout the product lifecycle. This includes specifying requirements for design, development, production, and operation phases. In addition, the standard defines processes and tools that can be used to assess compliance. The standard is also designed to be compatible with other SAE standards, such as SAE J3034, which provides guidance on data security for automotive networks.
The SAE J3061 standard offers a number of benefits for companies developing cyber-physical vehicle systems:
- It provides a comprehensive and systematic approach to managing cybersecurity risks
- It is based on existing standards and best practices in the field of security engineering
- It is compatible with other SAE standards, such as SAE J3034
- It defines processes and tools that can be used to assess compliance with the standard.
Relationship between SAE J3061 and ISO 26262:
SAE J3061 is based on the ISO 26262 standard and includes specific requirements for automotive systems. SAE International released SAE J3061 in order to provide guidance specifically for vehicles with cyber-physical systems.
SAE J3061 is complementary to ISO 26262 in that it provides guidance on best development practices from a cybersecurity standpoint (threats), as well as ISO 26262’s best development methods to avoid functional danger (hazards). SAE J3061 also requires a similar sound development approach and follows the same phases of growth as ISO 26262.
In practice, when J3061 is used in a development team that is already adhering to ISO 26262, the procedures are such that they may be integrated at each stage of the product lifecycle – with the exception that only one test team is utilized for both safety and cybersecurity activities in even the most rudimentary projects. While neither document commands their use, their usage is nearly essential in all but the simplest endeavors. However, while the documents complement each other, they were developed independently and as such there are some notable differences.
What are the SAE J3061 compliance tools?
The SAE J3061 standard provides a framework for managing cybersecurity risks throughout the product lifecycle. This includes specifying requirements for design, development, production, and operation phases. In addition, the standard defines processes and tools that can be used to assess compliance. Some of these compliance tools are:
- SAE’s Cybersecurity Assurance Program (CAP) – CAP is a voluntary program that assesses how well a company’s cybersecurity processes meet SAE J3061.
- SAE’s Global Cybersecurity Management System (GCMS) – GCMS is a software platform that helps companies manage their cybersecurity risks and compliance with SAE J3061.
- SAE’s Automotive Cybersecurity Health Index (ACHI) – ACHI is a tool that helps companies measure and improves their automotive cybersecurity posture.
- SAE’s Automotive Information Sharing and Analysis Center (Auto-ISAC) – Auto-ISAC is an information sharing and analysis center for the automotive industry.
What are SAE J3061 certifications?
SAE J3061 does not currently have any certification programs. However, SAE International offers other certification programs that may be relevant to users of the standard, such as:
- SAE’s Cybersecurity Expert (CYSE) program
- SAE’s Certified Automotive Cybersecurity Professional (CACP) program
The CYSE program is a global certification program that assesses an individual’s knowledge of SAE J3061. The CACP program is a professional certification program that recognizes individuals who have demonstrated proficiency in automotive cybersecurity.
Both the CYSE and CACP programs are administered by SAE International.
What are the compliance requirements?
The SAE J3061 standard defines four levels of compliance, which range from “minimal” to “aspirational.” Depending on the level of risk a system poses, different cybersecurity measures must be put into place. For example, Level 0 (minimal) requires only that safety-critical systems be isolated from non-safety critical networks. In contrast, Level III (aspirational) requires comprehensive cybersecurity throughout the product development lifecycle as well as continuous monitoring and improvement.
Application of J3061:
The SAE J3061 standard can be applied to any system that uses, processes, or stores data. This includes systems that are connected to the internet as well as those that are not. SAE J3061 can also be applied to both new and existing systems.
When applying the standard, it is important to consider the specific needs of your organization and tailor the application of the standard accordingly. J3061 is not a one-size-fits-all solution and should be customized to meet the unique needs of your organization.
SAE International offers a variety of resources to help organizations understand and apply SAE J3061, including training courses, webinars, and white papers. In addition, SAE International offers certification programs that assess an individual’s knowledge of SAE J3061.
Organizations that are looking to implement SAE J3061 should first consider the resources offered by SAE International. These resources can help organizations understand and apply the standard in a way that is tailored to their specific needs. In addition, SAE International’s certification programs can provide individuals with the skills and knowledge necessary to effectively apply SAE J3061 in their organization.
SAE J3061 is a specification that defines how requirements management should be done in order to achieve safety-related goals. The benefits of using the standard are improved quality and safety of the product, as well as reduced time and effort needed for development. The relationship between SAE J3061 and ISO 26262 is such the former can be seen as a subset of the latter. The application of SAE J3061 varies depending on the industry, but it is widely used in the automotive industry. Request a free 30-day trial at Visure Requirements ALM Platform to see how this standard can help your organization improve product quality and safety.