Experiences with the automotive SPICE for cybersecurity assessment model and tools

In August 2021 the ISO 21434:2021 standard for Road vehicles—Cybersecurity Engineering has been published. At the same time the blue book from VDA (Verein der Deutschen Automobilgesellschaft; German Automotive Association) for Automotive SPICE cybersecurity assessments has been released. In addition in the period September–December 2021 the training material for iNTACS (INTernational Assessor Certification Schema) certified Automotive SPICE for cybersecurity assessors has been developed. Since February 2022 the upgrade training of assessors worldwide has started. Beside the ASPICE (Automotive SPICE) for cybersecurity blue book also a red book from VDA has been published. The red book describes the questions to check in an ACSMS (Automotive CyberSecurity Management System) audit. This paper explains the main strategy and content for ASPICE for Cybersecurity assessments and how such assessments are integrated to the overall ACSMS strategy. Also, the paper outlines an example method and tool used in ASPICE for cybersecurity assessments and how such assessment results will look like.