Questions & Answers
What are Cybersecurity Assurance Levels?
Cybersecurity Assurance Levels (CAL) are a core concept from the ISO/SAE 21434:2021 standard for automotive cybersecurity engineering. They represent a four-tiered classification (CAL1 to CAL4) used to specify the required rigor for cybersecurity activities applied to a vehicle component or function. The CAL is determined based on the risk value derived from a Threat Analysis and Risk Assessment (TARA). This risk value considers both the impact of a potential threat (on safety, finance, operations, and privacy) and the feasibility of the corresponding attack path. A higher risk value results in a higher CAL. Unlike a simple risk score, a CAL directly maps to a set of prescribed assurance activities for development, verification, and validation, ensuring that security efforts are proportional to the identified risks. This systematic approach is essential for complying with regulations like UNECE R155.
How are Cybersecurity Assurance Levels applied in enterprise risk management?
The application of CALs in enterprise risk management follows a structured process. First, a Threat Analysis and Risk Assessment (TARA) is conducted as per ISO/SAE 21434 Clause 15. This involves identifying assets, threat scenarios, and evaluating their impact and attack feasibility to calculate a risk value. Second, the calculated risk value is mapped to a specific CAL (1 through 4) based on predefined organizational rules. High-risk items receive a high CAL, while risks below a certain threshold may not require a CAL. Finally, the assigned CAL is used to tailor subsequent development activities. For instance, a component with CAL4 demands more rigorous architectural analysis, code reviews, and penetration testing than a CAL1 component. This risk-based approach optimizes resource allocation, enhances security posture, and ensures compliance with UNECE R155, directly impacting type approval success rates and reducing post-production vulnerabilities.
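The three steps above (TARA risk value, mapping the value to a CAL, tailoring activities by CAL) are easier to reason about when written out as code. The block below is an added illustration, not the page's or the standard's material: the risk matrix numbers, the risk-to-CAL rule, the per-CAL activity lists, the choice of "worst of the four impact categories" as the overall impact, and the sample threat scenarios are all assumptions constructed for this example. An organization's actual rules come from its own ISO/SAE 21434 process, and the matrix here only preserves the pattern the text states (higher impact and higher feasibility give a higher risk value and therefore a higher CAL).

```python
"""Illustrative TARA-to-CAL mapping. Added example; the matrix, thresholds,
activity lists and scenarios are constructed assumptions, not ISO/SAE 21434 tables."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Impact(IntEnum):
    """Impact rating of a damage scenario, ordered from lowest to highest."""
    NEGLIGIBLE = 0
    MODERATE = 1
    MAJOR = 2
    SEVERE = 3


class Feasibility(IntEnum):
    """Attack feasibility rating of an attack path, ordered from lowest to highest."""
    VERY_LOW = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed risk matrix: rows = Impact, columns = Feasibility, cell = risk value 1..5.
# Only the monotone shape (more impact / more feasibility -> more risk) comes from the text.
RISK_MATRIX = [
    [1, 1, 1, 1],  # NEGLIGIBLE
    [1, 2, 2, 3],  # MODERATE
    [1, 2, 3, 4],  # MAJOR
    [2, 3, 4, 5],  # SEVERE
]

# Assumed organizational rule: risk value 1 is below the threshold and gets no CAL,
# risk values 2..5 map to CAL1..CAL4.
CAL_BY_RISK = {1: None, 2: 1, 3: 2, 4: 3, 5: 4}

# Assumed tailoring of assurance activities per CAL (rigor grows with the level).
ACTIVITIES_BY_CAL = {
    1: ("design review", "functional security testing"),
    2: ("design review", "functional security testing", "vulnerability scanning"),
    3: ("architectural analysis", "code review", "vulnerability scanning", "fuzz testing"),
    4: ("architectural analysis", "code review", "vulnerability scanning",
        "fuzz testing", "penetration testing"),
}


@dataclass(frozen=True)
class ThreatScenario:
    """One TARA threat scenario with its four impact categories and attack feasibility."""
    name: str
    safety: Impact
    financial: Impact
    operational: Impact
    privacy: Impact
    feasibility: Feasibility

    def overall_impact(self) -> Impact:
        # Assumption for this example: the overall impact is the worst of the four categories.
        return max(self.safety, self.financial, self.operational, self.privacy)


@dataclass(frozen=True)
class Assessment:
    scenario: str
    risk: int
    cal: Optional[int]          # None means "below threshold, no CAL required"
    activities: Tuple[str, ...]


def risk_value(impact: Impact, feasibility: Feasibility) -> int:
    """Step 1: look up the risk value for an impact/feasibility pair."""
    return RISK_MATRIX[impact][feasibility]


def assign_cal(risk: int) -> Optional[int]:
    """Step 2: map a risk value to a CAL using the organizational rule above."""
    if risk not in CAL_BY_RISK:
        raise ValueError(f"risk value out of range: {risk}")
    return CAL_BY_RISK[risk]


def assess(scenario: ThreatScenario) -> Assessment:
    """Steps 1-3 for one scenario: risk value, CAL, and the activities that CAL requires."""
    risk = risk_value(scenario.overall_impact(), scenario.feasibility)
    cal = assign_cal(risk)
    activities = ACTIVITIES_BY_CAL[cal] if cal is not None else ()
    return Assessment(scenario.name, risk, cal, activities)


# Constructed sample scenarios; the ratings are invented for illustration only.
SAMPLE_SCENARIOS = [
    ThreatScenario("brake ECU: unauthorized actuation command",
                   Impact.SEVERE, Impact.MAJOR, Impact.MAJOR, Impact.NEGLIGIBLE, Feasibility.MEDIUM),
    ThreatScenario("infotainment: disclosure of synced contacts",
                   Impact.NEGLIGIBLE, Impact.NEGLIGIBLE, Impact.NEGLIGIBLE, Impact.MODERATE, Feasibility.HIGH),
    ThreatScenario("diagnostic interface: firmware rollback",
                   Impact.MAJOR, Impact.MODERATE, Impact.MAJOR, Impact.NEGLIGIBLE, Feasibility.LOW),
    ThreatScenario("telematics: disclosure of public version string",
                   Impact.NEGLIGIBLE, Impact.NEGLIGIBLE, Impact.NEGLIGIBLE, Impact.NEGLIGIBLE, Feasibility.HIGH),
]


def assess_all(scenarios: List[ThreatScenario] = SAMPLE_SCENARIOS) -> List[Assessment]:
    return [assess(s) for s in scenarios]


if __name__ == "__main__":
    for a in assess_all():
        level = f"CAL{a.cal}" if a.cal is not None else "no CAL required"
        print(f"{a.scenario}: risk={a.risk}, {level}, activities={a.activities}")
```

Running the block lists each constructed scenario with its risk value, its CAL (or "no CAL required" for the below-threshold case) and the activity set that CAL pulls in, which is the tailoring step the text describes; swapping in an organization's real matrix and rule is a matter of replacing the two tables at the top.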
What challenges do Taiwanese enterprises face when implementing Cybersecurity Assurance Levels?
Taiwanese enterprises, primarily component suppliers, face several challenges. First, complex supply chain integration is a major hurdle: different OEMs may interpret CALs differently, forcing suppliers to manage multiple compliance frameworks at once. Second, TARA expertise is in short supply, since professionals who combine automotive engineering and cybersecurity skills are scarce, and this leads to inconsistent risk assessment quality. Third, insufficient testing resources for high-CAL components are common, because building in-house capabilities for advanced testing is costly. To overcome these challenges, enterprises should establish standardized Cybersecurity Interface Agreements (CIAs), invest in professional training or external consulting, and leverage third-party labs to meet validation requirements cost-effectively. A priority should be to conduct a TARA on high-risk product lines within 6 months.
Why choose Winners Consulting for Cybersecurity Assurance Levels?
Winners Consulting specializes in Cybersecurity Assurance Levels for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact