Not all discussions are / have been minuted but this is a page that is available to keep some public notes.


Minutes August 22, 2019

MoRA tooling

  • Dirk asks for a new recurring invitation and earlier warning for meetings.
    → Yes, the new invitation series should come starting from next meeting.
  • Offer to license temporarily for GENIVI team
  • If we start analyzing it would be possible to share the results
    • Idea: to share the threat catalog
  • Gunnar: How is it shared in practice?
  • Dirk: Can be stored in version control, such as git.
  • Steve: Could we apply this to for example a communication protocol like SOME/IP?
  • Dirk: It would be mapped onto the item types that the tool uses:  Components, Connections, Dataflows and Functions
  • Dirk:  Is there a reference architecture we could analyze?
  • Gunnar: We have the infotainment-focused compliance specification, but we're more interested in the newer projects.  The Vehicle Data reference architecture for vehicle data
  • Dirk: We are open to any proposals from members
  • Mike: Are there possibilities to rate your system at the end, get a "scoring" of the security level?
  • Dirk: A group like GENIVI could agree on some common standards and baselines.  But the acceptable security/risk/etc depend a lot on projects, industry, company risk exposure, etc.
  • Dirk: ...But theoretically a "GENIVI reference framework" would be possible.
  • Gunnar: I want to point out that it needs to start by looking at what already exists, and focus on filling the gaps.

If companies help us define the problem, then the incentive for them is that their technology may be part of the solutions.

  • Dirk: 21434 will require documentation to prove that security analysis has been done.  It would be better to have documentation coming out of tool support.

Opportunities for collaborators:

  • Learn how to do security analysis (using MoRA methodology as the working method during this learning opportunity)
  • Sharing of experience on how to actually implement the requirements of 21434
  • Collaboratively develop a shared "reference" security evaluation framework.
    • Note: the Safety evaluation frameworks should give some guidance about good processes here

Ideas for new topics / subprojects:

  • Analysis and testing
  • Surveys
  • Whitepapers, MRDs
  • Security contributions into current GENIVI projects

Other advantages of participating:

  • We have a lot of opportunity to give participating members information and unique opportunities regarding events, speaking opportunities, etc.

Marketing is, of course, supporting all of these activities.

Mike:  I'd like to see a shared description of this analysis tooling and what we are aiming for in the reference evaluation framework.


