Safety Integrity vs Cybersecurity Assurance Levels

Security and safety levels are needed due to two reasons: they are not binary attributes, where a system can be either safe or unsafe, or secure and un-secure, and also due to increased product complexity and costs associated with it, which requires different degrees of engineering effort.

From cross-industry SILs (Safety Integrity Levels) to Automotive SILs (ASILs), through military DALs (Development Assurance Levels), the integrity/assurance levels reflect different degrees of scrutiny to be applied during all development phases and are meant as a tool, as a convention, to refer to the same minimum set of engineering practices among different stakeholders, within same industry

In functional safety, they can be relatively easy bound to a risk, however cybersecurity risk is harder to estimate, since is more un-predictable. In order to address this issue, newly published ISO 21434 provides recommendations on a classification scheme, similar to ASILs, based on “Cybersecurity Assurance Levels”.

Methods are recommended along the same lines as in ISO 26262, without addressing post-production phases or referring to any specific technical security recommendations or different types of security strengths.