ISO/SAE 21434: A Joint Solution to the Automotive Cybersecurity Challenge
October 06, 2021
In March of this year, a signal was sent to a Range Rover from inside its owner’s home. The signal remotely started the parked vehicle, then two thieves entered the car and drove it away.
If that’s possible, what else can hackers do to vehicles, either parked or in motion?
Automotive cyberattacks are on the rise, with attackers finding ways to gain access to connected car subsystems through keyless entry systems, on-board apps, and other back doors. And while safety-critical automotive systems are often the target – not the entry point – of these attacks, they must be designed as if hackers are trying to compromise them directly.
Of course, building subsystems that are both safe and secure is easier said than done, especially as the software in modern cars balloons to well over 100 million lines of code and vehicle components become more interconnected with other internal processes and the outside world. The time and cost associated with securing these designs from cyber threats is usually prohibitive, especially without industry or regulatory consensus around a common security architecture.
Which is why the International Standards Organization (ISO) and Society of Automotive Engineers (SAE) created one: ISO/SAE 21434.
Introducing an Integrated Automotive Safety & Security Standard
ISO/SAE 21434 is an automotive cybersecurity standard that integrates high-quality safety and security measures throughout the entire automotive product lifecycle to ensure road vehicles have been designed, manufactured, and deployed with integrity. The standard maps to the “Systems Engineering V Model” (Figure 1).
Figure 1. The ISO/SAE 21434 standard maps safety and security requirements into the traditional systems engineering V model to minimize the effort associated with designing safe and secure automotive systems. (Source: Research Gate)
The finalized ISO/SAE 21434 standard spans internal and external vehicle software, connectivity, and networking operations. It addresses all these components by focusing on two main security concepts:
- Threat Analysis and Risk Assessment (TARA): TARA focuses on possible threat scenarios that can occur on various systems within a vehicle. It evaluates the extent to which threats can impact the driver and other aspects of the vehicle/system.
- Product Development: Ensures that cybersecurity design methods leveraged for road vehicles incorporate the “Systems Engineering V Model,” which allows manufacturers to follow the vehicle’s architectural design and cybersecurity requirements simultaneously.
The ISO/SAE 21434 standard leverages guiding principles set forth in the SAE J3961 cybersecurity in cyber-physical vehicle standard, as well as the SAE J3061 Standard: Cyber Security Guidebook for Cyber-Physical Vehicle Systems. As such, it includes a defined framework with cohesive cybersecurity requirements and processes for manufacturers and developers producing road vehicles (Figure 2).
Figure 2. ISO/SAE 21434 specifies a number of safety and security requirements in both hardware and software that span each phase of vehicle production, from design and manufacture to operation and maintenance. (Source: LDRA)
Aside from being applicable to each phase of an organization’s development process, from production and operation through service and decommissioning, the standard considers:
- Commonly used tools and methods for designing, verifying, and validating automotive cybersecurity systems
- Basic guiding principles used in automotive cybersecurity systems
- Scalability for the development of additional cybersecurity standards in the future
Jack Pokrzywa, director of global ground vehicle standards, SAE International, said, “We see this standard as a critical tool in the arsenal of cybersecurity professionals and product developers around the globe. SAE is committed to helping industry achieve the highest levels of security in all vehicles.”
Ensuring Cybersecurity for Safety-Critical Automotive Systems
The 21434 standard was created by a joint task force of more than 100 product development engineers and cybersecurity specialists from 14 geographic regions, and the ISO and SAE recognize that the industry will need help implementing it.
Therefore, educational resources are being made available to the design community on https://discover.sae.org/cybersecurity, including free articles, white papers, webcasts, and a Guidebook that is for sale. SAE/ISO members like Deloitte and Synopsys have also produced webinars to help companies start working with the new standard.
Finally, TÜV SÜD Division Mobility has partnered with the SAE to develop an Automotive Cybersecurity Certification program, a two-day seminar that will provide a common understanding of the language, international laws and regulations, and security threats and protections that are relevant under the new standard.
More information on the certification program is available at www.sae.org/learn/content/c2105/. Interested parties can find out more information or download the ISO/SAE 21434 standard from the ISO website.