Visure Solutions



ISO 21434: Definition, Compliance, Tools, and Certifications


In a world where technology is constantly evolving, the automotive industry has been working hard to stay ahead of the curve in terms of cybersecurity. With more and more cars being connected to the internet, it’s essential that measures are put in place to protect drivers and their data. That’s why ISO 21434 was developed – to promote cybersecurity in road vehicle systems. In this blog post, we’ll take a closer look at ISO 21434 and what it means for your organization. Stay safe out there on the open road!

What is Cybersecurity in Automotive?

Cybersecurity in automotive is the practice of protecting connected vehicles from unauthorized access or malicious damage. ISO 21434 outlines a set of regulations and guidelines that organizations must follow to ensure their systems are secure, including recommendations for risk identification, threat management, privacy protection, and more. ISO 21434 also defines requirements related to safety considerations such as security-by-design and system failure handling capabilities. By taking steps such as regular software updates, patching vulnerabilities quickly, avoiding single points of failure within the system architecture, and implementing secure authentication protocols like two-factor authentication (TFA) or one-time passwords (OTP), organizations can minimize the risks associated with cyber threats in automobiles.

What is ISO 21434?

ISO 21434 is a standard that was developed by the International Organization for Standardization (ISO). It’s designed to create a framework for cybersecurity in road vehicle systems. The standard covers everything from risk assessment and management to security controls and mitigation strategies. In short, ISO 21434 is all about keeping vehicles safe from cyberattacks.

ISO 21434 is based on the ISO/SAE 21434 standard, which was developed by the Society of Automotive Engineers (SAE). The ISO/SAE 21434 standard is a set of guidelines for cybersecurity in vehicles. It was created in response to the growing number of cyberattacks on cars and trucks. The ISO/SAE 21434 standard is voluntary, but ISO 21434 is mandatory for all ISO members.

Overview:

ISO 21434 is a standard that has been developed to provide manufacturers, suppliers, and OEMs with a framework for ensuring the cybersecurity of vehicle electronic systems. It was created to ensure that cybersecurity is considered at every stage of the product’s development, from inception through retirement. To elaborate on this point, ISO 21434 provides terminology, goals, criteria, and methods related to cybersecurity in road vehicles in order to:

  • Define cybersecurity standards and procedures
  • Analyze, identify, and manage cybersecurity threats
  • Promote a ‘security by design’ or cybersecurity culture within the company.

What Does ISO 21434 Include?

ISO 21434 includes four main parts: risk assessment and management, security controls, communication and information exchange, and mitigation strategies.

  1. Risk Assessment and Management: ISO 21434 requires organizations to assess and manage risks to vehicle systems. This includes identifying, assessing, and managing cybersecurity risks. Organizations must also have a plan in place for dealing with cyber incidents.
  2. Security Controls: ISO 21434 requires organizations to implement security controls to protect vehicles from cyberattacks. These controls include things like authentication, authorization, and encryption.
  3. Communication and Information Exchange: ISO 21434 requires organizations to exchange information about cybersecurity risks and incidents. This includes sharing information with suppliers, customers, and other stakeholders.
  4. Mitigation Strategies: ISO 21434 requires organizations to have mitigation strategies in place for dealing with cyber incidents. These strategies should be designed to minimize the impact of an incident on vehicle systems.

Purpose of ISO 21434:

Today, every vehicle is loaded with the power of artificial intelligence. From Wi-Fi and Bluetooth to USB and LTE connectivity, a car is loaded with high-tech features that make it more appealing and modern. All this together makes the vehicle not only more capable but also highly prone to cyber-attacks.

The purpose of ISO 21434 is to protect vehicles from all types of cyberattacks. This standard provides a framework for organizations to assess, manage, and mitigate risks to vehicle systems. ISO 21434 is designed to ensure that cybersecurity is considered at every stage of the product’s development, from inception through retirement.

Process of implementing ISO 21434:

The cycle of implementing ISO 21434 is a five-step procedure as defined in the standard itself.

  1. Identification of assets and potential damage resulting from a breach of security features
  2. Identification and analysis of possible threats, attacks, and vulnerabilities
  3. Determination of risk levels based on damage scenarios and the probability of successful attacks
  4. Take countermeasures until the remaining risk is acceptable
  5. Documentation of the important steps and results of the risk assessment process, such as asset lists, damage scenarios, attack reports, or risk reports.
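The five steps above, carried through for two sample items, as an added example (not code from the standard or from Visure). The rating scales, the acceptance threshold, the rule that a control lowers attack feasibility by a fixed number of steps, and the sample assets are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed rating scales and threshold; the page does not define any.
IMPACT = {"negligible": 1, "moderate": 2, "major": 3, "severe": 4}
FEASIBILITY = ["very_low", "low", "medium", "high"]   # scored 1..4
ACCEPTABLE_RISK = 4                                   # assumed acceptance limit

@dataclass
class Threat:
    asset: str            # step 1: asset
    damage: str           # step 1: damage scenario
    attack: str           # step 2: threat / attack
    impact: str
    feasibility: str
    controls: list = field(default_factory=list)

    def risk(self) -> int:
        # Step 3: risk level from damage severity and attack feasibility.
        return IMPACT[self.impact] * (FEASIBILITY.index(self.feasibility) + 1)

def treat(threat, candidates):
    """Step 4: apply (name, feasibility_steps_removed) controls in order
    until the remaining risk is acceptable; report whether it became so."""
    for name, steps in candidates:
        if threat.risk() <= ACCEPTABLE_RISK:
            break
        level = max(0, FEASIBILITY.index(threat.feasibility) - steps)
        threat.feasibility = FEASIBILITY[level]
        threat.controls.append(name)
    return threat.risk() <= ACCEPTABLE_RISK

def risk_report(threats):
    # Step 5: document assets, damage scenarios, attacks and residual risk.
    return [{"asset": t.asset, "damage": t.damage, "attack": t.attack,
             "controls": t.controls, "residual_risk": t.risk(),
             "accepted": t.risk() <= ACCEPTABLE_RISK} for t in threats]

def run_example():
    # Constructed sample items, not taken from the standard or the page.
    ota = Threat("update image", "manipulated firmware installed",
                 "image from unauthenticated source", "severe", "high")
    diag = Threat("diagnostic interface", "configuration changed in the field",
                  "unauthorized diagnostic session", "major", "high")
    treat(ota, [("authenticate update source", 2), ("authorize install", 1),
                ("encrypt image in transit", 1)])
    treat(diag, [("authorize diagnostic sessions", 1)])
    return risk_report([ota, diag])

if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The second item stays above the threshold after its only control, which is the case step 4 exists to catch: the report records it as not accepted, so further countermeasures are still required.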

ISO 21434 Document Structure:

ISO/SAE DIS 21434 [11] focuses on the cybersecurity activities of all phases of a vehicle’s life cycle, from design and development through production, operation, and decommissioning. The ISO/SAE DIS 21434 draft’s structure is analyzed and briefly described in this section before a more detailed account is given in the subsequent sections of the paper.

Section 1 defines the Scope of the norm.

Section 2 provides normative references.

Section 3 defines abbreviated terms and definitions of terms used in the document.

Section 4 is a descriptive section that provides information on the vehicle ecosystem, organizational cybersecurity management, and the vehicle lifecycle as a whole. The definition of automotive cybersecurity in this context refers to ensuring that all assets inside the car, as well as the car itself, are protected against unauthorized access or manipulation that might lead to harm.

Automotive cybersecurity thus considers: 

  • threats to the vehicle or its components and 
  • threats to the ecosystem that compromise assets outside of the vehicle but utilize vulnerabilities within the vehicle. 

Additionally, a general organizational overview of cybersecurity management and the cybersecurity engineering lifecycle activities is provided.

Section 5 includes descriptions of the organizational cybersecurity strategy, policy, and objectives. The objective of this section is to:

  • describe the organizational objectives regarding cybersecurity and the organizational strategy to achieve these objectives
  • specify organization-specific rules and processes to implement the organizational cybersecurity strategy
  • assign responsibilities for cybersecurity engineering and the corresponding authority
  • provide the resources needed
  • foster a cybersecurity culture
  • manage the competencies and awareness needed to perform the cybersecurity activities
  • apply continuous improvement
  • perform an organizational cybersecurity audit
  • manage interactions between cybersecurity processes.

Section 6 defines risk management requirements, which include a plan and method to determine the extent to which the road user is threatened by a potential circumstance or event.

Section 7 deals with the concept phase and defines cybersecurity goals resulting from a threat analysis and risk assessment, as well as the cybersecurity requirements needed to achieve those goals.

Section 8 specifies the implementation and verification of cybersecurity requirements specific to the product development phase. 

Section 9 focuses on the production, operation, and maintenance phases and specifies requirements to ensure that the cybersecurity specifications are implemented in the produced item; it also covers in-field cybersecurity activities.

Section 10 describes supporting processes, including organizational processes. 

Sections 1, 2, and 3 cover the scope of the standard, the normative references, and the abbreviated terms and definitions used in the document. They are not discussed further in this work because they were previously addressed in the introduction section.

SAE J3061 VS ISO 21434:

ISO 21434 and SAE J3061 are two different standards that focus on automotive cybersecurity. While ISO 21434 is a European standard, SAE J3061 is an American standard developed by the Society of Automotive Engineers (SAE).

The main difference between ISO 21434 and SAE J3061 is their respective approaches to cybersecurity in vehicles. ISO 21434 uses a holistic approach to automotive cybersecurity, while SAE J3061 focuses more on specific cyber threats. Additionally, ISO 21434 provides organizations with guidance on how to implement automotive cybersecurity across all phases of vehicle lifecycles whereas SAE J3061 offers only general recommendations for risk management. ISO 21434 is also more comprehensive than SAE J3061, as ISO 21434 covers the entire vehicle life cycle.

Relationship Between ISO 21434 And UN R155:

ISO 21434 and UN Regulation No. 155 (UN R155) both regulate automotive cybersecurity; however, ISO 21434 is a technological standard while UN R155 is a legal guideline.

The main difference between ISO 21434 and UN R155 is that ISO 21434 focuses on developing secure vehicles while UN R155 focuses on ensuring the safety of those vehicles in use. ISO 21434 provides organizations with guidance on how to implement automotive cybersecurity across all phases of vehicle life cycles, whereas UN R155 offers rules and regulations for basic safety requirements when using those vehicles. Additionally, ISO 21434 covers topics such as risk assessment, system design processes, and testing processes, which are not included in the scope of the UN R155 regulation. ISO 21434 is also more comprehensive than UN R155, as ISO 21434 covers the entire vehicle life cycle.

Requirements Traceability and ISO-21434:

ISO 21434 mandates organizations to ensure the traceability of product requirements throughout the development life cycle. Requirements traceability is a process that verifies that all requirements have been accounted for and implemented during the development phase.

ISO/SAE 21434 outlines three key principles ([RQ-09-08], [RQ-09-09], and [RQ-09-10]) that have been established as a standard for deriving cybersecurity requirements from cybersecurity specifications throughout the development process. This important element of traceability will ensure successful implementation during every stage of your project’s lifecycle. For example:

  • [RQ-10-02] and [RQ-10-03] both look into the correlation between requirements and design.
  • The traceability between the component’s implementation and its specification is addressed in [RQ-10-08] and [RQ-10-09], demonstrating that these two requirements are of paramount importance.

Integration & Verification Within ISO-21434

ISO/SAE 21434 includes requirements [RQ-10-09] and [RQ-10-10], which are concerned with the integration of the components into subsystems and systems, to verify that the result fulfills the cybersecurity specifications. [RQ-10-10] highlights the following methods for verification:

  • Requirements-Based Test – Requirements-based tests are critical for not only demonstrating that the requirements have been fulfilled but also verifying that no redundant code is present.
  • Interface Test – Interface testing ensures that the connection between software systems, subsystems, and components is performing properly.
  • Evaluation of Resource Usage – When it comes to a connected system, especially when malicious entities are attacking, allocating the right amount of resources (memory, timing, file system…) and resolving competition issues should be taken into serious consideration.
  • Control and Data Flow Verification – Inaccurate data or improper control flow can leave your code susceptible to threats. Control and data flow analysis is an excellent way to ensure that both are appropriate to the system’s design specifications.
  • Dynamic Analysis – Dynamic analysis is an encompassing term for software tests that involve examining the behavior of a system when it is actively running. This method can be applied to validate and confirm either the whole or parts of programs, ensuring accuracy at all times.

Visure Requirements ALM Platform:

The ISO 21434 standard provides a comprehensive and holistic approach to automotive cybersecurity. However, implementing it can be daunting for organizations that are new to the standard. That’s where Visure Requirements ALM Platform comes in.

Visure Requirements is a requirements management tool that helps organizations effectively manage ISO 21434 compliance throughout the product development life cycle. With Visure Requirements, organizations can:

  • Trace requirements from ISO 21434 to product requirements
  • Automatically generate ISO 21434 compliance reports
  • Collaborate on ISO 21434 compliance across the organization

Get started with Visure Requirements today and simplify your ISO 21434 compliance journey!

Conclusion:

ISO 21434 is a global standard that provides guidance on how to secure vehicles from cyber-attacks. It can be difficult to implement such a standard without the help of a professional tool like Visure Requirements ALM Platform. With our platform, you can easily create and manage your documents according to the structure of ISO 21434, making it easy to ensure compliance with the standard. Request a free 30-day trial today and see how Visure Requirements can help you achieve compliance and improve your product development process.
