ISO 21434: Definition, Compliance, Tools, and Certifications
In a world where technology is constantly evolving, the automotive industry has been working hard to stay ahead of the curve in terms of cybersecurity. With more and more cars being connected to the internet, it’s essential that measures are put in place to protect drivers and their data. That’s why ISO 21434 was developed – to promote cybersecurity in road vehicle systems. In this blog post, we’ll take a closer look at ISO 21434 and what it means for your organization. Stay safe out there on the open road!
What is ISO 21434?
ISO 21434 is a standard that was developed by the International Organization for Standardization (ISO). It’s designed to create a framework for cybersecurity in road vehicle systems. The standard covers everything from risk assessment and management to security controls and mitigation strategies. In short, ISO 21434 is all about keeping vehicles safe from cyberattacks.
ISO 21434 is based on the ISO/SAE 21434 standard, which was developed by the Society of Automotive Engineers (SAE). The ISO/SAE 21434 standard is a set of guidelines for cybersecurity in vehicles. It was created in response to the growing number of cyberattacks on cars and trucks. The ISO/SAE 21434 standard is voluntary, but ISO 21434 is mandatory for all ISO members.
ISO 21434 is a standard that has been developed to provide manufacturers, suppliers, and OEMs with a framework for ensuring the cybersecurity of vehicle electronic systems. It was created to ensure that cybersecurity is considered at every stage of the product’s development, from inception through retirement. To elaborate on this point, ISO 21434 provides terminology, goals, criteria, and methods related to cybersecurity in road vehicles in order to:
- Define cybersecurity standards and procedures
- Analyze, identify, and manage cybersecurity threats
- And promote a ‘security by design’ or cybersecurity culture within the company.
What Does ISO 21434 Include?
ISO 21434 includes four main parts: risk assessment and management, security controls, communication and information exchange, and mitigation strategies.
- Risk Assessment and Management: ISO 21434 requires organizations to assess and manage risks to vehicle systems. This includes identifying, assessing, and managing cybersecurity risks. Organizations must also have a plan in place for dealing with cyber incidents.
- Security Controls: ISO 21434 requires organizations to implement security controls to protect vehicles from cyberattacks. These controls include things like authentication, authorization, and encryption.
- Communication and Information Exchange: ISO 21434 requires organizations to exchange information about cybersecurity risks and incidents. This includes sharing information with suppliers, customers, and other stakeholders.
- Mitigation Strategies: ISO 21434 requires organizations to have mitigation strategies in place for dealing with cyber incidents. These strategies should be designed to minimize the impact of an incident on vehicle systems.
Purpose of ISO 21434:
Today, every vehicle is loaded with the power of artificial intelligence. From wi-fi and Bluetooth to USB and LTE connectivity, a car is super loaded with high-tech stuff making them more appealing and modern. All this together makes the vehicle not only more capable but also highly prone to cyber-attacks.
The purpose of ISO 21434 is to protect vehicles from all types of cyberattacks. This standard provides a framework for organizations to assess, manage, and mitigate risks to vehicle systems. ISO 21434 is designed to ensure that cybersecurity is considered at every stage of the product’s development, from inception through retirement.
Process of implementing ISO 21434:
The cycle of implementing ISO 21434 is a five-step procedure as defined in the standard itself.
- Identification of assets and potential damage resulting from a breach of security features
- Identification and analysis of possible threats, attacks, and vulnerabilities
- Determination of risk levels based on damage scenarios and the probability of successful attacks
- Take countermeasures until the remaining risk is acceptable
- Documentation of the important steps and results of the risk assessment process, such as asset lists, damage scenarios, attack reports, or risk reports.
ISO 21434 Document Structure:
ISO/SAE DIS 21434  focuses on the cybersecurity activities of all phases of a vehicle’s life cycle, from design and development through production, operation, and decommissioning. The ISO/SAE DIS 21434 draft’s structure is analyzed and briefly described in this section before a more detailed account is given in the subsequent sections of the paper.
Section 1 deﬁnes the Scope of the norm.
Section 2 provides normative references.
Section 3 deﬁnes abbreviated terms and deﬁnitions of terms used in the document.
Section 4 is a descriptive section that discusses the car’s ecosystem, cyber-security management, and the entire vehicle lifecycle. This part provides information on the vehicle ecology, organizational cybersecurity administration, and the automobile lifecycle as a whole. The deﬁnition of automotive cyber-security in this context refers to ensuring that all assets inside the car, as well as the car itself, are protected against unauthorized access or manipulation that might lead to harm.
Automotive cybersecurity thus considers:
- threats to the vehicle or its components and
- threats to the ecosystem that compromise assets outside of the vehicle but utilize vulnerabilities within the vehicle.
Additionally, a general organizational overview of cybersecurity management and the cybersecurity engineering lifecycle activities is provided.
Section 5 includes descriptions of the organizational cybersecurity strategy, policy, and objectives. The objective of this section is to:
- describe the organizational objectives regarding cybersecurity and the organizational strategy to achieve these objectives
- the speciﬁcation of organization-speciﬁc rules and processes to implement the organizational cybersecurity strategy
- assign responsibilities for cybersecurity engineering and the corresponding authority
- provide the resources needed
- foster a cybersecurity culture
- manage the competencies and awareness needed to perform the cybersecurity activities
- apply continuous improvement
- perform an organizational cybersecurity audit
- manage interactions between cybersecurity processes.
Section 6 deﬁnes risk management requirements, which include a plan and method to determine the extent to which the road user is threatened by a potential circumstance or event.
Section 7 deals with the concept phase and deﬁnes cybersecurity goals, resulting from a threat analysis and risk assessment; as well as cybersecurity requirements deﬁnition to achieve the cybersecurity goals.
Section 8 speciﬁes the implementation and veriﬁcation of cybersecurity requirements speciﬁc to the product development phase.
Section 9 is focusing on the production, operation, and maintenance phase, and speciﬁng requirements to ensure that the cybersecurity speciﬁcations are implemented in the produced item; also covers in-ﬁeld cybersecurity activities.
Section 10 describes supporting processes, including organizational processes.
Sections 1, 2, and 3 describe the scope of the rule and abbreviated phrases and deﬁnitions of words used on the document’s first pages, which are not further discussed in this work because they were previously addressed in the introduction section.
Visure Requirements ALM Platform:
The ISO 21434 standard provides a comprehensive and holistic approach to automotive cybersecurity. However, implementing it can be daunting for organizations that are new to the standard. That’s where Visure Requirements comes in.
Visure Requirements is a requirements management tool that helps organizations effectively manage ISO 21434 compliance throughout the product development life cycle. With Visure Requirements, organizations can:
- Trace requirements from ISO 21434 to product requirements
- Automatically generate ISO 21434 compliance reports
- Collaborate on ISO 21434 compliance across the organization
Get started with Visure Requirements today and simplify your ISO 21434 compliance journey!
ISO 21434 is a global standard that provides guidance on how to secure vehicles from cyber-attacks. It can be difficult to implement such a standard without the help of a professional tool like Visure Requirements ALM Platform. With our platform, you can easily create and manage your documents according to the structure of ISO 21434, making it easy to ensure compliance with the standard. Request a free 30-day trial today and see how Visure Requirements can help you achieve compliance and improve your product development process.