With increasing calls for cybersecurity standards for the industry, the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) joined hands to introduce ISO/SAE 21434, a set of guidelines for securing high-level processes in connected cars. The publication was in response to the need for common cyber-related terminologies, criteria for effective cybersecurity, and a standard definition for automotive cybersecurity.
Focusing on cybersecurity risks in road vehicle electronic systems, ISO 21434 covers all stages of a vehicle’s lifecycle – from design through decommissioning – by the application of cybersecurity engineering. It guarantees the development of automotive cybersecurity engineering from four aspects: risk assessment management, product development, operation/maintenance and process audit.
Key elements are the establishment of a common terminology and methods for risk assessment in the field of cybersecurity. Overall, this standard enables an industry-wide “Security by Design” approach that does justice to the increasing networking and thus vulnerability of vehicles.The goal is that the products designed, produced and tested by the standard have certain cybersecurity protection capabilities. The guidelines encourage engineers to design E/E systems that keep up with evolving technologies and cybersecurity threats.
The ISO 21434 defines a framework that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risks. This standard applies to electrical and electronic systems for mass production road vehicles. It is through the following dimensions that the standard ensures the development of automotive cybersecurity engineering design and process systems:
- Terms and definitions relating to cybersecurity
- Enterprise level cybersecurity management
- Project level cybersecurity management
- Continuous improvement of cybersecurity management
- Risk assessment of cybersecurity management
- Cybersecurity related product concept development
- Cybersecurity related product system development
- Cybersecurity management operation and maintenance requirements
- After the design stage (production, operation and maintenance, decommissioning, scrapping, etc.) cybersecurity management
The ISO 21434 poses specific requirements to check for inherent weaknesses and the overall compliance to cybersecurity requirements. Regarding programming language selection, software developers should check for secure design and coding techniques, alongside unambiguous syntax and semantic definitions.
This presents many benefits for the automotive cybersecurity industry. It emphasizes risk identification methods and established processes to address the cyber-risks. This means, it dictates the standard at which the product must be monitored and mitigated. Perseus enables its users to identify the risk and provide efficient solutions, as the standard requires.
The ISO/SAE 21434 is therefore a process-oriented standard and helps define a structured process to ensure cybersecurity along the lifecycle. It was created as a new baseline standard after contributions and consultations from more than 80 entities related to the automotive industry, cybersecurity, electronic parts manufacturing companies and other groups.