Automotive Cyber Security: ISO/SAE 21434
Cyber security in the automotive sector is a big topic. With ISO/SAE 21434, the automotive industry has developed a standard to protect vehicles from potential threats. We’ll show you the basics of ISO/SAE 21434 and explore together how it can help improve vehicle security.
What is ISO/SAE 21434?
ISO/SAE 21434 is the joint ISO and SAE International standard for cyber security engineering of road vehicles. It defines requirements for the processes an organization needs in order to identify, assess and treat cyber security risks throughout the lifecycle of electrical and electronic (E/E) systems in vehicles, covering system integrity, communication security and the monitoring of fielded vehicles. Meeting these requirements gives an organization a structured way to protect the integrity of vehicle systems and, through that, the safety of the vehicle functions that depend on them.
The required processes also allow companies to verify and continuously monitor the security state of their vehicle systems.
Compliance with ISO/SAE 21434 therefore helps ensure that vehicle systems are protected from cyber attacks and that drivers and vehicles remain safe.
Why is Automotive Cyber Security so important?
It is important that the automotive industry agrees on a consistent level of security. That is why the International Organization for Standardization (ISO) and SAE International collaborated to develop ISO/SAE 21434.
This standard specifies the technical and organizational requirements for automotive cyber security and focuses on protecting vehicles and their E/E systems from cyber attacks. It defines the basic security concepts, requirements and guidelines that must be met to achieve a level of security that protects vehicle functions and data integrity. In addition, the standard requires that security activities be carried out across the whole vehicle lifecycle: concept, development, production, operation and maintenance, and decommissioning. Protection against cyber attacks is thus addressed throughout the vehicle's life, not only at design time.
What exactly is behind ISO/SAE 21434?
The standard essentially requires a Cyber Security Management System (CSMS) that allows potential vulnerabilities in connected vehicles to be managed actively. The obligation to have such a management system audited and certified by an external party comes from UN Regulation No. 155, which requires a CSMS certificate of compliance as a precondition for vehicle type approval and for which ISO/SAE 21434 is the reference standard; the arrangement is similar to an information security management system (ISMS) under ISO/IEC 27001. Note that the standard does not define any specific requirements for cyber security technologies, solutions or countermeasures: it specifies what processes must exist and what they must produce, not which controls to implement.
In general, the standard is divided into 15 sections. The numbering below follows the draft (DIS) version; the published edition, ISO/SAE 21434:2021, moved a few clauses (distributed cyber security activities became Clause 7, continual cyber security activities Clause 8, and the threat analysis and risk assessment methods Clause 15), but the content is the same:
- Sections 1 through 4 contain only general information, such as terminology.
- Sections 5 and 6 contain the necessary guidelines to ensure cybersecurity management. These include an organization-wide cybersecurity policy, guidelines and procedures, and specific cybersecurity management for a project.
- Section 7 outlines ongoing cybersecurity activities, including contributing information for ongoing risk assessment and vulnerability management.
- Section 8 defines the risk assessment methods, i.e. the threat analysis and risk assessment (TARA) process: identifying assets and damage scenarios, deriving threat scenarios and attack paths, rating impact and attack feasibility, determining a risk value and deciding how each risk is treated (avoided, reduced, shared or retained).
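To make the risk assessment step concrete, here is a worked TARA calculation as an added example. It is not text or code from ISO/SAE 21434 or from the page's author: the factor tables, feasibility thresholds, risk matrix and treatment thresholds are assumptions modelled on the attack-potential approach of the standard's informative annexes, and the threat scenarios are constructed for illustration. An organization must define its own values in its CSMS.

```python
"""Worked threat analysis and risk assessment (TARA) calculation.

Added example, not the standard's own method. Numeric values are
assumptions in the style of the attack-potential approach (ISO/IEC 18045
factors); the risk matrix and treatment thresholds are illustrative.
"""
from dataclasses import dataclass

# Attack-potential factors: higher value = harder for the attacker (assumed).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}
FACTORS = {"elapsed_time": ELAPSED_TIME, "expertise": EXPERTISE, "knowledge": KNOWLEDGE,
           "window": WINDOW, "equipment": EQUIPMENT}

IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]

# Illustrative risk matrix: row = impact rating, column index = feasibility level.
RISK_MATRIX = {
    "negligible": [1, 1, 1, 1],
    "moderate":   [1, 2, 2, 3],
    "major":      [1, 2, 3, 4],
    "severe":     [2, 3, 4, 5],
}


@dataclass
class ThreatScenario:
    name: str
    asset: str
    damage_scenario: str
    impact: dict        # category (safety/financial/operational/privacy) -> impact level
    attack_path: dict   # factor name -> chosen option from the tables above


def attack_potential(attack_path: dict) -> int:
    """Sum the attack-potential factor values for one attack path."""
    return sum(FACTORS[f][choice] for f, choice in attack_path.items())


def feasibility_rating(potential: int) -> str:
    """Map an attack-potential sum to a feasibility level (assumed thresholds)."""
    if potential <= 13:
        return "high"
    if potential <= 19:
        return "medium"
    if potential <= 24:
        return "low"
    return "very low"


def impact_rating(impact: dict) -> str:
    """Overall impact is the worst rating across the impact categories."""
    return max(impact.values(), key=IMPACT_LEVELS.index)


def risk_value(scenario: ThreatScenario) -> int:
    """Risk value 1 (lowest) to 5 (highest) from impact and attack feasibility."""
    feas = feasibility_rating(attack_potential(scenario.attack_path))
    return RISK_MATRIX[impact_rating(scenario.impact)][FEASIBILITY_LEVELS.index(feas)]


def treatment(risk: int) -> str:
    """Risk treatment decision (thresholds assumed, options per the standard)."""
    if risk >= 4:
        return "reduce: cybersecurity goal and controls required"
    if risk >= 2:
        return "reduce or share: controls or contractual allocation"
    return "retain: document rationale"


# Constructed scenarios (not real vulnerabilities).
REMOTE_DIAG = ThreatScenario(
    name="Spoofed diagnostic command via telematics link",
    asset="Brake controller diagnostic interface",
    damage_scenario="Brake assist disabled while driving",
    impact={"safety": "severe", "financial": "moderate", "operational": "major", "privacy": "negligible"},
    attack_path={"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
                 "window": "unlimited", "equipment": "specialised"},
)
LOCAL_KEY_EXTRACT = ThreatScenario(
    name="Key extraction from a bench-mounted ECU",
    asset="ECU signing key",
    damage_scenario="Forged firmware accepted by one vehicle",
    impact={"safety": "major", "financial": "moderate", "operational": "moderate", "privacy": "negligible"},
    attack_path={"elapsed_time": "<=6 months", "expertise": "expert", "knowledge": "confidential",
                 "window": "moderate", "equipment": "bespoke"},
)

if __name__ == "__main__":
    for s in (REMOTE_DIAG, LOCAL_KEY_EXTRACT):
        r = risk_value(s)
        print(f"{s.name}: potential={attack_potential(s.attack_path)}, "
              f"feasibility={feasibility_rating(attack_potential(s.attack_path))}, "
              f"impact={impact_rating(s.impact)}, risk={r} -> {treatment(r)}")
```

The point of the worked calculation is the shape of the process, not the numbers: the remote, always-available attack path scores as medium feasibility against a severe impact and lands at risk 4, so a cybersecurity goal and controls are mandatory, while the bench attack needing bespoke equipment and confidential knowledge drops to very low feasibility and risk 1 despite a major impact. The same structure (assets, damage scenarios, threat scenarios, rated attack paths, risk values, treatment decisions) is what an auditor expects to find documented in a TARA work product.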
While Sections 5 through 8 address the organization, Sections 9 through 14 focus primarily on cyber security for whole vehicles and individual vehicle components.
- Section 9 covers the concept phase for a new item or component. This includes the item definition, the identification of its assets, the TARA for those assets, and the derivation of cybersecurity goals and the cybersecurity concept that satisfies them.
- Section 10 addresses the specification, establishment, and verification of cybersecurity for each component during the development phase.
- Section 11 covers cybersecurity validation at the vehicle level, confirming that the cybersecurity goals and claims from the concept phase are actually met by the integrated vehicle. The post-development phase consists of Sections 12 (Production), 13 (Operation and Maintenance) and 14 (Decommissioning), each of which specifies the cybersecurity aspects of that phase.
The final part of the standard describes the supporting processes for cyber security activities and the interactions and dependencies between suppliers and customers in distributed development (cybersecurity interface agreements, responsibility assignment and the like). The standard does not prescribe an order in which the individual sections are to be worked through, because ISO/SAE 21434 is intended as a framework for establishing and continuously improving the CSMS; it does, however, place particular emphasis on consistent, unambiguous terminology across the organization and its suppliers.
The advantages of ISO/SAE 21434 for your company
The introduction of ISO/SAE 21434 should not be seen as a chore but as an opportunity. It improves the organization's structure, offers reputational benefits and reduces cyber risks and the resulting damage through active management. Implementing a CSMS and having it certified helps mitigate liability and insurance risks. In addition, the standard can support overall business planning and make processes more efficient. In today's world, cyber security and data protection are also increasingly decisive for customers.
Altogether, ISO/SAE 21434 is an essential step toward automotive cyber security. It provides an internationally recognized standard that manufacturers and suppliers can use as a common guide when protecting vehicles. Companies should therefore use ISO/SAE 21434 as the basis for their automotive cyber security strategy, so that they can demonstrate that their vehicles and systems are protected. Because it specifies processes rather than particular countermeasures, ISO/SAE 21434 also leaves manufacturers and suppliers free to adopt new security technologies as they mature.
We are happy to advise you on implementation and offer workshops and quick checks to help you achieve your goals.