Nowadays, there is more connectivity than ever in vehicles, meaning more risks to car cybersecurity as a whole. From WiFi to Bluetooth, LTE, and USB, the number of connected interfaces in automobiles increases exponentially every year. According to ABI Research, 30 million new connected cars were sold in 2020 alone – and they predict that number will go up to 115 million cars globally by 2025. But with increased connectivity comes higher security risks, which is why the automotive industry developed ISO 21434, a standard that promotes cybersecurity in road vehicle systems. Read on to learn more about ISO 21434 and how your organization can get ready for it!
Although there are many benefits that come with driving a connected car (5G wireless connectivity to enable self-driving capabilities, advanced navigation systems, fewer road accidents being a few of them), the increasing amount of software in vehicles has also led to heightened cybersecurity concerns. Networked and semi-autonomous cars are more vulnerable to cyber attacks than their predecessors. As a result, manufacturers all over the world are looking to mitigate those vulnerabilities and reduce the likelihood of accidents and injuries they could cause.
However, existing industry safety standards for road vehicles' cybersecurity engineering were not comprehensive enough; they did not cover the safeguards that should be in place to mitigate cybersecurity risks. As a result, a new standard was needed to make sure that automotive cybersecurity is taken into account at every stage of the product life cycle in automotive development, and that the necessary safeguards are implemented at every step of the way. That’s where ISO 21434 comes in.
What is ISO 21434?
ISO 21434 “Road vehicles - cybersecurity engineering” is an automotive industry standard developed by the International Organization for Standardization (ISO) alongside the Society of Automotive Engineers (SAE). This standard builds on its predecessor, ISO 26262, which does not cover software development or subsystems. ISO 21434 focuses on the cybersecurity risks inherent in the design and development of car electronics. It provides updated guidelines for security management, ongoing security-related activities, and methods for risk assessment and mitigation.
When does ISO 21434 come into effect?
The status of ISO 21434 is currently ‘under development’, and it is forecast to be published by the end of 2021. That being said, the draft version of ISO 21434 was already published in February 2020. According to the virtual GENIVI All Members Meeting in May 2021, the changes to the final version will be minor, so Original Equipment Manufacturers (OEMs) and suppliers looking to address automotive cybersecurity risks can follow the draft guidelines with confidence.
An overview of ISO 21434
ISO 21434 provides a guideline for ensuring the cybersecurity of road vehicle electronic systems. It was developed to ensure that OEMs and suppliers take cybersecurity into account at every step of the product lifecycle, from the concept phase all the way to retirement. To expand on that, ISO 21434 provides the terminology, objectives, requirements, and guidelines that organizations need in order to:
- Define cybersecurity policies and processes
- Analyze, identify, and manage cybersecurity risks
- Champion a ‘security by design’ or cybersecurity culture within the organization
ISO 21434 applies to all the software included in vehicles, to the electronic systems and components, and, last but not least, to the hardware as well. The overall goal of the standard is to provide a comprehensive guideline for automotive developers that helps them cover cybersecurity topics throughout the whole development lifecycle, and to make sure that the entire supply chain is covered, too.
How does ISO 21434 affect automotive OEMs and suppliers?
The purpose of ISO 21434 is to encourage automotive OEMs and suppliers to consider cybersecurity concerns and measures throughout the whole lifecycle of the product. In order to comply with ISO automotive cybersecurity requirements, OEMs and suppliers will need to be able to demonstrate that they have implemented the recommended safeguards and done their due diligence. It also requires that OEMs and suppliers demonstrate that the full supply chain is covered; the full responsibility remains with the manufacturer.
ISO 21434 promotes organizations adopting a ‘security and privacy first’ mindset, which is why ISO 21434 lays out guidelines for the whole product development lifecycle. It follows the V model and details how cybersecurity comes into every phase: from requirement definition to design, implementation, testing, operations, all the way to retirement. Some of the activities OEMs and suppliers will need to do according to this guideline are the following:
- Carrying out risk assessments
- Identifying cybersecurity vulnerabilities
- Ensuring development is undertaken with the correct safeguards in place to address these vulnerabilities
- Rigorously testing applications and software/hardware components to make sure these risks have been mitigated
ISO 21434 on cybersecurity: what does the standard say?
ISO 21434 presents a series of requirements for automotive cybersecurity engineering. These serve to analyze vulnerabilities and put safeguards in place to ensure the highest level of cybersecurity possible. The approach is based on the premise that cybersecurity should come first in all questions of design and be considered at every step of the product lifecycle, rather than being an isolated measure introduced separately at a later stage. In practical terms, this affects choices such as the programming language used: secure coding techniques must be applied, and the language must have unambiguous syntax and semantic definitions.
How is ISO 21434 related to UN R155?
UN R155 is one of the regulations released by the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29), alongside its sibling regulation UN R156. It will be considered binding for new vehicles in the UNECE markets by July 2022.
UN R155 mandates the use of a certified cybersecurity management system, and requires that special attention be paid to:
- Analyzing, assessing, and managing cyber risks with connected vehicles
- The use of cybersecurity ‘by design’ to reduce risks throughout the supply chain
- Keeping vehicle software up to date securely
- Having systems in place which detect and mitigate security incidents in vehicles
UN R155 and ISO 21434 are very similar, the first being a UN regulation while the second is an industry standard. Both are guidelines with requirements that must be met to promote cybersecurity in the automotive industry. Having the right tooling in place to support compliance is essential for meeting the requirements of both the automotive cybersecurity ISO standard and the UN regulations, and for having your products approved to go to market.