ISO SAE 21434 Compliance for Automotive Security
As today’s vehicles become more connected via Wi-Fi and Bluetooth capabilities, cyberattacks pose an ever-present risk. Cyberattacks via connected vehicles are becoming more common, and hackers can even take over a vehicle’s capabilities to control the vehicle. Since auto cybersecurity is a relatively new field, traditional cybersecurity standards haven’t fully addressed vehicle safety regarding cyber threats.
Yet any time there’s digital connectivity, there’s a risk for a security breach. The Society of Automotive Engineers (SAE) International and the International Organization for Standardization (ISO) have created a universal standard for automotive cybersecurity to better control cyber risk in vehicles: ISO SAE 21434 Road Vehicles – Cybersecurity Engineering.
What Is ISO/SAE 21434 and What Does It Mean for the Automotive Industry?
Before ISO SAE 21434, there wasn’t a global standard for mitigating cybersecurity attacks in digitally connected vehicles. While ISO and SAE had both developed different standards for cyber safety for vehicles in the past (with ISO 26262 and SAE J3061), this new standard creates a universal framework for suppliers, equipment manufacturers, and vendors to keep connected vehicles more secure.
The goal of the new standard is to better manage cybersecurity threats in vehicles. This includes reducing the scale of cyberattacks and any data theft that may occur. The standard will empower the auto industry to inherently create more secure vehicles.
One of the most important features of the standard is that it establishes universal terms for auto cybersecurity. However, it also emphasizes the importance of both assessing and managing vehicle cybersecurity, but part of managing cybersecurity risk is being able to communicate that risk and mitigate threats via universally-understood terms.
The intention is that the end result will be digitally connected vehicles designed and produced according to these baseline cybersecurity requirements. The standard also serves as a reference for industry regulators to enforce vehicle cybersecurity and protect drivers from the consequences of cyberattacks.
Framework of ISO/SAE 21434
Unlike some other cybersecurity standards, ISO SAE 21434 doesn’t provide a concrete list of items to obtain auto cybersecurity compliance. However, the publication is an important first step in the right direction for establishing an actionable cybersecurity standard.
All phases of creating the vehicle must be in compliance with the standard, including the design, engineering, production, operation, maintenance, and decommissioning phases. Outlining these stages in the standard ensures that cybersecurity is considered throughout the entire process of creating digitally connected vehicles for a more comprehensively secure result.
The ISO/SAE framework includes:
- Management of cybersecurity, especially during concept and product development, but also during production, operations, and maintenance.
- Risk assessment methods, including asset identification, threat analysis, impact assessment, and vulnerability analysis.
- Integrating cybersecurity relevance and goals during the concept phase.
- Implementing and verifying cybersecurity requirements during the development phase.
- Cybersecurity monitoring, vulnerability management, and incident response during the production, operations, and maintenance phases.
- Continuing to support cybersecurity via organizational procedures.
The standard stresses that cybersecurity shouldn’t be an afterthought—it should be at the forefront of creating vehicles with connectivity capabilities to ensure better security.
The Importance of Having a Standard for Auto Cybersecurity
By mandating cybersecurity requirements throughout the entire process, ISO SAE 21434 helps create an inherently more secure connected vehicle. While the standard doesn’t define specific solutions for mitigating threats (likely because the vehicle cybersecurity landscape is changing so quickly, like many modern technologies), it does establish minimum criteria for engineering a vehicle with cybersecurity threats in mind.
However, the new standard doesn’t address cybersecurity standards for electric vehicle (EV) chargers or autonomous vehicles, which require a different approach to cybersecurity.
However, the standard does emphasize the importance of both identifying and addressing cybersecurity risks in a vehicle. ISO/SAE is a necessary development in the world of automotive cybersecurity, as it can reduce the risk for a connected vehicle to experience hacking and keep drivers safer.
Compliance Tips for Automotive Cybersecurity
When getting started with auto cybersecurity, what are some compliance tips to keep in mind?
- Check for weaknesses in your software using industry standardized tools, such as Threat Analysis and Risk Assessment (TARA). It’s impossible to address any vulnerabilities if you don’t know they exist. Weaknesses can be places where hackers can gain access to vehicle systems or data.
- Consider cybersecurity in every aspect of the design. Cybersecurity cannot be overlooked when designing a connected vehicle; it should play a pivotal role throughout every vehicle’s design and development process.
- Conduct risk analysis throughout the entire process. Assessing risk will help you uncover any potential vulnerabilities so you can better address them. Continuous monitoring and updates are important, even after the vehicle is out on the road.
- Have a plan to mitigate and absolve threats. Responding to incidents, especially when a vehicle and driver safety are involved, are of the utmost importance, so having a plan to address potential threats can save invaluable time should an attack play out in real life.
Are You Prepared to Be in Compliance?
ISO SAE 21434 compliance is more than understanding the terminology used for auto cybersecurity. You must identify gaps in your procedures, analyze risk, and continue to develop your standards for auto cybersecurity. Fortunately, ISO/SAE will help make vehicles less vulnerable to cyberattacks that can be at best a nuisance and at worst a threat to someone’s life.
How KeyBRIDGE 4100 Automotive TrustAnchor is already helping Auto Parts Manufacturers to address ISO/SAE 21434
Centralizing cryptographic key management and performing key injection or key distribution is a paramount concern for any industry. Today, several Auto Parts manufacturers are now leveraging the native key management and key injection functions of the KeyBRIDGE 4100 Automotive TrustAnchor to meet these evolving requirements and best practices.
The KeyBRIDGE 4100 Automotive TrustAnchor permits secure key distribution among an infinite list of tier providers. Cryptographic keys for Electronic Control Units or (ECUs) are logically segregated and made available for use under auditable Role Based Access Controls. With the ability to perform secure Key Generation using a certified hardware based FIPS random Number generator, keys may be distributed and/or directly injected onto ECUs.
As the primary system of record, KeyBRIDGE can then support all future validation and authentication challenges required for asset identification. Moreover, using the simple to use JSON Schema RESTful API, this critical function may be automated in an interoperable fashion with various third party systems.