The increasing connectivity and software complexities of modern vehicles also mean an increase in cybersecurity risks, making a proactive and comprehensive approach to automotive security a necessity. In this blog post, we’ll talk about ISO 21434, a critical cybersecurity standard designed to address these challenges and shape the future of automotive development.
Understanding ISO/SAE 21434
ISO 21434, titled "Road vehicles - Cybersecurity engineering" is an international standard developed collaboratively by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). Released in August 2021, it serves as a crucial framework to mitigate cybersecurity risks associated with the design and development of electronic systems in road vehicles.
Building upon the foundation laid by its predecessor, ISO 26262, which focuses on functional safety, ISO 21434 specifically targets cybersecurity risks. In essence, it provides comprehensive guidelines and requirements for organizations, including Original Equipment Manufacturers (OEMs) and suppliers.
The standard encourages a "security by design" approach, outlining cybersecurity engineering requirements for the entire lifecycle of electrical and electronic systems in road vehicles. Its applicability extends to series production road vehicle systems developed or modified after its publication.
Why is ISO 21434 Needed?
Increasing Connectivity and Complexity
Modern vehicles are equipped with an increasing number of electronic systems, connectivity features, and software-dependent components.
The rise of technologies such as Advanced Driver Assistance Systems (ADAS), Highly Automated Driving (HAD), and various in-car networks has made vehicles more connected and complex.
Increasing Cybersecurity Risks
With the growing connectivity, there's a heightened risk of cybersecurity threats, including unauthorized access, data breaches, and compromises of vehicle control systems.
Traditional safety standards, like ISO 26262, focus on functional safety but may not adequately address the evolving landscape of cybersecurity risks.
Need for Comprehensive Cybersecurity Standards
Recognizing the need for a dedicated standard to address cybersecurity challenges in the automotive domain, ISO/SAE 21434 was developed.
It complements existing safety standards and provides specific guidelines to manage and mitigate cybersecurity risks throughout the vehicle's entire lifecycle.
ISO 21434 Overview
Comprehensive Lifecycle Coverage
ISO/SAE 21434 covers every stage of a vehicle's lifecycle, from design and development to decommissioning. This holistic approach ensures that cybersecurity is considered and managed at all phases.
Supply Chain Integration
The standard spans the entire automotive supply chain, recognizing the collaborative nature of vehicle design projects. It establishes requirements for due diligence in cybersecurity engineering throughout the supply chain.
Cultural Emphasis on Cybersecurity
ISO/SAE 21434 encourages a cybersecurity-centric culture within organizations. It emphasizes the importance of considering security from the outset of every project, avoiding the historical tendency of treating security as an afterthought.
Programming Language and Coding Standards
The standard specifies criteria for software development, including the choice of programming language. It recommends secure design and coding techniques and provides examples of coding standards (e.g., MISRA C, CERT C) to enhance software security.
Risk Assessment and Management:
ISO/SAE 21434 incorporates Threat Analysis and Risk Assessment (TARA) to evaluate cybersecurity risks. It provides a structured approach to identify vulnerabilities and apply appropriate mitigations.
Acknowledging that cybersecurity may be compromised at some point, the standard mandates post-production activities, including Vulnerability Management and Incident Response, to monitor and address cybersecurity breaches.
Why ISO 21434 Matters for Automotive Developers
ISO/SAE 21434 is a pivotal standard that matters for automotive developers because it provides a comprehensive and structured framework to address cybersecurity challenges, ensuring the safety and security of modern vehicles throughout their lifecycle.
Compliance with ISO/SAE 21434 is mandatory for automotive manufacturers. Compliance with this standard ensures that automotive developers meet evolving regulatory requirements related to cybersecurity.
By adhering to ISO/SAE 21434, developers can systematically identify, assess, and mitigate cybersecurity risks, reducing the likelihood of breaches that could lead to financial losses, damage to reputation, and safety risks.
Consumer Trust and Market Competitiveness
Following ISO/SAE 21434 enhances consumer trust by demonstrating a commitment to cybersecurity. With the increasing concerns about the security and privacy of connected vehicles, adhering to recognized standards can set vehicles apart in the market.
Collaborative Industry Approach
ISO/SAE 21434 reflects a collaborative effort between international standardization bodies and industry experts. This collective approach ensures that the standard benefits from diverse perspectives and expertise, contributing to a safer and more secure automotive landscape.
How Can Automakers Comply With ISO 21434 Easily?
ISO 21434 has significantly impacted automotive development teams, shaping their approach to cybersecurity, risk management, and the overall development lifecycle of connected vehicles.
The best way to comply with the regulation is to bring a comprehensive approach to security testing with automated tools and holistic security processes. Recent trends in automotive security further emphasize the need for a holistic approach, including an increase in remote Common Vulnerabilities and Exposures (CVEs), a shift in focus towards peripheral vehicle components over the Controller Area Network (CAN Bus), and the prevalence of automotive weaknesses on industry-standard lists like SANS Top 25 and OWASP Top 10.
ISO 21434 with Mayhem
To effectively mitigate risks, organizations in the automotive sector must shift their focus from automotive-specific cybersecurity practices, such as CAN Bus fuzzing, to prioritizing the security of all software within and around vehicles. Recognizing this shift, our comprehensive app and API security testing solution, Mayhem, aligns seamlessly with the key areas of ISO 21434.
Mayhem goes beyond mere compliance, focusing on comprehensive security coverage. Developed by professional hackers, Mayhem generates and executes thousands of tests per minute, identifying defects in code often missed by static analysis. Self-learning algorithms continuously expand test coverage, ensuring a thorough examination of your code.
To learn how to achieve ISO 21434 compliance and comprehensive automotive security coverage with Mayhem, get in touch with our team or download our guide.