ISO/SAE 21434: Setting the Standard for Automotive Cybersecurity

FAY GOLDSTEIN

Communications Manager

May 3, 2020

Understanding the ISO/SAE 21434 draft standard and Upstream Security’s solutions for effective compliance in the realm of automotive cybersecurity.

Why was this automotive SAE cybersecurity standard needed?

As the automotive world shifts toward connected cars and smart mobility, an added element of vulnerability arises, namely, the threat of cyber-attacks. Because automotive cybersecurity is a new and evolving field, traditional automotive safety and security standards have not sufficiently covered the topic of cybersecurity. Therefore, to tackle cybersecurity threats and this additional concern for the security and safety of drivers, OEM’s, Tier 1 suppliers, and others, have often taken individual (if any) approaches. Unfortunately, an individual approach does not suffice; with the growth, prevalence, and sophistication of cyberattacks, the need arose to establish specific guidelines and standards for automotive cybersecurity.

In 2016, SAE International, the professional association and standards developing organization for engineering professionals, and ISO, the International Organization for Standardization, an international standard-setting body composed of representatives from various national standards organizations, came together to tackle this issue of setting industry standards related to automotive cybersecurity.

Both organizations had individually worked on automotive safety and security related standards in the past; ISO 26262 had previously set functional safety standards and SAE J3061 set the foundation for cybersecurity standards. When both organizations realized they had a common goal, they came together with OEMs, ECU suppliers, cybersecurity vendors, and governing organizations, and with more than 100 experts from more than 82 companies based in over 16 countries, a joint working group was established to compose a deep and effective global standard for automotive cybersecurity. Using four main working groups focusing on risk management; product development; production, operation, maintenance, and decommissioning; and process overview, the ISO/SAE 21434 draft was born.

The need for this standard was clear:

First, common cyber-related terminologies to be used in the automotive industry were needed. In the past, the many different terms being used caused difficulty in understanding cyber-risk and how to mitigate it. Second, criteria for effective cybersecurity in a vehicle was also needed; prior to the ISO/SAE 21434 standard, there was never a definition of what “sufficient cybersecurity” meant. Third, while there were advanced and accepted standards for automotive safety, where the concept of ASIL (Automotive Safety Integrity Levels) was understood and applied, there was no complementary cybersecurity standard definition, as proprietary levels of cybersecurity assurance differed company-by-company. And finally, there needed to be a standardized reference for regulators to point to and use to enforce vehicle compliance ensuring that drivers of connected vehicles were kept safe and secure from cyber threats and attacks.


What falls within the scope of the cybersecurity automotive standard

ISO/SAE 21434, in draft form as of May 2020, is a baseline for vehicle manufacturers and suppliers to ensure that cybersecurity risks are managed efficiently and effectively. The standard was specifically developed to ensure the safety and security of the ultimate road-user/driver, and as such, the determinant levels of risk and corresponding cybersecurity measures are set based on the final impact on the driver.

The standard provides a standardized cybersecurity framework, establishes cybersecurity as an integral element of engineering throughout the lifecycle of a vehicle from the conceptual phase all the way through decommissioning, ensures that cybersecurity is considered in post-production processes (software updates, service and maintenance, incident response etc), and calls for effective methods of lessons learned, training, and communication-related to automotive cybersecurity.

More specifically, the scope of the standard includes:

  • Specific requirements for cybersecurity risk management
  • A cybersecurity process framework
  • Common language to help manufacturers and organizations communicate their cybersecurity risk

 

The benefits of the standard are obvious. ISO/SAE 21434 brings with it the potential for common terminology for the supply chain, industry consensus, a clear minimum criteria for vehicle cybersecurity engineering, cybersecurity driven into the vehicle design upfront, threat landscapes that are clearly defined, key references for regulators, and a new level of trust built between stakeholders.

Quite intentionally, ISO/SAE 21434 does not dictate specific cybersecurity technologies or solutions, mandates around remediation methods, or cybersecurity requirements for telecommunications systems, connected back-offices, EV chargers, or autonomous vehicles.

Rather, the standard heavily emphasizes risk identification methods and established processes to address the cyber-risks. As such, it dictates the standard, if a compromised back-office, charger, or autonomous vehicle leads to a direct risk to the road-user, it must be monitored, controlled, and mitigated. Upstream Security enables the relevant parties within the automotive ecosystem to identify the risk and respond as the standard requires.

What role does Upstream play in the implementation of the standard’s requirements for effective automotive cybersecurity?

Just as the ISO/SAE 21434 standard approaches the entire ecosystem related to the connected vehicle and not merely the vehicle itself, so too, Upstream analyzes the entire cybersecurity ecosystem of the connected vehicle through the automotive cloud for both on-board (in-vehicle) threats as well as off-board (back-end cloud telematics servers and services) threats.

 

Upstream aids OEMs, connected vehicle fleets, Tier 1 suppliers, and others to meet important aspects of the ISO/SAE 21434 standard through multiple verticals using Upstream C4 “Centralized Connected Car Cybersecurity” a cloud-based automotive cybersecurity platform leveraging and Upstream’s AutoThreat Intelligence, the first automotive cybersecurity threat feed in the industry. Specifically, Upstream provides solutions to help meet three primary requirements in the standard.

  1. Continuous Cybersecurity Activities (Clause 7) – Upstream offers constant and continuous monitoring of the cyber-threat landscape
  2. Defined Methods To Determine Cyber Risks (Clause 8) – Upstream C4 detects incidents in near real-time, automatically classifies them for severity and impact and triggers mitigation actions
  3. Cybersecurity Incident Response and Updates (Clause 13) – Upstream designed the C4 incident investigation module with full automotive contextual understanding, providing security analysts with the necessary information needed to perform incident root cause analysis.

To learn more on ISO/SAE 21434 and how Upstream can help you become compliant download our white-paper.

Newsletter Icon

Upstream’s 2024 Global Automotive Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

The GenAI Arms Race is Here

Listen to this blog Your browser does not support the audio element. The Automotive and Smart Mobility Ecosystem is entering a new era of GenAI,…

Read more

Upstream Participates in TISAX, Accelerating Customer Onboarding & Ensuring Data Protection

Listen to this blog Your browser does not support the audio element. In the fast-evolving landscape of the automotive industry, ensuring robust information security practices…

Read more

Revving Up Safety: UN Regulation R155 Now Covers Motorcycles

Listen to this blog Your browser does not support the audio element. On Jan. 26, the UNECE decided to include motorcycles, scooters, and electric bicycles…

Read more

NIS2 Directive’s Impact on the Smart Mobility Ecosystem

Listen to this blog Your browser does not support the audio element. The NIS2 Directive, expected to become mandatory in October 2024, aims to significantly…

Read more