
ISO/SAE 21434 – “Road vehicles – Cybersecurity engineering”

Summary


ISO/SAE 21434: The new automotive cybersecurity standard

Cars are capable of more and more every day. What was regarded as a work of engineering art many years ago is gradually becoming a computer on wheels with an incredible range of capabilities, up to fully autonomous driving in the future. This makes life easier for many people, but it also increases exposure to cyber-attacks, since more technology means more interfaces.

As of July 2022, the ISO/SAE 21434 standard is to be introduced worldwide.

ISO/SAE 21434 is the new security standard for cyber security in vehicles, valid since September 31, 2021, and aims to defend the entire automotive industry against hacker attacks from the beginning of the supply chain, through actual use, to safe scrapping. The aim is to prevent the loss of highly sensitive data as well as life-threatening scenarios.

With over-the-air updates, infotainment, and integration of mobile devices and cloud-based services, the connected vehicle offers a driving experience with the latest in safety, autonomy, and driver comfort. Robust cybersecurity measures must be integrated into all aspects of vehicle design to protect critical functions and back-end networks that serve them from cyberattacks.

Safety leads to new opportunities

As all aspects of technology become more interconnected, adequate protection against cyber threats becomes increasingly important. Robust cybersecurity measures are needed to prevent attackers from using interconnectivity to move through devices and systems undetected and unchecked. Trusted products and a mature security organization help vehicle manufacturers protect their vehicles against cyberattacks. In this way, connectivity and autonomy become an opportunity for business and society rather than a threat.

Details

Cybersecurity regulations

An automotive-specific standard for functional safety, ISO 26262, has existed since November 2011, and ISO/SAE 21434 now represents a much more comprehensive evolution of it. Because the SAE (Society of Automotive Engineers) already had a similar standard in the USA, SAE J3061™, which was not to be discontinued completely, the first major collaborative project between SAE and the ISO (International Organization for Standardization) came about. This is the origin of the name ISO/SAE 21434.

The standard was developed to protect the car in its entirety from attacks, from the first step of production to the point of scrapping. To give hackers no chance, every security vulnerability must be closed by a patch within a few hours or a few days at the latest. According to previous experience, the most sensitive parts are the interfaces to the external world, such as Bluetooth, Internet, USB, sensors and cameras. However, the best-known approach is to crack the keyless technology and gain access to the vehicle. Hackers exploit every possible loophole they can find.

The consequences of these attacks range from simply lowering the vehicle’s odometer reading, to immobilizing the car or stealing it, to installing malware that takes over the vehicle’s controls or disables anything from individual functions to the entire device.

The standard provides internationally uniform definitions for weak points and vulnerabilities, since these must be verified. It sets out minimum criteria and serves as a guideline on which OEMs or suppliers can base their work. The standard is not mandatory, but in case of doubt it still determines liability: manufacturers that do not follow it face a reversed burden of proof and must prove that they are not at fault. Companies will therefore have to adapt their production to the requirements of ISO/SAE 21434 in order to deal successfully with future legal disputes and to fully safeguard the data and security of end customers.

Cybersecurity regulations

The new UN R155 automotive regulation for cybersecurity is another step toward improving cybersecurity. The regulation was adopted in 2020 by WP.29 of the United Nations Economic Commission for Europe (UNECE), also known as the World Forum for Harmonization of Vehicle Regulations. Under UN R155, vehicle manufacturers can only obtain vehicle type approval and sell new vehicle types if they have a certified cybersecurity management system (CSMS).

The impact on older components

It’s important to emphasize that the standard does not mean OEMs should tear apart existing systems and remove old components at will. They must analyze automotive systems and determine whether their components meet the relevant safety criteria. This analysis will prove easier with new, compliant components. Existing off-the-shelf components must be evaluated for their suitability to identify and close potential security gaps. Given the large number of electronic components used in a new car from both Tier 1 and Tier 2 suppliers, responsibility is shared, with implications spanning the entire supply chain.


Written by Carmupedia Editorial Office
