Vehicle safety has been a matter of intense cybersecurity discussion, given the evident increase in known threats and vulnerabilities. While there are technological innovations in cybersecurity for the automotive industry, automotive vehicle and component manufacturers have long drawn guidance from:
- Guidelines like SAE J3061,
- Standards like ISO 26262 – a functional safety standard with links to cybersecurity and references to IEC 62443
- Automotive SPICE Process Assessment Model
- AUTOSAR reference architecture
The ISO 21434 standard, which is expected to be released in 2020, will become the first global automotive cybersecurity standard, paving the way for a more consistent means of managing cybersecurity across the automotive ecosystem. While ISO 21434 may not completely replace the guidance that some of the existing standards and frameworks have been providing, it will help bring cybersecurity engineering rigour into the lifecycles.
ISO 21434 would stand out in two respects:
1) Its focus on challenges unique to the automotive industry: safety rigour, management of a long lifecycle, and the use of embedded systems, software and applications for navigation, entertainment and safety.
2) Its support for the industry in defining a common terminology for use throughout the supply chain and setting the minimum viable criteria for cybersecurity engineering. Additionally, it would help the industry raise awareness of key cybersecurity issues, with consensus on measures to address them.
While ISO 21434 is a principles-based standard and is not prescriptive of the countermeasures and technologies to be used, it brings into focus some key cyber risk management principles:
- Reasonable - being reasonable and pragmatic around securing systems and components
- Due diligence - ability to demonstrate that due care and due diligence are exercised in the production cycle
- Engineering - cybersecurity by design into the production lifecycle
- Risk-Based Approach - prioritisation of risk and remediation measures for impact
- Common Taxonomy - consistent way to report and measure cyber risk amongst stakeholders in the ecosystem
- Lifecycle approach - manage cybersecurity activities/processes for all phases of the lifecycle:
  - Design and Engineering, Production, Operation by Customer
  - Maintenance and Service, Decommissioning
The standard advocates the use of a Cybersecurity Assurance Level (CAL), where the CAL would indicate the required level of cybersecurity process rigour. While the CAL is informational, the methodology for determining the CAL would be defined in ISO 21434.
Given that ISO 21434 is a standard to be applied to many types of assets with varying levels of criticality, applying all requirements of the standard in all cases is neither appropriate nor feasible (the "Reasonable" principle). The CAL therefore provides the means of calibrating the effort and cost of implementing the cybersecurity engineering process requirements, and communicates these requirements clearly throughout the supply chain.
In this context, ISO 21434 is expected to be a vital component of cybersecurity engineering and risk management programs for organizations and stakeholders across the automotive ecosystem in the coming years.
How can TUV Rheinland Industrial Cybersecurity help:
Our deep cybersecurity expertise, coupled with our strong heritage in functional safety, can provide guidance on the implementation of ISO 21434 for automotive Tier 1 suppliers and OEMs. Our cybersecurity consultants, with cross-industry expertise, are uniquely positioned to provide advice on engineering cybersecurity by design in accordance with the principles of ISO 21434 to create a resilient and robust cyber risk management program.