What's technically inside the ISO/SAE 21434 ?

As the DIS of the ISO21434 is finally available. This is a collection of the insights and discussions we had while reading it. Read now inside the ISO/SAE 21434.

What's this about?

If you are unsure about what ISO21434 is and which role it plays for you, we’ve written an overview so that you can get onboard:

Relevance of ISO21434

Work Products

The DIS of ISO21434 distinguishes the three kinds of product phases concept phase, development phase, and operation phase. The general endeavor of performing a TARA is described in chapter 8. The concept phase, as described in chapter 9, consists of defining the item (9.3 Item Definition), finding Cybersecurity Goals (section 9.4) and bundling them into a whole Cybersecurity Concept (section 9.5). The major part of identifying Cybersecurity Goals is to invoke the TARA that is described in chapter 8.

The main steps when performing an ISO21434-conform TARA are (in order of an idealized linear execution):

  • Item Definition (section 9.3)
  • Asset Identification (section 8.3)
  • Threat Scenario Identification (section 8.4)
  • Impact Rating (section 8.5)
  • Attack Path Analysis (section 8.6)
  • Attack Feasibility Rating (section 8.7)
  • Risk Determination (section 8.8)
  • Risk Treatment Decision (section 8.9)
  • Cybersecurity Goals [RQ-09-07]
  • Cybersecurity Claims [RQ-09-08]
  • Cybersecurity Concept (section 9.5)
Dependencies of TARA according to ISO21434 are visible

Insights

As this place is a living document, we are continuously adding the questions and discussions that arise. Here you go with some of them.

Changes from SAE and ISO 21434 DIS to Final

We compared the SAE and ISO 21434 DIS to its final and collected what we consider the most relevant changes for TARA activities. Read more…

ISO/SAE 21434 is public now

ISO/SAE 21434 was published, woohoo! On the iso.org website, you can buy it for about 183€. Read more…

ISO/SAE 21434 has entered the final approval stage

ISO/SAE 21434 has entered stage 50.00 of the ISO process on 2021-03-09. This means that the committee has fully written and finalized the document. Read more…

Summary presentation of 21434 at the GENIVI Tech Summit

The GENIVI Alliance held a technical summit on a virtual base on May 12-14, 2020. On the 14. at 10:45 CEDT, we presented a summary on how to run ISO21434-conformant projects in practice. Read more…

How to identify relevant Assets according to ISO21434?

In Clause 8.3, the DIS of ISO21434 allows to enumerate the relevant assets with a variety of methods. As examples, it suggests to enumerate them by their impact rating, or threat scenarios, or even using predefined catalogues. Read more…

How to deal with new vulnerabilities according to ISO21434?

An organization that adheres to the DIS of ISO21434 is supposed to continuously monitor cybersecurity information from external and internal sources [RQ-07-01]. It will then decide whether or not to trigger a cybersecurity event, which starts a vulnerability analysis that will eventually initiate according risk treatments. Read more…

How does ISO21434 relate to ISO31000?

ISO21434 requires ISO31000 to be fulfilled (Source: Requirement RQ-05-10 in Clause 5). Their use of vocabulary is naturally compatible, with minor differences on the two terms risk and stakeholder. First, ISO31000 includes positive consequences in a “Risk”, which ISO21434 does not. Read more…

How are risks determined according to ISO 21434?

Clause 8.8 of the DIS of ISO21434 determines the risk level value based on impact ratings (IRs) and attack feasibility ratings (AFRs). The IR results from combining the IRs from each described damage scenario (result of Clause 8.5). Read more…

What are Security Goals according to ISO21434?

Cybersecurity goals are security requirements that are identified in the concept phase of a product. Each goal is associated with one or more Threat Scenarios. They are part of the security concept that is supposed to be implemented in the development phases. Security goals are created based on the risks that have been decided to be reduced. The risks and their treatment decisions (such as reduction) are the major outcome of the TARA. Read more…

Where is the System Modeling in ISO21434?

The DIS of ISO21434 has the name “item” for the target system under evaluation. It uses that term in compliance with ISO26262, which is describing the safety-equivalent of ISO2143. Read more…

Where are the Controls in ISO21434?

The DIS of the ISO21434 considers controls as artifacts that are yielded in the development-phase of a product. In the concept-phase, they are rather called Cybersecurity Goals, which don’t describe the concrete implementation yet. Later when digested they will turn into Cybersecurity Requirements. Read more…

How do SAE J3061 and SAE 21434 relate?

SAE 21434 is intended to cancel and supersede SAE J3061. J3061 related security and safety processes to each other. Read more…

An example ongoing Activity

Jordan from Reciprocity labs tells us, why Vulnerability Scanners are a major security tool.

Vulnerability Scanners

How about Hardware?

Let’s not underestimate how relevant this is for the development of hardware, and here is why…

Hardware Development

How could such process look like?

We’ve been giving a couple of presentations on how we interpret the ISO/SAE 21434 to be practically carried out.

Here is an 8min video on the itemis SECURE (we might be biased, as we’re developing it).

Here is a more detailed walk through the ISO/SAE 21434 Annex G example, first as in the ISO, then with tool support (1h44min):

Here is a presentation on how the openXSAM.io initiative aims to establish an open exchange format for cybersecurity risk assessments to transfer data across tools, teams and organizations to implement ISO/SAE 21434. (1h 36min)

As part of the research project SecForCARs, we looked at how to bring security and safety teams into mutually supporting each other without entangling their processes. This talk was presented at the RESS’21 workshop on the ISSRE’21 scientific conference (15min).

Author Bastian Kruck secure@itemis.com

Let’s Discuss