Safety has been an integral part of the automotive development process for decades, and analyses such as FMEA (Failure Mode and Effects Analysis) and FTA (Fault Tree Analysis) or the ASIL (Automotive Safety Integrity Level) concept are standard practice. Many users therefore regard their vehicles as “safe”. Automotive security expert Daniel Angermeier explains which security aspects must be considered alongside safety in the future and what role the upcoming ISO/SAE 21434 standard will play in this context.

Mr. Angermeier, you have been involved in security engineering for many years and have carried out numerous projects in the automotive sector.

Are the established safety concepts and measures still sufficient today for a vehicle to be considered safe?

The existing concepts and measures are, of course, indispensable for vehicle safety. However, there is a trend towards ever greater networking in vehicles using embedded platforms. The control units used in this context can be attacked in the classic way. This means that safety needs to be accompanied by a consideration of security. The current safety standards can certainly not be replaced, because they are still very relevant and important, but they must be supplemented accordingly.

To what extent does this change future attack scenarios and the associated risks?

The core of the whole thing is that we have few isolated networks today. Especially through embedded products, we experience an ever stronger connection to the electronics of customers. This means one is more strongly networked externally and internally, and all this with devices that are potentially vulnerable. In addition, there are other scenarios, such as cyber-physical attacks, which can also be used to control actuators by means of received messages. Therefore, in addition to communication, the integrity of the systems used is also very important. In order to be able to react to such scenarios, it is important that systems are not only functionally safe, but also secure against such attacks, because a lack of security can also compromise safety. Of course, this can lead to conflicting safety and security requirements. Here it is necessary to find a common solution in order to be able to build a safe system in every respect.

The Draft International Standard (DIS) of ISO/SAE 21434 was published in February 2020. This is a standard for cybersecurity/information security for road vehicles.

How could this standard help with the treatment of security risks?

ISO/SAE 21434 is a standard that describes how security engineering should work in the automotive environment. It offers a relatively holistic view of the development and the life cycle of vehicles. Among other things, the standard focuses on the risk analysis and the development of secure concepts. This means that an implementation of ISO/SAE 21434 should help to systematically develop secure vehicles and then keep them secure throughout the entire life cycle of the vehicle. In addition, the standard gains further relevance as it is a recommendation from UNECE WP.29 (Working Party of the Inland Transport Committee (ITC) of the United Nations Economic Commission for Europe (UNECE) on Regulation on Cyber Security). This means that in future it will also be relevant for vehicle type approval that vehicles have been developed securely and that a security lifecycle exists within the company.

According to ISO/SAE 21434, which aspects are to be considered with regard to security risk assessment?

For the risk assessment as such, it is important to proceed systematically. In this process, possible damage scenarios should be derived in a structured manner, which can arise if security properties, i.e. properties of the assets in the system, are violated. It is also important to identify which threat scenarios exist and which attack paths can lead to these threats being implemented for threat scenarios where the risk cannot be accepted or treated otherwise. This corresponds to the procedure of the classical risk treatment, in order to determine which risks I can accept, where I can possibly transfer risks and, very strongly, of course, the question of safety-related risks, i.e. how can I prevent the damage from occurring at this point, namely by introducing additional security measures. Of course, there is always the possibility of avoiding a risk, for example by not implementing a particular vehicle function if you cannot get it safely. ISO/SAE 21434 specifies the framework for how the whole and which cornerstones exist for the risk analysis method.
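As an added illustration (not from the interview or the standard itself), the flow just described as a small Python model: damage scenarios derived from violated security properties of assets, threat scenarios with attack paths, and the treatment decision (accept, transfer, reduce by a security measure, avoid). The rating scales, the combination rule and the thresholds are assumptions for illustration, not the normative tables of ISO/SAE 21434.

```python
from dataclasses import dataclass, field, replace

@dataclass
class AttackPath:
    steps: list           # abstract steps needed to realise the threat
    feasibility: int      # assumed scale: 1 (very hard) .. 4 (easy)

@dataclass
class ThreatScenario:
    asset: str
    violated_property: str       # security property of the asset, e.g. "integrity"
    damage_scenario: str         # what happens when the property is violated
    impact: int                  # assumed scale: 1 (negligible) .. 4 (severe)
    safety_related: bool
    attack_paths: list = field(default_factory=list)
    measures: list = field(default_factory=list)

def risk_level(ts):
    """Assumed combination rule: impact times the easiest known attack path."""
    feas = max((p.feasibility for p in ts.attack_paths), default=1)
    return ts.impact * feas

def treatment(ts):
    """Map a risk to one of the options named above (thresholds are assumptions)."""
    r = risk_level(ts)
    if r <= 4:
        return "accept"
    if r == 16 and ts.safety_related:
        return "avoid"            # do not implement the function as designed
    if not ts.safety_related and r <= 8:
        return "transfer"         # e.g. contractually to a supplier or operator
    return "reduce"               # introduce an additional security measure

def apply_measure(ts, measure, new_feasibility):
    """Re-rate every attack path after a measure; returns a new scenario."""
    paths = [replace(p, feasibility=min(p.feasibility, new_feasibility))
             for p in ts.attack_paths]
    return replace(ts, attack_paths=paths, measures=ts.measures + [measure])

def constructed_example():
    """Constructed scenario: forged actuator command over the in-vehicle network."""
    ts = ThreatScenario(
        asset="brake actuator command", violated_property="integrity",
        damage_scenario="unintended braking while driving", impact=4,
        safety_related=True,
        attack_paths=[AttackPath(["reach in-vehicle network via connected ECU",
                                  "send forged actuator message"], feasibility=3)])
    before = treatment(ts)                                   # "reduce"
    hardened = apply_measure(ts, "message authentication on actuator commands", 1)
    return before, treatment(hardened), hardened.measures    # ("reduce", "accept", [...])

if __name__ == "__main__":
    print(constructed_example())
```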

How can ISO/SAE 21434 generally be integrated into existing processes?

In the end, I believe it is important to understand which lifecycle phases the ISO/SAE 21434 standard works with, to map how these lifecycle phases are set up in the company, and whether they have been implemented. Then the great art is actually to let security run parallel to the other activities and to identify possible synchronization points. The resulting work products of the activities required by the ISO standard must then be integrated into the development milestones and the later lifecycle.

The interview was conducted in March 2020. The ISO/SAE 21434 standard is also expected to come into force this year.