Safety has been an integral part of the automotive development process for decades. Performing FMEAs (Failure Mode and Effects Analysis) and FTAs (Fault Tree Analysis) has been part of every automotive development process. The concept of ASIL levels (Automotive Safety Integrity Levels) is well understood and consistently applied in the supply chain. As a result, today most drivers consider their vehicles “safe”.
But what measures need to be taken with regard to security? What do you as a developer in the automotive sector have to consider in the future?
Which dangers are imminent?
With the advent of highly networked and (semi-)autonomous vehicles, cars today are increasingly exposed to cyber-attacks. Through the integration of multiple interfaces such as WLAN, Bluetooth, LTE or USB, vehicles have become “networked computers on wheels”. Combined with autonomous driving functions and a life span of 10 years or more, cars are vulnerable to hacking activities. If these interfaces are attacked, not only high material damages can occur but also a high danger for the occupants.
ISO/SAE 21434 – the solution to the problem?
One thing is certain: the resulting risks cannot be covered by the existing security standards.
But how can ISO/SAE 21434 help?
The purpose of the norm is to ensure that OEMs and all participants in the supply chain have structured processes in place that support a “Security by Design” process. The norm applies to road vehicles including all their components, connections and software. The importance of secure hardware development should not be underestimated!
ISO/SAE 21434: road vehicles – cybersecurity engineering
Launch of an international standard to establish a security lifecycle in theautomotive environment
ISO/SAE 21434 describes the security engineering process in the automotive environment. Due to the trend towards ever greater networking of vehicles and the focus on embedded platforms, attack scenarios are emerging that were previously more familiar from the classic IT environment. The planned standard is therefore aimed at securing the systematic development of safe vehicles and maintaining this security throughout the entire vehicle life Cycle.
For more information about the upcoming standard, see the interview with security expert Daniel Angermeier (Fraunhofer AISEC).
Similar to ISO 26262, the new ISO/SAE 21434 looks at the entire development process and life cycle of a vehicle. It follows the V-model. During all phases, including requirements engineering, design, specification, implementation, test, and operations, security aspects need to be taken into consideration.
It must be ensured that the production of a safe vehicle requires a safety-conscious requirements analysis and a corresponding design and product specification.
However, if you are hoping for specific recommendations of security technologies or appropriate countermeasures by ISO/SAE 21434, we must disappoint you, as these will not be part of the standard. Instead, it is recommended that you conduct a structured threat analysis and risk assessment.
When will the standard be released?
The first draft of the international standard ISO/SAE 21434 was published in February 2020 and can be purchased here. The final standard is expected to be released in 2020.
How can you implement ISO/SAE 21434 in your process?
Determining the security risk level of a vehicle and its components will be one of the key activities defined in the standard.
Which points should be considered in a security risk assessment:
- Identification of assets and potential damage resulting from a breach of security features
- Identification and analysis of possible threats, attacks and vulnerabilities
- Determination of risk levels based on damage scenarios and the probability of successful attacks
- Take countermeasures until the remaining risk is acceptable
- Documentation of the important steps and results of the risk assessment process, such as asset lists, damage scenarios, attack reports or risk reports
IT-Security in the automotive industry | ISO 21434
A suitable tool for the implementation of ISO/SAE 21434 is the YAKINDU Security Analyst, which was developed by itemis. With the help of this tool, a model-based security risk assessment can be carried out. This has the advantage that already existing structural and functional models can be used to determine assets, damages, vulnerabilities and threats.
Be ready for ISO/SAE 21434 with the YAKINDU Security Analyst!
Contact us now if you are interested or have further questions.