What is ISO/SAE 21434?
ISO/SAE 21434 is a standard for automotive cyber security. The aim of the standard is to create industry-wide agreement on important cyber security issues and to ensure that the entire supply chain has processes that support a security by design approach. The standard applies to road vehicles including their components, connections and software.
The standard considers the entire development process and life cycle of a vehicle. The standard also follows the V-model. Security aspects must be taken into account in all phases of this process.
In order to manufacture a secure vehicle, a security-aware requirements analysis and product specification are required. ISO/SAE 21434 will not recommend any specific security technologies or solutions for countermeasures. Instead, the standard recommends the execution of a structured threat analysis and risk assessment. This includes the determination of the protection needs in an iterative process.
Why is ISO/SAE 21434 important?
Safety has long been an integral part of the development process in the automotive industry. The concept is understood and implemented throughout the entire supply chain. That’s why most people today consider their vehicles to be safe.
But as vehicles become increasingly networked and autonomous, new dangers arise. Vehicles have more and more external interfaces such as Wi-Fi, Bluetooth, GSM or USB. This makes them vulnerable to cyber attacks. If these interfaces are attacked, the result can be not only high material damage but also serious danger to the occupants.
As these risks are not covered by existing safety norms, the new ISO/SAE 21434 with its new guidelines and standards for automotive cyber security is very important!
When will the standard be released?
The first draft of the international standard ISO/SAE 21434 can be purchased here. The final standard is expected to be released in 2020.
How to implement ISO/SAE 21434
One of the most important steps defined in the standard is to determine the security risk-level of a vehicle and its components.
In the safety domain, a hazard and risk analysis (HARA) is carried out for risk assessment purposes. TARA is the corresponding acronym for this in the security domain. TARA stands for “Threat Assessment and Remediation Analysis” or “Threat Analysis & Risk Assessment”.
During a security risk assessment, assets and potential damages as a result of a violation of security properties must be identified. Potential threats, attacks and vulnerabilities must be identified and analyzed. Risk levels can be determined based on damage scenarios and the likelihood of successful attacks. Countermeasures must then be applied until the remaining risk level is acceptable.
The important steps and results of the risk assessment process, such as asset lists, damage scenarios, attack reports or risk reports, must also be documented in reports.
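The assessment loop described above, as an added example that is not part of the original article, the standard or any tool: each threat ties an asset to a damage scenario, risk is derived from impact and likelihood, and countermeasures are applied until the remaining risk is acceptable or none are left. The 1-4 scales, the impact-times-likelihood rating, the acceptance threshold and all sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed: 1-4 ordinal scales, risk = impact * likelihood, threshold 4 (none are from the standard).
ACCEPTABLE_RISK = 4

@dataclass
class Threat:
    name: str
    asset: str
    damage_scenario: str
    impact: int          # 1 (negligible) .. 4 (severe) damage if the scenario occurs
    likelihood: int      # 1 (very low) .. 4 (high) likelihood of a successful attack
    applied: list = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood

def assess(threats, catalogue):
    """Apply countermeasures per threat until residual risk is acceptable; return the risk report."""
    report = []
    for t in threats:
        initial = t.risk
        # Assumed: a countermeasure only lowers likelihood; try the strongest one first.
        options = sorted(catalogue.get(t.name, []), key=lambda c: -c[1])
        for name, reduction in options:
            if t.risk <= ACCEPTABLE_RISK:
                break
            t.likelihood = max(1, t.likelihood - reduction)
            t.applied.append(name)
        report.append({"threat": t.name, "asset": t.asset, "initial": initial,
                       "residual": t.risk, "countermeasures": list(t.applied),
                       "accepted": t.risk <= ACCEPTABLE_RISK})
    return report

def sample_threats():  # constructed sample data
    return [
        Threat("Message injection over Bluetooth", "Brake control messages", "Unintended braking", 4, 3),
        Threat("Firmware tampering over USB", "Infotainment firmware", "Loss of software integrity", 3, 4),
        Threat("Position tracking over GSM", "Vehicle position data", "Loss of driver privacy", 2, 4),
    ]

CATALOGUE = {  # constructed: threat name -> [(countermeasure, likelihood reduction)]
    "Message injection over Bluetooth": [("Message authentication", 2)],
    "Firmware tampering over USB": [("Disable USB debug access", 1), ("Signed firmware updates", 2)],
    "Position tracking over GSM": [("Minimise transmitted position data", 1)],
}

if __name__ == "__main__":
    print(*assess(sample_threats(), CATALOGUE), sep="\n")
```

The third sample threat ends with `accepted: False`: its only countermeasure leaves the residual risk above the threshold, so it stays open in the report and needs further treatment in the next iteration.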
A suitable tool for implementing ISO/SAE 21434 is the YAKINDU Security Analyst, developed by Itemis AG. With this tool, a security risk assessment can be carried out in a model-based way. This has the advantage that already existing structural and functional models can be used to determine assets, damages, vulnerabilities and threats.
Be immediately ready for ISO/SAE 21434 with the Security Analyst!
Contact us now if you are interested or have further questions.