ISO/SAE 21434 and UNECE WP.29
The development of automobiles is characterized by 3 major trends: digitalization, networking, and the development of autonomous vehicles. While safety processes are established and mature, each of these three trends imposes the need for rich cybersecurity processes.
Currently several automotive security standards and norms are in creation. From 2020 and 2021, they will become relevant for all modern OEMs and suppliers. Particularly relevant standards will be ISO/SAE 21434 (Road vehicles – Cybersecurity Engineering) and UNECE WP.29 (Regulation on Cybersecurity).
The standard is developed in cooperation between ISO and SAE and thus has a broad international basis.
ISO/SAE 21434 (Road vehicles – Cybersecurity Engineering) pursues several objectives. In particular, the standard for the automotive industry
- create a uniform terminology for cybersecurity engineering
- define minimum requirements for processes and activities in cybersecurity engineering
- promote cooperation between the parties involved in the value chain
- and thus overall describe the “state of the art” of cybersecurity engineering.
The ISO/SAE Joint Working Group (JWG) is divided into individual project groups (PG) dealing with the topics “Risk Management”, “Product Development”, “Operations and Maintenance” and “Overview and Interdependencies”.
ISO/SAE 21434 shall be applied to vehicles and their subsystems, components, connections and data. Hardware and software are considered. The aim is to establish a structured process for all participants in the value-added process and to firmly anchor the topic of security in the design process.
What is not specified by the standard are explicit recommendations for encryption technologies or other implementation approaches of concrete solutions.
Motivated by the goal of establishing “Security by Design“, the Security Risk Analysis fulfills a special role in ISO/SAE 21434 by determining security risk levels at the level of the vehicle and its individual components. The manufacturer has to prove that appropriate risk levels are achieved.