The international standard ISO/SAE 21434:2021 defines requirements for cyber security risk management in the design, development, production, operation, maintenance and decommissioning of E/E systems (electrical and electronic systems) in vehicles. It thus covers the entire life cycle of vehicle components – from development to production, operation and maintenance to decommissioning. 

The standard was developed jointly by the International Organisation for Standardisation (ISO) and the Society of Automotive Engineers (SAE) and published in August 2021. Regular updates are planned to take account of current technological and threat-related developments. 

Content

  • What is the aim of ISO/SAE 21434?
  • What does the standard apply to and who does it affect?
  • A brief overview of the content
  • What approach does the standard take?
    • TARA – Threat Analysis and Risk Assessment
  • Regulatory context
  • Sources of supply
  • Support for the development and operation of cyber-secure vehicle components

With increasing connectivity (infotainment, telematics, vehicle-to-everything, etc.), the cyberattack surface of vehicles is growing. Vulnerabilities in control units, insecure interfaces and update processes (over-the-air updates) as well as weak authentication processes enable remote hijacking or the introduction of malware. Cyber attacks on motor vehicles not only pose a serious threat to the safety of vehicles, drivers and the environment, but also to the protection of data collected by the vehicle (e.g. movement data, etc.).

ISO/SAE 21434 aims to minimise such cyber threats. To this end, the standard focuses primarily on cybersecurity processes, a common language for communication and the management of cybersecurity risks.

ISO/SAE 21434 applies to all electrical and electronic components (hardware, software and communication interfaces) in mass-produced road vehicles. Replacement parts and accessories are also covered by the standard. However, it does not apply to external systems outside the vehicle, such as servers for off-board diagnostics or charging infrastructure systems. ISO/SAE 21434 therefore applies to all automotive manufacturers, suppliers and companies involved in the design, development or maintenance of electrical and electronic vehicle systems.

The content and approach of ISO/SAE 21434 are similar in relevant aspects to the ISO 26262 standard, which deals with the functional safety of electrical and electronic systems in motor vehicles. Both standards begin with a systematic hazard and risk analysis, then set protection goals and define measures for risk minimisation.

  • Chapters 1-3: Foreword, normative references, terminology
  • Chapter 4: General overview of cybersecurity risk management 
  • Chapter 5: Cybersecurity management of the organisation
  • Chapter 6: Cybersecurity management of projects
  • Chapter 7: Cooperation between suppliers and customers (service interface agreement)
  • Chapter 8: Continuous cybersecurity activities 
  • Chapter 9: Cybersecurity concept
  • Chapter 10: Definition of requirements and tasks in product development
  • Chapter 11: Validation at the level of the complete vehicle
  • Chapter 12: Requirements for production
  • Chapter 13: Response to cybersecurity incidents, update measures
  • Chapter 14: Procedure for termination of support, preparations for decommissioning
  • Chapter 15: Methods for threat analysis and risk assessment (TARA)

The appendix contains various examples (e.g. on cybersecurity culture in companies), checklists and assessment criteria (e.g. on the cybersecurity relevance of the system, the vulnerability of a component or the feasibility of an attack) as well as examples for creating a threat and risk analysis (TARA). 

As mentioned above, ISO/SAE 21434 uses proven methods and structures from ISO 26262 and applies them to the field of cybersecurity. It takes a systematic, risk-based approach that covers the entire product life cycle. It also describes measures for organisational anchoring.
Basically, companies must set up a cybersecurity management system (CSMS) to control organisational and project-related cybersecurity activities. When developing components and systems, it is required to first carry out a systematic threat and risk analysis to identify, assess and treat cybersecurity risks. Specific security objectives and requirements are then derived from the risk assessment and a security concept is developed that describes both technical and organisational measures. In addition to the development processes, production, operation, maintenance and decommissioning are also taken into account – for example, the involvement of suppliers and partners in security processes or continuous vulnerability management, update processes and incident management.

TARA – Threat Analysis and Risk Assessment

The standard requires a ‘Threat Analysis and Risk Assessment’ (TARA) to be carried out in order to identify cyber risks in the vehicle at an early stage and derive appropriate protective measures.

  • The threat analysis involves the systematic identification of potential threats that could compromise the cyber security of connected vehicles. This involves analysing possible attack vectors, vulnerabilities and potential attack scenarios.
  • Risk assessment focuses on evaluating and prioritising the identified threats and their potential impact on security.

The results of the TARA form the basis for the development and implementation of effective cybersecurity measures throughout the entire product life cycle.

ISO/SAE 21434 provides companies with a structured framework for introducing a CSMS (cybersecurity management system), which is required of automotive manufacturers by the European Union in Regulation UN/ECE No. 155. This regulation has been in force since 1 July 2024 for the type approval of motor vehicles, which includes, among other things, the examination of the applicant's risk assessment and process documentation.

ISO/SAE 21434 can be purchased from the International Organisation for Standardisation or DIN Media

Our security experts have in-depth experience in identifying, assessing and protecting against potential threats in the automotive environment. Based on decades of development work for safety-oriented embedded systems, NewTec has developed a structured process to support companies in comprehensively securing their products and production environments.

We support car manufacturers and suppliers with comprehensive advice on security management processes in accordance with ISO/SAE 21434 and TARA training courses. We are your partner for structured safety and security risk assessment (including patch and update systems) and secure system integration.

Questions? Contact us: Contact.
Or call us on +49 7302 9611-0.

 

This might interest you:

Your contact person


Stephan Strohmeier

Head of Safety & Security Solutions