Automotive cyber security standards: ISO/SAE 21434 and more

The automotive industry is one of the victims of the extremely rapid onset of the digital age. For a few decades, the car computer was just a fancy name for a very simple electronic control unit (ECU) monitoring the engine. The road vehicle would run fine with the computer turned off, it would just be less fuel-efficient.

That is no longer the case in the age of connected cars and, especially, fully autonomous vehicles. Today, we have cars with many advanced electronic systems – lights that adjust to road conditions, self-parking systems, advanced cruise control, all the way to vehicles that run by themselves with no need for a driver at all. Your car can no longer run without a computer. And if the computer goes awry, for example, as a result of a cyberattack, it can have severe consequences both for the driver and for everyone else on the road.

Are connected cars under threat of cyberattacks?

Since the connected vehicle concept is relatively new, malicious hackers are yet to exploit it en-masse, and the impact of cyberattacks is much lower than in the case of other applications of computer technology such as websites, mobiles, and IoT. However, be not mistaken; such attacks were already proven possible. While such cases are not yet making headlines due to their limited impact, it’s only a matter of time before malicious actors, such as those working for hostile governments, start seeking ways to eliminate people by steering their connected cars into canyons.

The more functionality and connectivity we introduce into the connected vehicles ecosystem, the easier it is to hack into connected cars. Vehicles and their electronic modules already need regular software updates, which could be delivered over the air instead of over cable, through publicly accessible Wi-Fi or a mobile network. Such update mechanisms sound like perfect interfaces for an attacker to exploit.

While it is amazing how quickly the industry has developed in such a short time, it made the same mistake as many other quickly developing industries – vehicle manufacturers often didn’t stop to think enough about every aspect of cybersecurity, and even if they did, they had very little guidance and the approach was not unified.  The last two years, however, have seen a lot of improvement in this scope thanks to the development of the global standard – ISO/SAE 21434 and the UNECE WP.29 requirements. These standards cover the most important cybersecurity requirements when it comes to the automotive industry – those concerned with vehicle safety itself.

Overview of ISO/SAE 21434

The ISO/SAE 21434 international standard, released in August 2020, was developed together by the International Organization for Standardization and SAE International (formerly known as the Society of Automotive Engineers). While this is a completely new standard, it was inspired by older ones: ISO 26262 for functional safety and SAE J3061 for cybersecurity. It represents the common language of organizations concerned with vehicle cybersecurity risk management. Its introduction was welcomed with open arms by all stakeholders because, until that time, they were faced with a long list of potentially usable standards.

Just from the first look at ISO/SAE 21434, it is clear that this safety standard is primarily concerned with vehicle software and hardware – it focuses on cyber threats caused by malicious hackers, security risk management for vehicles and their parts, and mitigation of cybersecurity incidents. This automotive security standard aims at helping manufacturers make sure that vehicles are developed with the lowest possible risk of a cyberattack. This includes the most serious cyberattacks that could pose a danger to the driver and other road users but also, for example, those that would endanger vehicle user privacy and their sensitive data.

ISO 21434 promotes road vehicle cybersecurity engineering based on the concept of security by design. It aims to help organizations develop programs and procedures that cover cybersecurity from the earliest stages of vehicle design throughout the entire vehicle lifecycle, including post-production, all the way to decommissioning. It nourishes a cybersecurity culture throughout the organization, makes sure the manufacturer doesn’t ignore important cybersecurity activities such as vulnerability analysis, vulnerability management, and threat analysis and risk assessment (TARA), as well as guides them toward clearly defining and managing cybersecurity risks through the establishment of a cybersecurity management system (CSMS).

Like all standard ISO recommendations, ISO/SAE 21434 is voluntary. Organizations are welcome to adopt it to improve their cybersecurity measures as part of due diligence but are not legally required to follow it. However, the standard may be a business requirement in the supply chain, and vehicle manufacturers may impose this requirement on automotive OEMs, automotive developers, service providers, and other stakeholders involved in product development.

UNECE WP.29 requirements

UNECE WP.29 is not a standard in itself, but a working party called the World Forum for Harmonization of Vehicle Regulations, formed by the Sustainable Transport Division of the United Nations Economic Commission for Europe (UNECE). It focuses not just on vehicle cybersecurity but on all aspects of regulating the construction, approval, and periodic technical inspections of wheeled vehicles. The rise in the number of connected vehicles drove UNECE WP.29 to include cybersecurity regulations in their vehicle safety requirements.

While in certain countries, manufacturers do not have to undergo any type of validation or attain the approval of the organization to introduce new vehicles onto the market, they still are required to follow the guidelines, and if discrepancies are found later, they could face recalls and major fines. This makes cybersecurity, which is now part of these requirements, no longer an option for vehicle manufacturers.

The requirements of UNECE WP.29 are more generic than those of ISO SAE 21434, and if the manufacturer meets the requirements of ISO 21434, they usually also meet all the requirements of WP.29. This assumption strengthens the position of ISO 21434 even more and encourages every vehicle manufacturer to adopt it, not just for easy type approval.

The role of DLP in automotive cybersecurity

Due to the fact that ISO/SAE 21434 covers a very specific scope of cybersecurity processes, it does not specifically concern itself with data privacy and security safeguards. However, these aspects are mentioned in the standard. The standard assumes that there is a way to ascertain information security. It expects the organization to go beyond ISO 21434 and develop cybersecurity processes to cover information security by building an information security management system with the help of standards such as ISO/IEC 27001. This is clearly mentioned in one of the sections of ISO 21434:

5.4.6 Information security management
Work products should be managed in accordance with an information security management system.

To ensure that the vehicle production processes in the entire value chain are safe from information theft, the information security management system mentioned in section 5.4.6 should include data loss prevention solutions such as the Endpoint Protector. While such solutions do not specifically apply to automotive software development, they protect the systems used in the development process of connected vehicles, which is just as important to ensure vehicle safety and owner safety.