Author

Paul McLellan
Have You Heard of ISO 21434? You Will

9 Apr 2021 • 4 minute read

  You probably already know what ISO 26262 is. If you don't, then you can find out in several previous posts:

  • "The Safest Train Is One that Never Leaves the Station"
  • History of ISO 26262
  • ISO 26262...Chapter 11
  • What to Do About IP Developed Before ISO 26262?

ISO 21434

The actual ISO 26262 standard is titled Road Vehicles—Functional Safety. Another standard that you can expect to hear more about is ISO 21434 Road Vehicles — Cybersecurity Engineering. The standard is currently under development and the first draft became publicly available in February 2020. Whereas ISO 26262 deals with the functional safety of automotive electronics (including semiconductor components in chapter 11), ISO 21434 deals with the cybersecurity risk in road vehicle electronic systems.

The goal of ISO 21434 is to build upon ISO 26262 and provide a framework similar to it for the entire life cycle of road vehicles. The major components of this new standard include security management, project-dependent cybersecurity management, continuous cybersecurity activities, associated risk assessment methods, and cybersecurity within the concept, product development, and post-development stages of road vehicles. Its full name is actually ISO/SAE DIS 21434. As it says on the SAE (Society of Automotive Engineers) website:

This document specifies requirements for cybersecurity risk management regarding engineering for concept, development, production, operation, maintenance, and decommissioning for road vehicle electrical and electronic (E/E) systems, including their components and interfaces. A framework is defined that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.

This document is applicable to series production road vehicle E/E systems, including their components and interfaces whose development or modification began after the publication of the document. This document does not prescribe specific technology or solutions related to cybersecurity.

Obviously, the need for the standard is driven by the increased connectivity of cars. You've probably seen the famous video where Charlie Miller and Chris Valasek took control of a Wired journalist's car and drove it into a ditch. I wrote about it in my post Automotive Security: A Hacker's Eye View when Charlie gave a keynote at Arm TechCon that year. The video is embedded in the post if you want to see it. Just this year, the SolarWinds exploit, which is a supply chain attack, has terrified automotive companies since cars either already have or will have over-the-air (OTA) updates for their software. For more on SolarWinds, see my posts The Biggest Security Breach Ever and Update: Achronix, SolarWinds, Wikipedia, US Fabs.

C2A

 I recently talked to Nathaniel Meron of C2A. He pointed out that there are more issues than just the obvious safety one. For example:

  • Hackers taking over an ADAS system and the driver loses control over steering
  • The serious safety risk of the brakes being disabled in a vehicle
  • Ransomware: not allowing a vehicle to be used until a ransom is paid
  • Car theft
  • A malicious recall—installing a virus on an OEM's fleet to cause an unexpected bug that prompts the vehicle to behave incorrectly, forcing the OEM to recall the product (causing millions of dollars of cost)

There has been a lot of investment in automotive cybersecurity startups, but the timing has been too early. The automotive industry moves slowly and was only in an investigative phase. Also, the cybersecurity companies are coming from hyperscale data center backgrounds and don't speak the automotive industry's language. As a result, so far there are zero secured vehicles.

But C2A believes its timing is good and the market is happening now. One reason is ISO 21434 and work by UNECE WP.29, the World Forum for Harmonization of Vehicle Regulations, which is producing regulations that will be initially adopted in Europe, Japan, and some other countries. These new regulations make OEMs (what normal people call car companies) responsible for cybersecurity mitigation in four cybersecurity areas over the entire vehicle lifecycle: managing cyber risks, securing vehicles by design, detecting and responding to security incidents, and providing safe and secure OTA software updates. 

The result of this burst of standards and regulations is that the automotive companies are finally getting their acts together and the market is moving. The first RFQs have already been issued. C2A summarizes this sea change in the regulatory environment in its white paper:

Changes in the regulatory environment for automotive cybersecurity lingered for some time in the industry. Today, the first cut of standards are here and encompassed in the new ISO 21434 standard and UNECE WP.29, which define the categoric directive for implementing cybersecurity management systems for the protection of vehicles. Together with additional standards expected in the future, such as the Cybersecurity Act in the EU, the Chinese ICV program, new guidelines from JASPAR in Japan and legislative proposals in the US Congress, these are vivid examples of the industry-wide collaborative efforts to create a basis for automotive cybersecurity. Now, OEMs need to independently find their practical way of tackling the challenge of cybersecurity lifecycle management while adhering to these standards.

Get ready to hear a lot more about the alphabet soup of acronyms, and especially ISO 21434. And by the way, Cadence partner Green Hills Software announced last year that it has adopted the two new international security standards and regulations for automotive cybersecurity—ISO/SAE 21434 and UNECE WP.29—for the INTEGRITY RTOS and associated products and services.

Learn More

Download the draft ISO 21434 standard (it will cost you $120).

C2A's website.

 

© 2023 Cadence Design Systems, Inc. All Rights Reserved.
