ISO 21434, the Automotive Cybersecurity standard

Reading time: 3 minutes - Difficulty: Advanced
ISO/SAE 21434 sets out the requirements for cybersecurity engineering of road vehicles across the product lifecycle. Conformance with it is not in itself proof that a vehicle is secure, but it is the standard generally used to demonstrate the cybersecurity management system (CSMS) that UNECE Regulation No. 155 requires for type approval.

Fundamentals of ISO 21434

Linked to UNECE Regulation No. 155, the standard was developed jointly by the International Organization for Standardization (ISO) and SAE International (formerly the Society of Automotive Engineers); hence its full designation, ISO/SAE 21434 – Road vehicles – Cybersecurity engineering.
ISO 21434 applies to the electrical and electronic (E/E) systems of series-production road vehicles, including their components, the software they run, and their interfaces.

Although the standard does not prescribe specific technical countermeasures or technologies, it is the reference framework for the cybersecurity of vehicle E/E systems, because:

  • it specifies requirements for cybersecurity risk management
  • it covers the whole product lifecycle, from concept through development, production, operation and maintenance to decommissioning, including the organizational measures an OEM needs in order to achieve compliance
  • it defines a common language for managing cybersecurity risks within the supply chain


When to apply ISO 21434

ISO 21434 applies to the vehicle itself: systems outside the vehicle are treated as external interfaces of the item under analysis and are therefore outside the standard's scope, even though the interface to them is taken into account when the item is defined.

In addition, its application is limited to elements and components that are relevant to cybersecurity, including after-sales support and spare parts; Annex D (Cybersecurity relevance) gives an example method for deciding whether a component is relevant.


The following fall within the components covered by ISO 21434:

  • Gateway
  • Infotainment systems
  • Sensors
  • Cameras
  • Security systems
  • Communication systems in general

On the other hand, the following are currently treated as external interfaces rather than parts of the vehicle, and so fall outside the scope of the standard:

  • External storage devices
  • Back-end servers
  • Connectivity systems outside the vehicle
  • Diagnostic and maintenance applications

Other standards apply to those external parts, such as IEC 62443 (industrial automation and control systems), ISO/IEC 27001 (information security management) or the NIST Cybersecurity Framework.


The security lifecycle according to ISO 21434

Within the ISO 21434 management system, the lifecycle underlines how much the cybersecurity of the end product depends on organizational measures, not only on technical ones.

Like other cybersecurity standards, ISO 21434 places strong emphasis on the roles and responsibilities of OEMs and their suppliers, devoting substantial sections to:

  • Cybersecurity governance
  • Provision of resources
  • Cybersecurity culture
  • Cybersecurity procedures
  • Information sharing


The reasoning behind the ISO 21434 security lifecycle, and how it is applied in practice, are summarized in the diagram above.