Why the new ISO/SAE 21434 automotive cybersecurity standard matters

Why the new ISO/SAE 21434 automotive cybersecurity standard mattersWith over-the-air updates, infotainment, and the integration of mobile devices and cloud-based services, the connected vehicle offers the ultimate experience with state-of-the-art safety, autonomy, and driver comfort. Robust cybersecurity measures must be engineered into all aspects of the vehicle’s construction to protect critical features and back-end networks from cyberattacks.

The latest automotive cybersecurity standard, ISO/SAE 21434, aims to provide connected vehicles with robust protection from malicious cyberattacks. The standard requires OEMs and their supply chains to apply a security-by-design approach to their components, servers, and processes to reduce the risk of being vulnerable to attacks at any point in a vehicle’s lifetime, from the initial concept and design phases to end of life.

Under ISO/SAE 21434, security must be considered for all electronic systems in the connected car, at every stage, from concept to manufacturing to decommissioning, and systems must be engineered in such a way that they will offer robust protection from evolving threats. The requirements defined by the standard must be embedded into a company’s DNA, and organizations must implement a Cyber Security Management System (CSMS), including cybersecurity risk management.

Connected vehicles will inevitably communicate with outside entities, from other vehicles to smart-city infrastructure and to the cloud. If left unsecured, the vehicle electronics systems could be compromised by attackers. Robust security measures are essential to prevent attacks and protect the vehicle, its systems, and the back-end networks that serve them from cyberattacks.

Efforts to create an automotive cybersecurity standard started in 2016, when the Society of Automotive Engineering (SAE) and the International Organization for Standardization (ISO) embarked ON a joint initiative to create an industry standard for vehicle cybersecurity. Both organizations had separately worked on automotive safety and security-related standards: ISO 26262 is the renowned automotive functional safety standard, and SAE leveraged the framework of ISO 26262 when creating J3061, the “Cybersecurity Guidebook for Cyber-Physical Systems.”

The two organizations ultimately joined forces and collaborated with automakers, component and system suppliers, and cybersecurity vendors — involving over 100 experts from more than 82 companies in 16 countries. The new ISO/SAE 21434 standard is the result of this collaboration. It defines precise procedural and organizational requirements for achieving robust vehicle cybersecurity. Also detailed in the standard are the steps required for performing threat analysis and risk assessment of potential cyberthreats throughout the vehicle’s life cycle. Additionally, organizations need to monitor cybersecurity events and manage incidents when they occur.

In addition, from July 2022 onward, vehicle manufacturers (automotive OEMs) must comply with the new UN R155 automotive cybersecurity regulation for new vehicle type launches in Europe, Japan, and Korea, which represents over a third of global vehicle production. Other regions are expected to follow.

UN R155 is a further step toward enhancing cybersecurity. The regulation was adopted in 2020 by the United Nations Economic Commission for Europe (UNECE) WP.29, also known as the World Forum for Harmonization of Vehicle Regulations. Under UN R155, vehicle manufacturers can achieve vehicle type approval and sell new vehicle types only if they have a certified CSMS in place.

The standard ISO/SAE 21434 supports the implementation of the R155 requirements in organizations across the supply chain. NXP is the first Semiconductor supplier to be certified by TÜV SÜD to comply with ISO/SAE 21434. This helps OEMs meet requirements of the R155 regulation.

It’s important to stress that the standard does not mean that OEMs should tear apart existing systems and remove legacy components at will. They must analyze automotive systems and determine whether their components fulfill relevant security criteria. This analysis will prove easier for new, compliant components. Existing off-the-shelf components will require further assessment as to their suitability and to identify — and address — any potential security shortfalls. Considering the plethora of electronic components used in a new car from both Tier 1 and Tier 2 suppliers, the responsibility will be a shared one, with the implications encompassing the whole supply chain.

Future automotive products must comply with the standard, and manufacturers must provide supporting evidence. NXP and other suppliers must work closely with Tier 1 and OEM customers and help them conduct their risk assessments and compliance validation.

Moving forward, consumers and automakers will benefit from the implementation of the standards and adherence to the regulations. Consumers can enjoy consistent, seamless technology that enhances safety and user experience with robust protection against cyberattacks and evolving threats.

about NXP Semiconductors