In almost all product developments in the automotive industry, the ISO/SAE 21434 standard (officially published in 2021 as the so-called “First Edition”) is now being applied worldwide, to varying extents, along the entire value chain. It quickly became clear that the standard has deliberately been kept very abstract.
But how does this lack of detail, this deliberately rather superficial depth of ISO/SAE 21434, affect product development in concrete terms? This question is explored in this blog post.
- I. Getting started with ISO/SAE 21434
- II. The challenge with ISO/SAE 21434
- III. The importance of the right understanding
- IV. An outlook on future development work
- V. Sum up
In general, one might expect that developing and establishing something should be much easier when there is a high degree of flexibility in how the details are to be done.
In practice, however, this is a double-edged sword: when specific questions arise about how exactly something should be done, high flexibility is all too often the reason why one gets nowhere. Without a sufficiently detailed description of what exactly is to be done, the flexibility itself becomes a problem.
Getting started with ISO/SAE 21434
This is particularly the case with ISO/SAE 21434:2021 in its “First Edition”. It states “what to do”, but is not correspondingly explicit or comprehensive about “how to do it” or how to get there in concrete terms.
How does this “information deficit” affect the creation and maintenance of cybersecurity processes, the establishment of structures and procedures, and the concrete elaboration of the various ISO/SAE 21434 work products?
First of all, it is important to know that ISO/SAE 21434, like other standards, is not mandatory in itself.
Nevertheless, the standard has received tremendous attention around the world in recent months (and by now almost years), as it is one of the first to address the absence of concrete guidance on, or a definition of, what level of cybersecurity is sufficient for a vehicle.
Consequently, the standard serves as an essential foundation for building a cybersecure vehicle. Accordingly, it covers all steps of the entire product lifecycle, from initial concept, through development and production, to operational use, and finally to the end of cybersecurity support and decommissioning. It includes principles for both the development and post-development phases.
In addition to the technical processes, the standard also covers, under the heading of cybersecurity management, organizational structures and the activities of cybersecurity management at the organizational and project levels, as well as the important topic of supplier management (the “distributed cybersecurity activities”) and the so-called continual cybersecurity activities (monitoring, vulnerability analysis and vulnerability management).
In doing so, ISO/SAE 21434 establishes a set of minimum criteria and guides through the essentials for developing cybersecure vehicle components.
The challenge with ISO/SAE 21434
However, the standard does not provide a detailed process or specific guidance on how this outlined cybersecurity can ultimately be achieved in practice.
Benefits of flexibility
So how can the lack of detail in ISO/SAE 21434 become an advantage? Flexibility is one of the most important advantages here. In fact, the freedom of action granted for the concrete implementation might even be the main benefit.
For those responsible in organizations that develop very different items, components or products, the fact that the standard does not prescribe an exact sequence of processes within an overall product-development methodology can be of particular value.
In practice, heterogeneous organizations in the automotive industry have usually already defined their own strategy and structure for integrating cybersecurity into their products.
Building on these can yield considerable time and cost savings.
Existing processes can also simply form a basis for cybersecurity integration: for example, incident management (from IT), requirements management (from functional safety), existing test concepts for software, hardware and systems and, last but not least, general management and supplier processes.
Therefore, not everything has to be turned upside down. It is possible to continue working with processes and structures that are already set up and practiced in the company. It may only be necessary to make a few adjustments to fully meet the requirements of the standard.
(Reviewing these adaptation needs is what currently makes our ISO/SAE 21434 gap analysis consulting approach popular.)
What are the disadvantages?
As already mentioned, ISO/SAE 21434 does not present a rigorously specified methodology that the automotive industry can apply on a 1:1 basis with regard to cybersecurity. Now, let’s talk about how this can be disadvantageous.
Especially for original equipment manufacturers (OEMs), who must ensure the application of the standard not only within their own organization but also across their supply chain, this lack of clarity can be a problem. Due to the nature of the value chain, OEMs are in a completely different work situation than the players further down the supply chain. Particularly in the interconnected development processes of a vehicle, the distribution of tasks and responsibilities, the associated information flows and the documentation are of special importance. With UN Regulation No. 155, it is also clear that the approval-relevant topic of the Cybersecurity Management System (CSMS) and the corresponding compliance does not rest on the OEM alone; suppliers must also have “their cybersecurity” under control. This is not only a theoretical challenge: if the CSMS requirements are not met, a new vehicle type cannot obtain type approval, and thus cannot be sold, in the contracting parties that apply UN R155.
By now, the word is out that applying ISO/SAE 21434 can be an important step toward UN R155 compliance.
So what happens when OEMs now go and do their duty within UN R155/CSMS and also have to ensure the cybersecurity of their suppliers?
They flat out call for “the application of and compliance with ISO/SAE 21434.”
The problem with this is that the standard's lack of information regarding precise procedures for ensuring cybersecurity in a product can lead to considerable confusion.
If there is no explicitly formulated “recipe”, it becomes more complex to assess the extent to which everything has been done correctly. This is a critical problem that persists throughout the product lifecycle.
Automotive projects are broad, complex and span a significant amount of time. A lack of precision early on, or in just one aspect of project cybersecurity, can lead to compounded problems that grow in scope and severity over time. Missing or insufficiently considered requirements that only become visible in later phases of development or of the product lifecycle therefore often work against the original objectives, the time planning and, last but not least, competitiveness.
Successful implementation of cybersecurity puts immense demands on the organization and can easily cascade from an isolated consideration to an influencing variable on costs, the ultimate quality of the product, and beyond.
The importance of the right understanding
The correct understanding of the contents surrounding the ISO/SAE 21434 is of crucial importance. Two directions can be established as starting points:
- Knowledge at decision-maker and executive level about the far-reaching impact of ISO/SAE 21434 far beyond the actual product to be developed
- Specific expertise in process definition and planning as well as in the evaluation of the requirements, recommendations and permissions of the standard at the engineering and project level.
These two directions overlap in practice. Only in combination do they make it possible to compensate, in an organization-specific way and for one's own work, for the lack of clarity and precision in the details of the standard, in order to achieve resilient cybersecurity across the particular product lifecycle.
Universal instead of specified: What are the advantages at the implementation level?
The lack of detail in the standard is less likely to be perceived as a disadvantage in organizations that already have a higher level of maturity in establishing processes, e.g., in supplier management or in cybersecurity itself.
Those who already have mature structures, strategies and a corresponding process landscape, ideally not only written down but also applied in practice, will find it easier to adapt these to the new, possibly additional and/or modified requirements. The prerequisite for this is to have the appropriate positions staffed with the necessary expertise on the various cybersecurity issues.
On the other hand, there are companies that are only just starting to implement general cybersecurity requirements or CSMS requirements, for example, based on a specific customer requirement. Where experience is lacking and best practices are still rare on the market, the “vagueness” of the standard is not a help but an obstacle.
Of course, it would initially be advantageous if the standard provided more concrete guidance and ground rules on the “how”. At the same time, however, this would deny organizations the freedom to develop their own strategies, approaches and solutions for implementing cybersecurity.
Against this background, the annexes of ISO/SAE 21434 take on particular importance. Here, many specialists, regardless of how mature their own work is, would like to see far more comprehensive and more specific examples than the standard currently offers (for instance, the single worked TARA example on a headlamp system).
About the importance of existing process structures
Something we repeatedly discover in our consulting practice and try to point out at an early stage: Well-defined and neatly applied processes are one of the most important success factors for the implementation of cybersecurity. If you are able to refer to an existing process landscape that already works well in other areas, you have a starting point from which you can successfully integrate cybersecurity principles in a holistic manner.
Anyone familiar with automotive cybersecurity who reads ISO/SAE 21434 correctly will agree that one cannot assume that a point will ever be reached at which all risks have been completely eliminated; a residual risk remains and has to be managed.
From this perspective, it is of utmost importance to set up the essential processes correctly (from incident response and vulnerability management to TARA and, of course, with a view to the CSMS, and much more).
Those who consistently set up reasonable procedures and implement them correctly will be far ahead.
At the same time, neighboring processes and domains must not be lost sight of.
Correctly set up related processes and management systems are a lever for implementing new cybersecurity requirements within the existing process landscape.
The general idea of ISO/SAE 21434 should also not be disregarded: it deliberately avoids precise, specific requirements that can simply be checked off one after the other, for example, in order to provide the customer with a quick proof of activity. Rather, the standard tries to get away from this “security on paper” idea and instead to foster awareness of the correct approach and of the importance of actually achieving cybersecurity.
In the phase of concrete implementation, the fact that the standard hands over only limited information should not really be a particular challenge for organizations and projects. After all, it should be the experienced staff in the respective areas who have the know-how for correctly implementing security topics. Without such expertise, of course, it is difficult, and one would wish the standard offered more in-depth instructions.
An outlook on future development work
It is important to understand that the fast pace of change currently taking place around the vehicle affects not only the evolving vehicle itself (in terms of the components used, etc.), but also the relevant players and the technologies used.
In parallel, there can never be a standstill in cybersecurity: newly discovered vulnerabilities and emerging security flaws appear every day, every hour. The discovery and disclosure of such new cybersecurity-related risks is, from the perspective of an ISO standard, usually rather “un-standardized”: discovered by third parties, insufficiently kept confidential, unclearly documented … horror scenarios in cybersecurity, as a look at the neighboring domain of information security shows. It is precisely this that the continual cybersecurity activities of the standard (monitoring, vulnerability analysis, vulnerability management) are meant to bring under process control.
What can already be said today: established (and continuously evolving) processes will continue to mature in these domains of cybersecurity activity.
The “First Edition” of ISO/SAE 21434 provides the starting point for this. We can also say today that it will most likely continue to evolve. But even in its current, deliberately abstract form, it already lays the foundations for the most important activities and their far-reaching implications.
The broader view on relevant information sources, such as VDA publications, the VDA Information Security Assessment catalog underlying TISAX, Auto-ISAC or OICA resources and many more, should not be neglected here.
Sum up
Regardless of the abstract nature of the standard, in summary, implementing the requirements and recommendations of ISO/SAE 21434 is essential to ensure that a product achieves a minimum level of cybersecurity throughout its lifecycle. At the same time, the standard serves as the cornerstone for strategically aligning cybersecurity in organizational structures, organizational management and processes.
Accordingly, automotive industry organizations are striving to implement the requirements and work products defined in the standard in order to achieve the cybersecurity level and the ISO/SAE 21434 compliance results their customers expect for their products.
The lack of detail and the resulting flexibility can be an advantage, as long as the required expertise and already established, mature processes are in place.
If this is not the case, there is a risk of gaps in cybersecurity, which can have a negative impact on the product.
From a consulting perspective, we can also confirm that the objective of making one's own product “cybersecure” can only be achieved if the significance and scope of the essential processes are understood.
Darja Boiko is Senior Analyst at CYRES Consulting. She is an experienced specialist not only in project management, but also in establishing a CSMS. She is involved in a variety of projects dealing with ISO/SAE 21434, UN Regulation No. 155, and ASPICE for Cybersecurity.