As the digitalization process accelerates, cybersecurity is becoming an essential part of the digitalized economy, especially in the automotive industry. Digital innovations, as they have an increasing impact on our lives in constantly shrinking time cycles, highlight the urgency to think about cybersecurity. And to act accordingly. This is where standards and regulations come into play.
This particularly affects the automotive industry.
Measured against the last hundred years since the invention of the automobile, the rapid increase in technological advancement has occurred only in very recent years. Meanwhile, the current pace of innovation around the automotive ecosystem continues to accelerate.
This ranges from the ever new steps forward and backward on the way to autonomous driving to the advancement of e-mobility and all the sophisticated data-based, always-online systems running on board.
And these are just the megatrends that have already found their way into the general public. What engineers and cybersecurity managers already have on their desks today only hints at the incredible range of future developments.
The digital transformation of the automotive industry reveals cybersecurity threats
A simple fact is that modern cars are becoming a very tempting target for cyberattacks, and the increasing number of interfaces that results from progressing digitization multiplies the cyber risks.
Parallel to other industries, which are already building up real cybersecurity and IT security bastions, cybersecurity is becoming a major driver for the automotive industry. Cybersecurity is becoming an absolutely serious quality dimension for automobiles, if not the most important issue across the value chain.
It is therefore quite obvious that every player in the automotive industry is affected in some way, but hardly anyone seems to know exactly how.
Accordingly, the calls for general guidelines are getting louder. Parameters. A framework. Facts. Obligation. Regulations. Standards.
No doubt: defined cybersecurity requirements for newly developed cars are necessary
In terms of harmonization, standardization and implementation of effective frameworks (keywords Functional Safety and ASPICE), the automotive industry is generally considered to be at the cutting edge.
Nevertheless, cybersecurity is a relatively new topic in the context of the automobile.
And it’s not as if the automotive industry isn’t currently facing enough challenges: tougher competitive situations in the context of globalization, rising cost pressure, shorter development cycles, increasing complexity in general …
Accordingly, automotive players are behind in bringing cybersecurity fully into their organizations, their development projects and into the minds of their teams.
Hello, ISO/SAE 21434 – Road vehicles – Cybersecurity Engineering!
With ISO/SAE 21434, which is still in DIS status (i.e. not yet finally published) at the beginning of 2021, the international association of automotive engineers SAE International and ISO (the International Organization for Standardization) have joined forces for the first time.
The result is a new point of reference for cybersecurity in the automotive industry. For the first time, the standard sets out a defined expectation, that is, defined minimum cybersecurity requirements. Furthermore, the standard defines a unified terminology that is valid along the entire supply chain and is intended to create an industry-specific consensus regarding cybersecurity in the automotive industry.
ISO/SAE 21434 is to be considered state of the art and thus a binding reference point for large parts of the world.
It will be valid for road vehicle type E/E systems, including their components, software and interfaces up to any external network or device.
All phases of the vehicle lifecycle, including design, engineering, production, operation, maintenance and decommissioning, are relevant for compliance with ISO/SAE 21434.
Important to know: The standard is purposely kept abstract.
It only describes the intention of a process and intentionally leaves the actual design of the process in the hands of the user. At the same time, to cope with the fast pace of cybersecurity development, the standard does not provide specific cybersecurity technologies or solutions, recovery solutions or clearly specified technical requirements.
In the context of the ISO/SAE 21434 standard, the question of the relation to UN Regulation No. 155 (UNECE WP.29) always comes up. For this, we recommend a look at our blog "What is the difference between a standard and a regulation?"
Please note: Due to the official regulations of DIN/ISO, which is responsible for the reproduction procedures of the ISO standard, we cannot make extracts of the standard public on this page.
For this purpose, simply use our brand new Pocket Guide ISO/SAE 21434
Update June 2021: In the meantime, we have published the world’s first reference book on ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering officially licensed by DIN/ISO: The Essential Guide to ISO/SAE 21434
Manuel Sandler is Associate Partner at CYRES Consulting. He has many years of experience in global project and process management in various parts of the value chain, including OEMs and Tier-1. He is ASPICE Provisional Assessor and an expert in Engineering Process Development, ISO 26262, ISO/IEC 15288 and ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering.