As digitalization accelerates, cybersecurity is becoming an essential part of the automotive industry. Corresponding standards and regulations are beginning to demand cybersecurity (Update August 2021: ISO/SAE 21434 is now officially published). For an increasing number of positions in the diverse automotive industry, cybersecurity is becoming an absolutely unavoidable part of doing business. There is a real-world need to think about cybersecurity today, and to act accordingly. This is where standards and regulations come into play.
Compared to the last hundred years since the invention of the automobile, the rapid increase in technological advancements has occurred only in very recent years. Meanwhile, the current pace of innovation around the automotive ecosystem continues to accelerate.
This ranges from ever new steps forward and backwards on the way to autonomous driving to the advancement of e-mobility and all the sophisticated data-based, always-online systems running onboard.
And these are just the megatrends that have already found their way into the general public. What engineers and cybersecurity managers already have on their desks today only hints at the incredible range of future developments.
The digital transformation of the automotive industry reveals the threats of cybersecurity
A simple fact is that modern cars are becoming a very tempting target for cyberattacks, and the increasing number of interfaces that results from progressing digitization multiplies cyber risks.
Parallel to other industries, which are already building up real cybersecurity and IT security bastions, cybersecurity is becoming a major driver for the automotive industry. Cybersecurity is becoming an absolutely serious quality dimension for automobiles, if not the most important issue across the value chain.
It is therefore quite obvious that every player in the automotive industry is affected in some way, but hardly anyone seems to know exactly how.
Accordingly, the calls for general guidelines are getting louder. Parameters. A framework. Facts. Obligation. Regulations. Standards.
No doubt: defined cybersecurity requirements for newly developed cars are necessary
In terms of harmonization, standardization and implementation of effective frameworks (keywords Functional Safety and ASPICE), the automotive industry is generally considered to be at the cutting edge.
Nevertheless, cybersecurity is a relatively new topic in the context of the automobile.
And it’s not as if the automotive industry isn’t currently facing enough challenges: tougher competitive situations in the context of globalization, rising cost pressure, shorter development cycles, increasing complexity in general …
Accordingly, automotive players are behind in bringing cybersecurity fully into their organizations, their development projects and into the minds of their teams.
Hello, ISO/SAE 21434 – Road vehicles – Cybersecurity Engineering!
With ISO/SAE 21434, which was officially published at the end of August 2021 (please see: ISO/SAE 21434:2021 is now officially published. All info here (Update: August 2021)), the international association of automotive engineers SAE International and ISO (the International Organization for Standardization) have joined forces for the first time.
The result is a new point of reference for cybersecurity in the automotive industry. For the first time, the standard sets out a defined expectation, that is, defined minimum cybersecurity requirements. Furthermore, the standard defines a unified terminology that is valid along the entire supply chain and is intended to create an industry-specific consensus regarding cybersecurity in the automotive industry.
ISO/SAE 21434 is to be considered state of the art and thus a binding reference point for large parts of the world.
It will be valid for the E/E systems of road vehicles, including their components, software and interfaces up to any external network or device.
All phases of the vehicle lifecycle, including design, engineering, production, operation, maintenance and decommissioning, are relevant for compliance with ISO/SAE 21434.
Important to know: The standard is purposely kept abstract.
It only describes the intention of a process and intentionally leaves the actual design of the process in the hands of the user. At the same time, to cope with the fast pace of cybersecurity development, the standard does not provide specific cybersecurity technologies or solutions, recovery solutions or clearly specified technical requirements.
In the context of the ISO/SAE 21434 standard, the question of the relation to UN Regulation No. 155 (which was developed by UNECE WP.29) always comes up: For this, we recommend a look at our blog What is the difference between a standard and a regulation?
Please note: Due to the official regulations of DIN/ISO, which is responsible for the reproduction procedures of the ISO standard, we cannot make extracts of the standard public on this page.
For this purpose, simply use our brand new Pocket Guide ISO/SAE 21434
Update June 2021: In the meantime, we have published the world’s first reference book on ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering officially licensed by DIN/ISO: The Essential Guide to ISO/SAE 21434
Manuel Sandler is Associate Partner at CYRES Consulting. He has many years of experience in global project and process management in various parts of the value chain, including OEMs and Tier-1. He is ASPICE Provisional Assessor and an expert in Engineering Process Development, ISO 26262, ISO/IEC 15288 and ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering.