We need to do an “ISO 21434 Risk Assessment”. Preferably yesterday. Okay, slow down. At this point, two different intentions can be distinguished, which are often treated as if they were the same thing:
- I. Brief side note: What is the difference between a standard and a regulation?
- II. UNECE Regulation No. 155 – Regulation for automotive cybersecurity
- III. How do you audit ISO 21434? When is one compliant to ISO 21434?
- IV. When will ISO PAS 5112 be released?
- V. Practical tip for ISO 21434: Use gap analyses as a pre-audit already now!
a) You are already familiar with the upcoming ISO/SAE 21434 standard. You are already specifically looking for a Cybersecurity Risk Assessment, as envisioned by ISO/SAE 21434, to find and assess product-specific cybersecurity risks and threats (Cf. Clause 08 Risk Assessment Methods)?
b) You are just starting to deal with ISO/SAE 21434, and your highest priority is to understand how to assess the security of your product in terms of cybersecurity?
Many players in the automotive industry are currently leaning, to varying degrees, towards option b).
The underlying reasoning: without secure products there are no customer relationships, no revenue and, ultimately, no organization. Following this logic, the product becomes the starting point, and the organization, processes and methods are considered afterwards.
Accordingly, it seems understandable that the product (or the actual asset of value creation itself) appears to be the primary entry point for dealing with ISO/SAE 21434.
To be clear: Yes, the product itself plays a key role. ISO/SAE 21434 and risk assessments in particular are used to make products secure. But companies are becoming aware that ISO/SAE 21434 is not only about the product, but also about projects and the entire organization. This understanding is important: It’s not just about the product. You might have heard about UNECE Regulation No. 155 (short: UNR 155), which covers not only the product but also product development and the organization.
This raises the question of how ISO/SAE 21434 as a standard currently relates to UNECE Regulation No. 155.
In this blog post, we try to explain, in simple terms, the relationship between the standard and the regulation with respect to the organization and product development, and how the two depend on each other.
Brief side note: What is the difference between a standard and a regulation?
Standards are usually reference points designed by the industry itself under the control of an authority such as ISO (the International Organization for Standardization).
Standards are considered to be state-of-the-art references. For example, ISO/SAE 21434 Road vehicles – Cybersecurity engineering provides the framework for requirements and recommendations to develop a cybersecure product in the automotive industry. ISO/SAE 21434 does not offer any fixed suggestions for solutions, but only a purposely abstract framework. Read more about this in our blog Hello ISO/SAE 21434! The new point of reference for cybersecurity in the automotive industry is coming
In simple terms, evidence that one has worked along a standard can be used in court to show that something was developed according to the industry’s accepted way of working, with the ISO standard serving as the reference.
Regulations, in contrast, are legally binding directives issued by an official body, such as a government.
In the case of the automotive industry and UNECE Reg. No. 155, these are binding requirements that must be complied with in order to obtain type approval and therefore market access. A lack of compliance with the regulation can consequently lead to a sales ban in the corresponding area of application (in the case of UNR 155, over 60 countries are already adopting the regulation).
Such regulations often refer to standards as their technical point of reference.
UNECE Regulation No. 155 – Regulation for automotive cybersecurity
Originally founded as the Working Party on the Construction of Vehicles, UNECE WP.29 is the world forum for the harmonization of vehicle regulations of the United Nations Economic Commission for Europe.
What is established here is to be regarded as the “UN regulations” for international vehicle construction.
One of the most important recent regulations is UNECE Regulation No. 155 concerning the approval of vehicles with regard to cybersecurity and the Cyber Security Management System.
Here, the UNECE refers to the ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering standard. This was made especially clear in the published interpretation document of late 2020, which related the requirements of the regulation to the various requirements of ISO/SAE 21434.
In other words, the ISO 21434 industry standard provides support for meeting the requirements of UNECE Regulation No. 155.
(To draw a parallel from information security: Here the implementation of the ISO 27k-series would be one thing, the EU GDPR/DSGVO as applicable law, the other).
The two major sections of UNR 155: type approval and CSMS
On the one hand, UNR 155 is about ensuring cybersecurity at the organizational level. The objective here: ensuring that cybersecurity principles are implemented at the core of the business and its processes.
On the other hand, it is about the product and type approval. The objective here: ensuring that the vehicle architecture is designed securely, risks are assessed and adequate security controls are implemented.
The Cyber Security Management System (CSMS) is of central importance for ensuring a cybersecure organization in the automotive industry. Moreover, the CSMS provides the basis for the Certificate of Compliance for CSMS, i.e. the auditing and the corresponding official certification.
For this purpose, the VDA (the German Association of the Automotive Industry) has released a questionnaire (still in draft status; finalization is pending and the Red Book will be released soon), which is intended to provide an initial basis for the audit protocol as a rudimentary checklist.
In it, the CSMS requirements are reformulated as questions or scenarios describing how each requirement can be covered.
Auditing to the Certificate of Compliance for CSMS
How is auditing carried out in accordance with UNECE Regulation No. 155? Two entities are relevant here. Firstly, the official approval authority (such as the Federal Motor Transport Authority under the Federal Ministry of Transport and Digital Infrastructure), and secondly, an institution at the technical level.
CSMS – only a topic for OEMs?
The following applies: The OEMs must demonstrate that the CSMS is managed along the entire value chain. Consequently, all players involved need to be aware of potential risks and gaps, from Tier 1 down to Tier n suppliers. This means that suppliers must also work in compliance with the CSMS principles.
The audit or the Certificate of Compliance for CSMS must be obtained at least every three years.
To link this to type approval: CSMS certification is the prerequisite for type approval in the first place. On top of it come the additional detailed requirements relating to the product.
As the creation and implementation of new organization-wide rules and processes can be painfully slow, it is advisable to take the necessary steps at an early stage.
How do you audit ISO 21434? When is one compliant to ISO 21434?
When we talk about compliance with ISO, it is worth explaining the basic difference between an audit and an assessment in this context:
The audit checks whether the processes at the level of the organization are compliant with ISO 21434.
The assessment checks the project-specific processes and their technical implementation.
Even though ISO/SAE 21434 is still at the Draft International Standard (DIS) stage, there is already a draft of the guidelines for auditing ISO/SAE 21434.
These guidelines are part of the ISO PAS 5112, which is also currently not finalized.
(CYRES Consulting is part of the DIN working committee for ISO PAS 5112 for Road vehicles – Guidelines for auditing cybersecurity engineering.)
The audit will target the organization and thus all necessary processes along the Clauses of the ISO/SAE 21434.
(In addition, ISO PAS 5112 follows ISO 19011, the international standard for auditing management systems.)
When it comes to verifying compliance with ISO/SAE 21434, the following scenarios can be considered (at this time) for checking:
- In an (informal) preparatory pre-audit, check for oneself whether and to what extent one is already compliant, with the aim of identifying possible gaps.
- Ensure that compliance is also achieved with suppliers.
- Perform an independent review in the form of an official audit and certification by a national accreditation body with the aim of obtaining certification. (Please note: At this time, there is no official information on the specific possibilities for this.)
In the future, one possible route might be to get certified by having an audit performed by a third party that is accredited by a national authority. In Germany this would be the national accreditation body DAkkS, based in Berlin. The auditor would audit against the principles and guidelines of ISO PAS 5112 and thus against ISO/SAE 21434.
Such an audit can be performed by third-party accreditation agencies that are authorized and able to correctly audit against the guidelines of ISO PAS 5112 and thus the ISO/SAE 21434 requirements.
When will ISO PAS 5112 be released?
The current schedule is for ISO PAS 5112 to be released in parallel with the final release of the ISO/SAE 21434 standard. (Due to the ongoing Covid-19 crisis, further postponement is possible, we will keep you updated.)
Practical tip for ISO 21434: Use gap analyses as a pre-audit already now!
In order to allocate sufficient resources at an early stage to the overall scope of compliance with ISO/SAE 21434 (and, of course, UNR 155), it is recommended to start with the question: Where do we currently stand?
What is the status of development projects and organizational structures regarding the application of ISO 21434? Systematically conducted pre-audits are an opportunity to identify potential gaps at an early stage.
This is also an important step towards being prepared for future required cybersecurity certifications. It matters not only because official certification is expensive, but also because identifying existing deficits early speeds up the search for appropriate solutions.
Learn more about our ISO/SAE 21434 Gap Analysis
Felix Roth is Senior Consultant at CYRES Consulting. After his master’s degree in Management and Technology from the TU Munich and with several stops in different companies and fields including digitalization and industry 4.0, he joined CYRES Consulting back in 2019. At CYRES Consulting he is co-responsible for the CYRES Academy and is involved in different Cybersecurity projects. He is also member of the DIN NA 052-00-32-11 AK “Cybersecurity” and thus also of the ISO/TC 022/SC 32/WG 11 “Cybersecurity” covering the development of the ISO/SAE 21434 and ISO PAS 5112.