ISO/SAE 21434 is considered a milestone for the automotive industry regarding cybersecurity. As of today, ISO/SAE 21434 has the new status “International Standard published”. What does this mean for the industry? We provide an overview in the following article and in an upcoming info webcast for which you can register free of charge.
First, an overview of the most important questions regarding the publication that has now taken place.
ISO/SAE 21434:2021: What you need to know now
- I.I. What is ISO/SAE 21434 in short?
- I.II. Why is ISO/SAE 21434 important?
- I.III. What is impacted by the ISO/SAE 21434?
- I.IV. How will ISO/SAE 21434 affect the ecosystem around road vehicles?
- I.V. Is the ISO/SAE 21434 released?
- I.VI. Where can ISO/SAE 21434:2021 be officially purchased?
- I.VII. What are the differences between the now released ISO/SAE 21434:2021 and the previous draft versions?
- I.VIII. What is the structure of ISO/SAE 21434:2021?
- I.IX. Does the ISO/SAE 21434 provide guidance?
- I.X. How is the ISO/SAE 21434 related to the UN Regulation No. 155?
- I.XI. Will there be relevant audits for ISO/SAE 21434?
- II. ISO/SAE 21434 DIS, FDIS and the latest publication: What are the differences?
- III. Additional Information materials next to the document of the standard
- IV. Publication of the official ISO/SAE 21434: Understand the scope of ISO/SAE 21434:2021 with our info webcast
- V. Be one step ahead: use a Gap Analysis to pre-audit to ISO/SAE 21434 compliance already today
ISO/SAE 21434:2021: What you need to know now
In our brand-new multi-part video learning course “Overview ISO/SAE 21434” on the CYRES Academy Online Learn Platform we answer the most important questions about ISO/SAE 21434:2021. After your registration you can watch the whole video course free of charge for a limited time.
However, regardless of that, let’s get started:
What is ISO/SAE 21434 in short?
ISO/SAE 21434 is to be considered state of the art and thus a binding reference point for cybersecurity in the automotive industry across large parts of the world. For the first time, the standard establishes a defined expectation, i.e. defined minimum cybersecurity requirements. Furthermore, the standard defines a unified terminology that is valid along the entire supply chain and is intended to create an industry-specific consensus regarding cybersecurity in the automotive industry.
Why is ISO/SAE 21434 important?
Modern cars are becoming a very tempting target for cyberattacks, and they also multiply cyber risks due to the increasing number of interfaces resulting from progressing digitization.
This ranges from the ongoing steps forward and backward on megatrends in automotive cybersecurity, such as autonomous driving, to the advancement of e-mobility and all the sophisticated data-based, always-online systems running onboard.
As digitalization accelerates, cybersecurity is becoming an essential part of the automotive industry: a serious quality dimension for automobiles, if not the most important issue across the value chain. For an increasing number of positions in the diverse automotive industry, cybersecurity is becoming an unavoidable part of doing business. There is a real-world need to think about cybersecurity today and to act accordingly. Compared to other industries, which have already built up real cybersecurity and IT security bastions, cybersecurity is still being established in the automotive industry. This is where standards and regulations for harmonization come into play.
What is impacted by the ISO/SAE 21434?
The ISO/SAE 21434 will be valid for road vehicle type E/E systems, including their components, software and interfaces up to any external network or device.
All phases of the vehicle lifecycle, including design, engineering, production, operation, maintenance and decommissioning, are relevant for the compliance with ISO/SAE 21434.
How will ISO/SAE 21434 affect the ecosystem around road vehicles?
No matter if you are a car manufacturer or a Tier-n supplier – your organization will be affected by ISO/SAE 21434 on all levels:
Organizational level: Starting at C-level management, general awareness of cybersecurity must exist in all relevant departments. Decision-makers need to have an overview of: Why does cybersecurity matter? What kind of certification is necessary? How can cybersecurity awareness be spread to other levels of the organization? What about documentation to have proof of compliance when it comes to legal issues?
Project level: from the initial kick-off to the final completion of projects, cybersecurity in project management must be considered at every single step to guarantee that the entire product in itself is cybersecure.
Engineering level: steering wheels, headlights, sensors, radar and LiDAR systems, lane keeping systems, software – every single connected component of the vehicle must be cybersecure.
Do you want to learn more about the specific requirements of ISO/SAE 21434, the UN Regulation No. 155 (UN R155), and future certification? You can browse through our cyber security awareness online courses to understand how cybersecurity affects organizations at all levels and what must be considered when building awareness across them.
Is the ISO/SAE 21434 released?
ISO/SAE 21434:2021 Road Vehicles – Cybersecurity Engineering was officially released on August 31, 2021. The release of the ISO/SAE 21434 standard thus replaces the previous draft versions (the DIS version from February 2020 as well as the latest FDIS version from May 2021).
Where can ISO/SAE 21434:2021 be officially purchased?
The document of the standard can be purchased in PDF format or hard copy on the official website of the International Standard Organization and (soon) probably also through the DIN at Beuth Verlag. In addition, the official Table of Contents and the general overview of the standard can be viewed via the ISO Online Browsing Platform.
What are the differences between the now released ISO/SAE 21434:2021 and the previous draft versions?
Since work on the standard began, the entire automotive industry has been keeping an eagle eye on what ISO/SAE 21434 requires of the stakeholders in the automotive value chain. Accordingly, even apparently minor adjustments and changes in the structure or wording of the standard can have far-reaching effects on practice.
From the draft versions to the officially published version, the entire structure of the ISO/SAE 21434 document has changed once again compared with the DIS version. However, this change in structure is not accompanied by serious changes in the content of the standard.
What is the structure of ISO/SAE 21434:2021?
First, adopt the same view that ISO/SAE communicates: the structure of ISO/SAE 21434 does not represent an “execution sequence” of the individual topics.
For the official structure of ISO/SAE 21434:2021, we have created a custom graphical visualization that illustrates the structure not in sequence, but along the development product lifecycle:
The structure of ISO/SAE 21434:2021 in the order given in the now released document:
- Clause 4 (General considerations) is informational and includes the context and perspective of the approach to road vehicle cybersecurity engineering
- Clause 5 (Organizational cybersecurity management) provides information regarding cybersecurity management, specifications of the organizational cybersecurity policies, as well as rules and processes
- Clause 6 (Project dependent cybersecurity management) includes the cybersecurity management and cybersecurity activities at the project level
- Clause 7 (Distributed cybersecurity activities) includes requirements for assigning responsibilities for cybersecurity activities between customer and supplier, in other words distributed development
- Clause 8 (Continual cybersecurity activities) includes activities that provide information for ongoing risk assessments and defines vulnerability management of E/E systems until end of cybersecurity support.
- Clause 9 (Concept) includes activities that determine cybersecurity risks, cybersecurity goals and cybersecurity requirements for an item. You can also watch our Cybersecurity Concept video course.
- Clause 10 (Product development) includes activities that define the cybersecurity specifications, and implement and verify cybersecurity requirements
- Clause 11 (Cybersecurity validation) includes the cybersecurity validation of an item at the vehicle level
- Clause 12 (Production) includes the cybersecurity-related aspects of manufacturing and assembly of an item or component
- Clause 13 (Operations and maintenance) includes activities related to cybersecurity incident response and updates to an item or component
- Clause 14 (End of cybersecurity support and decommissioning) includes cybersecurity considerations for end of support and decommissioning of an item or component
- Clause 15 (Threat analysis and risk assessment methods) includes modular methods for analysis and assessment to determine the extent of cybersecurity risk so that treatment can be pursued. ++ Learn more about this with our On-Demand video course Threat Analysis and Risk Assessment in Automotive Cybersecurity ++
Clauses 5 to 15 are followed by the annexes, which summarize the cybersecurity activities and work products, among other things.
Does the ISO/SAE 21434 provide guidance?
Important to know: The standard is purposely kept abstract.
It only describes the intention of a process and intentionally leaves the actual design of the process in the hands of the user. At the same time, to cope with the fast pace of cybersecurity development, the standard does not provide specific cybersecurity technologies or solutions, recovery solutions or clearly specified technical requirements.
How is the ISO/SAE 21434 related to the UN Regulation No. 155?
In the context of the ISO/SAE 21434 standard, the question of its relation to UN Regulation No. 155 (which was developed by UNECE WP.29) always comes up. It is advised to comply with at least 100 requirements of ISO/SAE 21434 in order to comply with UN R155, which will become mandatory for the approval of all new vehicle types by July 2022. Since insufficient compliance with UN Regulation No. 155 leads to a sales ban in 64 UNECE member countries, the question of its relationship to ISO/SAE 21434 arises. For a more detailed explanation, we recommend a look at our blog UN R155.
Will there be relevant audits for ISO/SAE 21434?
In order to fill the space ISO/SAE 21434 leaves open regarding the scope definition and process of audits and assessments, ISO Working Group 11 (WG11 for short) intends to establish guidelines to ensure a consistent scope and provide a roadmap for such audits. This is where ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering comes into play, which you can learn more about in our blog article.
ISO/SAE 21434 DIS, FDIS and the latest publication: What are the differences?
Although ISO/SAE 21434 was only officially published a few hours ago, the previous versions have already been made publicly available in recent months: first as a committee draft, then as a draft international standard (DIS for short) and finally as the newer final draft international standard (FDIS for short), which received only little publicity.
Accordingly, automotive cybersecurity education providers and automotive cybersecurity practitioners have relied on the draft versions of ISO/SAE 21434 in recent months and years to understand the requirements and work products.
Thus, starting from the first publicly available version (DIS), ISO/SAE 21434 was considered the state-of-the-art reference document for automotive cybersecurity.
With the release of the official version, these draft versions will be more or less obsolete for upcoming development projects; it can be assumed that from now on, only the reference to ISO/SAE 21434:2021 will be on the agenda in automotive projects.
Does your customer demand, in a Statement of Work, the application of ISO/SAE 21434 in the now published official version?
We believe that it is essential to compare the different versions of ISO/SAE 21434 in order to be able to adapt the requirements to your projects and product development if necessary. This requires a dedicated synchronization; simply comparing the last three versions side by side is not sufficient.
For this purpose, we have been working intensively over the last few months on an ISO/SAE 21434 synchronization tool that allows you to compare the different versions of the standard in a way that is as straightforward and user-friendly as possible.
We are happy to provide organization-specific support to help you understand how the different ISO/SAE versions relate to each other and what you need to adopt to work according to the now officially published standard. Additionally, we offer automotive cybersecurity training, which in turn sets the path for the automotive cybersecurity certification that will help you and your team provide proof of competence as required by ISO/SAE 21434.
We also provide dedicated Automotive Cybersecurity for Executives and Managers Sessions, where an overview of relevant standards and regulations, certifications and associated requirements for the organization is provided. Additionally, a Q&A session gives all attendees plenty of opportunity to ask organization-specific questions and get reliable answers from experts. Alternatively, you can also get an overview of cyber security standards for the automotive industry in a short video course.
Additional Information materials next to the document of the standard
ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering is the main reference for automotive cybersecurity. Even though ISO/SAE 21434 is only now officially published, further information is already available from the start.
The Essential Guide to ISO/SAE 21434, the first officially licensed book on ISO/SAE 21434
The Essential Guide to ISO/SAE 21434 (the world’s first reference book on ISO/SAE 21434, published in July 2021, and officially licensed by ISO/DIN) is the first reference book to contain the requirements and work products of the standard. The (hardcover) book refers to ISO/SAE 21434 in the DIS version, which follows the same scope as the FDIS and the now published standard.
The DIS version of ISO/SAE 21434, and accordingly also the book, even contain some additional aspects.
This becomes even clearer when comparing the scope of the DIS with the latest release of ISO/SAE 21434:2021. The DIS version includes 116 requirements (RQ), 18 recommendations (RC) and 7 permissions (PM), whereas the official standard now published has 101 RQ, 13 RC and 4 PM. The sub-clause 10.4.3 “Specific requirements for software development” of the DIS has even been removed.
In direct comparison, it could even be said that the official publication contains fewer requirements, but also leaves larger gaps in terms of concrete guidance.
Accordingly, The Essential Guide to ISO/SAE 21434, based on the DIS, does not differ from the now published official standard, but continues to offer a wide-ranging introduction (going beyond ISO/SAE 21434) to the complex topic of automotive cybersecurity.
Please note: The Essential Guide to ISO/SAE 21434 is no longer available for order. Learn more about the upcoming subsequent publication ISO/SAE 21434:2021 Workbook here.
ISO/SAE 21434 as Pocket Guide
At the beginning of 2021, we published the world’s first pocket guide to ISO/SAE 21434. (Instead of nearly a hundred A4 pages, the entire standard can be worked through in a handy pocket format – a success: almost a thousand automotive cybersecurity specialists worldwide have ordered their hard copy.) This current first edition of the Pocket Guide is based on ISO/SAE 21434 in DIS status.
The terms and conditions of publication for this official standard (which was developed for the first time by ISO in cooperation with SAE) do not allow a reproduction such as our Pocket Guide until six months after the official publication of the standard at the earliest.
Therefore, with each order of our ISO/SAE 21434 Pocket Guide (in the current edition, DIS version), you will receive a voucher for a free Pocket Guide in the version based on the official ISO/SAE 21434:2021.
(Please note: The Pocket Guide ISO/SAE 21434:2021 will be published in March 2022 at the earliest for these licensing reasons.)
Please note: The ISO/SAE 21434 Pocket Guide is no longer available for order. Learn more about the upcoming subsequent publication ISO/SAE 21434:2021 Workbook here.
Publication of the official ISO/SAE 21434: Understand the scope of ISO/SAE 21434:2021 with our info webcast
In our daily consulting business, we have noticed in recent months and years that the discussion of ISO/SAE 21434 (and its draft versions) takes place at very different levels.
We would like to take the publication of the official ISO/SAE 21434:2021 as an opportunity for an info webcast in which we provide a current information update on the publication that has now taken place (as of August 2021).
Although by now it has become common knowledge that ISO/SAE 21434 is to be applied to all E/E systems within a road vehicle (i.e. all electrical and electronic systems), a far-reaching misunderstanding has persisted from the start: ISO/SAE 21434 does not only refer to the product, but rather requires a holistic approach to cybersecurity along the entire product lifecycle, along all phases of the development project and with far-reaching effects on the organization.
How does this now become concretely articulated in the (updated) structure of the official ISO/SAE 21434:2021?
Use our info webcast (free of charge) to get a quick update on the publication of the ISO/SAE 21434:2021.
Update Sep 28: The video recording of our webcast is now online on the CYRES Academy Online Learn Platform. Here you go: ISO/SAE 21434 Official Publication Info-Webcast [Video-Recording]
Be one step ahead: use a Gap Analysis to pre-audit to ISO/SAE 21434 compliance already today
Are you wondering whether what you are doing today is sufficient to comply with ISO/SAE 21434 and UN R155 in the future? Whether there are any cybersecurity aspects that have been neglected, or even forgotten, while setting up the development of your vehicle component or the car itself? Will your product or process fulfill tough cybersecurity requirements?
It is of central importance to have answers to these central questions. Only then can you initiate or continue adequate measures on each level, implement them at the right time, and adjust them where necessary. Detecting gaps at an early stage will pay off in the end, as it will prevent costly corrections afterwards. It will ensure full compliance with ISO/SAE 21434, ISO PAS 5112, and ultimately with UN R155 in the future.
As pioneers in the field of automotive cybersecurity, we have already gained deep knowledge and much experience around ISO/SAE 21434. (CYRES Consulting is a member of the DIN and ISO working group that covers cybersecurity topics such as ISO/SAE 21434 and ISO PAS 5112 and is, for example, designing guidelines for auditing cybersecurity engineering related to road vehicles.)
It is of particular interest to us to not only define those cybersecurity guidelines and criteria of compliance, but also to apply and practically evaluate them in real cases with our clients.
Our approach is to offer cybersecurity expertise to pioneers who want to start applying cybersecurity already today.
- Is your organization a car manufacturer or supplier?
- Are you already dealing with ISO/SAE 21434 or UN R155, but are not sure if your actions and measures are sufficient to meet the new requirements?
- Have you only heard about ISO/SAE 21434 and UN R155, but have not started cybersecurity measures at all?
The ISO/SAE 21434 gap analysis covers not only principles from ISO/SAE 21434 and ISO PAS 5112, but also the scope of UN R155 and makes use of the best practices in the automotive industry.
Together we can make sure that none of your scarce resources are wasted, and that you initiate or adjust your investments and measures the right way at the right time.
Find out more about our ISO/SAE 21434 Gap Analysis.
Philipp Veronesi is founder and managing director of CYRES Consulting, one of the leading automotive cybersecurity consultancies. He has many years of practical experience not only in engineering but also in the management of technically challenging development projects for leading players in the automotive industry, including BMW, Audi, Rolls Royce, and others.