Relevance of ISO 21434 for the automotive development process
In this blog article, I am going to explain the relevance of the ISO 21434 standard to the development process in the automotive industry. Learn more about the benefits of cybersecurity standards and how a model-based security risk assessment can help you deal with these issues in an optimal way today.
The first Draft International Standard (DIS) of the upcoming ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” is expected to be available at the end of 2019 or early 2020. The final standard is expected to be released in 2020.
For all participants in the automotive supply chain, this raises the question of the relevance of this standard for the automotive product development and all related processes.
Safety has been an integral part of the automotive development process for decades. Even before the introduction of ISO 26262 “Road vehicles – Functional safety” in 2011, performing FMEAs (Failure Mode and Effects Analysis) and FTAs (Fault Tree Analysis) was part of every automotive development process. The concept of ASIL levels (Automotive Safety Integrity Levels) is well understood and applied throughout the automotive supply chain. As a result, today most drivers consider their vehicles “safe”.
Cybersecurity – the new challenge
With highly connected and (semi-)autonomous vehicles entering the stage, new challenges emerge. Cars are now increasingly subjected to cybersecurity attacks. With multiple interfaces like Wi-Fi, Bluetooth, GSM, other mobile communication standards, or USB, cars have become “connected computers on wheels”. Combined with autonomous driving functions and a life span of 10 years or more, cars are exposed to cyber attacks and the resulting damage for a long time. As cybersecurity risks are not covered by the existing safety norms for road vehicles, new guidelines and standards for automotive cybersecurity need to be established.
Acknowledging the need for a specific automotive cybersecurity standard, ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” is currently in the process of being finalized.
ISO and SAE have a cooperation agreement covering the area of road vehicles and intelligent transport systems. ISO/SAE 21434 is the first standard the two organizations have worked on jointly. 82 companies, including OEMs, ECU suppliers, cybersecurity companies, governing organizations, and others, are actively working on the standard.
There are a number of benefits of having a global standard for automotive cybersecurity. The standard defines the common terminology to be used across the entire supply chain. The target is to drive an industry-wide consensus related to key cybersecurity issues in the automotive domain. With a defined set of criteria for cybersecurity engineering, the industry can demonstrate that it takes the new security challenges seriously.
ISO/SAE 21434 will furthermore become the main reference for regulators, with the aim of minimizing contradictions between national and international regulations.
Scope of ISO/SAE 21434
The standard will be applicable to road vehicles including their sub-systems, components, connections, and software. The purpose of the norm is to ensure that OEMs and all participants in the supply chain have structured processes in place that support a “security by design” process.
Similar to ISO 26262, the new ISO/SAE 21434 looks at the entire development process and life cycle of a vehicle. It follows the V-model. During all phases, including requirements engineering, design, specification, implementation, test, and operations, security aspects need to be taken into consideration.
A secure vehicle is the result of security-aware requirements analysis, design, and product specification. The protection needs of a vehicle must be established in an iterative process.
ISO/SAE 21434 will not describe specific cybersecurity technologies or solutions. It will also not include specific recommendations on countermeasures, like encryption methods, telecommunication systems, or back-office solutions.
Security risk assessment in ISO/SAE 21434
Determining the security risk level of a vehicle and its components will be one of the key activities defined in the standard.
The current committee draft dedicates an entire section to “Risk Assessment Methods & Treatments”. More than 50 participants of the ISO/SAE 21434 project group are working on the topic of risk assessment methods.
The goal is to achieve a reasonably high security level – not the highest possible level. In the safety domain, a risk assessment is done by performing a “hazard and risk analysis” (HARA). The equivalent in the security domain is TARA: the “threat assessment and remediation analysis” or “threat analysis and risk assessment”.
Steps that need to be performed during the security risk assessment include the identification of assets and the determination of the potential damage resulting from a violation of their security properties. Potential threats, attacks, and vulnerabilities need to be identified and analyzed. Based on the damage scenarios and the likelihood of successful attacks, the risk level can be determined. In an iterative process, countermeasures like encryption are applied to the system until the remaining risk level is acceptable.
Important steps and results of the risk assessment process will have to be documented in reports. This includes, e.g., asset lists, damage scenarios, attack reports, or risk reports.
Rationale for a model-based security risk assessment
Most of the steps in the automotive development process are already model-based. Examples are the use of SysML or UML in the architecture process and model-based software development approaches. In the safety domain, FMEAs and FTAs are also based on functional models.
A model-based security risk assessment would benefit from the existing models in the development process. Existing structural or functional models can be used to determine assets, damages, vulnerabilities, and threats. Countermeasures like encryption mechanisms including the encryption keys become an integral part of the system model.
By tracing requirements, functions, architectural elements, source code, and tests across the entire V-model and connecting them to the security risk analysis, key tasks can be performed efficiently throughout the life span of the system; documentation, reporting, and impact analysis are just some examples.
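To make the risk assessment steps from the previous section and the model-based rationale above concrete, here is an added, runnable walk-through in Python. It is illustration code written for this article, not itemis or YAKINDU code and not a rating scheme taken from ISO/SAE 21434: the miniature system model (a telematics unit, a CAN bus, a brake ECU), the 1..4 impact and attack-feasibility scales, the risk matrix, the countermeasure catalogue and the acceptable risk level are all constructed assumptions. What it shows is the shape of the process: assets are derived from model elements plus a security property, damage scenarios and attack paths are rated, a risk level is read from the matrix, and countermeasures are applied iteratively (and traced back to the attack path they treat) until the residual risk is acceptable or the catalogue is exhausted, in which case the path is flagged for an explicit acceptance decision.

```python
"""Model-based TARA walk-through (added example, not itemis/YAKINDU code).
The mini system model, the 1..4 impact/feasibility scales, the risk matrix and the
acceptable level are constructed assumptions, not tables from ISO/SAE 21434."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class ModelElement:          # element of the SysML/UML-like system model
    name: str
    kind: str                # "ecu", "bus" or "interface"

@dataclass
class Asset:                 # a model element plus the security property to protect
    element: ModelElement
    security_property: str   # "confidentiality", "integrity" or "availability"

@dataclass
class DamageScenario:
    asset: Asset
    description: str
    impact: int              # 1 (negligible) .. 4 (severe), constructed scale

@dataclass
class AttackPath:
    damage: DamageScenario
    description: str
    feasibility: int         # 1 (very low) .. 4 (high), constructed scale
    countermeasures: List[str] = field(default_factory=list)  # applied measures, traced here

@dataclass
class Countermeasure:
    name: str
    feasibility_reduction: int   # steps by which the measure lowers feasibility (assumption)

# Constructed risk matrix: rows = impact 1..4, columns = feasibility 1..4, cells = risk 1..5.
RISK_MATRIX = [
    [1, 1, 2, 2],
    [1, 2, 3, 3],
    [2, 3, 4, 4],
    [2, 3, 4, 5],
]

def current_risk(path: AttackPath) -> int:
    """Risk of one attack path from its damage impact and current feasibility."""
    return RISK_MATRIX[path.damage.impact - 1][path.feasibility - 1]

def apply_countermeasure(path: AttackPath, measure: Countermeasure) -> None:
    """Treat a risk: the measure joins the model and lowers the path's feasibility."""
    path.feasibility = max(1, path.feasibility - measure.feasibility_reduction)
    path.countermeasures.append(measure.name)

def treat_risks(paths: List[AttackPath], catalogue: Dict[str, List[Countermeasure]],
                acceptable: int) -> List[str]:
    """Iterate: treat the worst open path with its next catalogued measure until every
    path is at or below `acceptable`. Returns paths left above the threshold because the
    catalogue (description -> ordered candidate measures) has nothing further for them."""
    unresolved: List[str] = []
    while True:
        open_paths = [p for p in paths
                      if current_risk(p) > acceptable and p.description not in unresolved]
        if not open_paths:
            return unresolved
        worst = max(open_paths, key=current_risk)
        candidates = [m for m in catalogue.get(worst.description, [])
                      if m.name not in worst.countermeasures]
        if not candidates:
            unresolved.append(worst.description)   # needs an explicit acceptance decision
            continue
        apply_countermeasure(worst, candidates[0])

def risk_report(paths: List[AttackPath]) -> List[dict]:
    """Risk report: asset, damage, ratings and the countermeasures traced to each path."""
    return [{"asset": f"{p.damage.asset.element.name}/{p.damage.asset.security_property}",
             "damage": p.damage.description, "impact": p.damage.impact,
             "feasibility": p.feasibility, "risk": current_risk(p),
             "countermeasures": list(p.countermeasures)} for p in paths]

def run_example(acceptable: int = 2) -> dict:
    """Build the constructed model, assess it, treat the risks and return both reports."""
    telematics = ModelElement("telematics unit", "interface")
    can_bus = ModelElement("powertrain CAN", "bus")
    brake_ecu = ModelElement("brake ECU", "ecu")
    paths = [
        AttackPath(DamageScenario(Asset(brake_ecu, "integrity"),
                                  "unauthorized brake command reaches the brake ECU", 4),
                   "compromised telematics unit injects CAN messages", 3),
        AttackPath(DamageScenario(Asset(telematics, "confidentiality"),
                                  "vehicle position data disclosed", 2),
                   "eavesdropping on unprotected backend traffic", 3),
        AttackPath(DamageScenario(Asset(can_bus, "availability"),
                                  "bus flooding stops powertrain communication", 3),
                   "aftermarket device on the diagnostic connector floods the bus", 2),
    ]
    catalogue = {   # candidate measures per path; the third path deliberately has none
        paths[0].description: [Countermeasure("CAN gateway message filtering", 1),
                               Countermeasure("secure onboard communication (MAC)", 1)],
        paths[1].description: [Countermeasure("TLS between telematics and backend", 2)],
    }
    initial = risk_report(paths)
    unresolved = treat_risks(paths, catalogue, acceptable)
    return {"initial": initial, "final": risk_report(paths), "unresolved": unresolved}

if __name__ == "__main__":
    for entry in run_example()["final"]:
        print(entry)
```

Running the script prints the final risk report. The brake-ECU path starts at risk 4 and needs both catalogued measures to reach the acceptable level 2; the telematics path is treated by a single measure; the CAN availability path stays at risk 3 and is returned as unresolved, which is the signal that the remaining risk has to be accepted explicitly or a new countermeasure has to be added to the model. Because every applied measure is recorded on the attack path it treats, the same data serves the documentation, reporting, and impact-analysis tasks mentioned above: removing a measure from the model immediately shows which risk levels change.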
We at itemis strongly believe in the advantages of model-based systems and software engineering. This includes our tooling approach for security risk analysis for ISO/SAE 21434.
With YAKINDU Security Analyst, we provide an out-of-the-box security risk analysis solution for the automotive domain – ready for ISO/SAE 21434.
Request additional information on YAKINDU Security Analyst or sign up for a free webinar.