The moment the first manufacturer introduced internet connectivity to a vehicle, cars became vulnerable to cyberattack.
The price of functionality - from live traffic updates to wi-fi for passengers - is vulnerability. At the lower end of the scale, cyber attackers could steal your personal information, but at the higher end, we’re talking a serious risk to life.
As far back as 2015, hackers proved it was possible to take control of a Jeep’s systems, literally driving it off the road. And cybersecurity experts have continued to probe connected cars for weaknesses. In 2019, they managed to trick a Tesla’s self-driving software into swerving into oncoming traffic. It was clear that connected cars need robust cybersecurity protections.
To help the automotive industry produce safe, protected vehicles, a new standard is being launched: ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering Standard. It’s the first ISO to focus specifically on cybersecurity for vehicles. It provides a detailed framework to guide manufacturers through creating processes and policies to manage risk and foster a security culture.
Here’s what everyone in the automotive industry’s supply chain needs to know, so they can start the process of certification:
1. It isn’t just about vehicles
It extends beyond the vehicle to elements you might not expect to be included, such as systems, components and interfaces on the inside of the vehicle and on its perimeter. It even extends to service parts and any work or elements included in the aftermarket (replacement parts not made by the original manufacturer). This is a holistic standard that really drills down into granular detail; assume every part is covered.
2. It isn’t just for car manufacturers
This new security standard is relevant to any company in the vehicle’s supply chain, not just the vehicle’s Original Equipment Manufacturer (OEM). Basically, it applies to the entire industry – and beyond. If what you produce contributes in any way to a vehicle’s components or interfaces, you’ll need to put assessment and compliance processes around them to comply. The standard’s requirements cover every type of supplier and relationship.
3. It covers the full life cycle of a vehicle
As long as the vehicle exists, this standard applies. It provides cybersecurity guidelines across all stages, from design and engineering, through production, operation and maintenance, and on to decommissioning. This means some key processes will have to be realigned to meet requirements. The standard uses a V-model approach to link requirements and design with verification and validation activities. One of the prerequisites is that cybersecurity validation of an item will be performed at vehicle level, once the component is integrated into the vehicle.
4. It will soon be more than ‘just’ a standard
A standard is, by definition, voluntary, but this standard is expected to be the foundation of binding world regulations for cybersecurity in vehicles. The largest international vehicle regulator in the world (the United Nations Economic Commission for Europe World Forum for the Haromization of Vehicle Regulations, known as WP.29), recently published a regulation influenced by and linked to ISO 21434. This “UN Regulation on uniform provisions concerning the approval of vehicles with regard to cybersecurity and of their cybersecurity management systems” is expected to be adopted by the EU and other countries around the world. There are already indications that Korea and Japan will adopt it.
5. It doesn’t recommend cybersecurity solutions and technologies
The standard’s objective is limited to creating a framework and a common language for communicating and managing cybersecurity. A security partner can help you analyse your specific requirements and identify any gaps you have in provision, to help you towards certification.
Preparing the automotive supply chain for a secure future
ISO 21434 is a game changer, touching every aspect of the automotive ecosystem, elevating cybersecurity to a strategic level.
We can help you assess how the standard will impact your business. And, because we’re an agnostic provider, we can offer the right combination of world-leading cybersecurity technology solutions for you - matching your needs and supporting your journey to certification.
To find out more about our security advisory and threat management services, please visit our solution homepage, or get in touch with your account manager.
You may also be interested in our webinar on 30 March - When two worlds collide: How to define your IT / OT Security strategy.