Intro to ISO/SAE 21434

Modern vehicles feature complex E/E architectures, integrating connectivity (e.g., over-the-air updates, infotainment systems) and automation (e.g., ADAS, autonomous driving). While these innovations enhance convenience and safety, they also expand the attack surface.

A successful attack could:

  • Compromise passenger safety (e.g., disabling brakes or steering).

  • Leak sensitive data (e.g., location tracking, user preferences).

  • Disrupt critical infrastructure (e.g., large-scale fleet vulnerabilities).


The ISO/SAE 21434 Standard

ISO/SAE 21434 provides a structured framework for managing cybersecurity across a vehicle's lifecycle. Here's an overview of its key clauses:

1. Clause 4 - General Consideration

This clause is informational and gives the context and perspective of the approach to road vehicle cybersecurity engineering taken in the standard.

2. Clause 5 - Organizational Cybersecurity

It includes the cybersecurity management and specification of the organizational cybersecurity policies, rules and processes.

3. Clause 6 - Project Dependent Cybersecurity Management

Project dependent cybersecurity management includes the cybersecurity management and cybersecurity activities at the project level.

4. Clause 7 - Distributed Cybersecurity Activities

It includes requirements for assigning responsibilities for cybersecurity activities between customer and supplier.

5. Clause 8 - Continual Cybersecurity Activities

Continual cybersecurity activities include activities that provide information for ongoing risk assessments and define vulnerability management of E/E systems until the end of cybersecurity support.

6. Clause 9 - Concept

It includes activities that determine cybersecurity risks, cybersecurity goals and cybersecurity requirements for an item.

7. Clause 10 - Product Development

It includes activities that define the cybersecurity specifications, and implement and verify cybersecurity requirements.

8. Clause 11 - Cybersecurity Validation

Cybersecurity validation includes the cybersecurity validation of an item at the vehicle level.

9. Clause 12 - Production

The production phase includes the cybersecurity-related aspects of manufacturing and assembly of an item or component.

10. Clause 13 - Operation & Maintenance

It includes activities related to cybersecurity incident response and updates to an item or component.

11. Clause 14 - End of Cybersecurity & Decommissioning

It includes cybersecurity considerations for end of support and decommissioning of an item or component.

12. Clause 15 - Threat Analysis and Risk Assessment

TARA methods include modular methods for analysis and assessment to determine the extent of cybersecurity risk so that treatment can be pursued.


Key Cybersecurity Activities

Automotive cybersecurity involves a series of activities to ensure robust protection:

  1. Threat Analysis and Risk Assessment (TARA)

    • Identify potential threats and assess their impact and feasibility.

    • For example, evaluating the risk of a remote attacker exploiting the CAN bus to manipulate vehicle controls.

  2. Defining Cybersecurity Requirements

    • Translating risks into specific technical measures (e.g., encryption, authentication).

  3. Cybersecurity Validation

    • Verifying that the implemented measures meet cybersecurity goals at the system and vehicle levels.

  4. Incident Response and Management

    • Preparing for potential cybersecurity incidents with predefined response strategies.

  5. End-of-Support Considerations

    • Ensuring secure decommissioning of vehicle components to prevent future exploitation.

By adhering to ISO/SAE 21434, OEMs can ensure compliance with UN R155 requirements, as the standard provides the technical foundation for processes and for implementing robust cybersecurity practices.


Common Attack Scenarios in Automotive Systems

Understanding potential threats helps in designing effective countermeasures:

  1. CAN Bus Attacks

    • Exploiting the broadcast nature of the CAN bus to inject malicious messages.

    • Mitigation: Use of secure CAN protocols with message authentication.

  2. Man-in-the-Middle (MITM) Attacks

    • Intercepting communications between ECUs or external interfaces.

    • Mitigation: Encryption protocols like TLS.

  3. Over-the-Air (OTA) Exploits

    • Tampering with software updates to inject malware.

    • Mitigation: Secure boot and code signing.

  4. Unauthorized Diagnostic Access

    • Abusing diagnostic ports (e.g., OBD-II) to manipulate vehicle settings and features.

    • Mitigation: Firewall and Role-based access control.
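The message-authentication mitigation listed for CAN bus attacks, sketched as an added example (not part of the original page): each frame carries a truncated MAC and a freshness counter, so the receiver drops injected, modified and replayed frames. The frame layout, the `Sender`/`Receiver` names and the demo key are assumptions, and HMAC-SHA256 from the Python standard library stands in for the AES-CMAC that production schemes such as AUTOSAR SecOC typically use.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))  # constructed demo key; real ECUs hold keys in an HSM
MAC_LEN = 4             # truncated MAC bytes carried in each frame (assumed layout)
WINDOW = 16             # how far the counter may jump ahead (tolerates lost frames)

def frame_mac(key, can_id, payload, counter):
    # The MAC covers the CAN ID, the full 64-bit freshness counter and the payload.
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def build(self, can_id, payload):
        if len(payload) + 1 + MAC_LEN > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")
        self.counter += 1
        # Data field: payload | low byte of counter | truncated MAC
        tag = frame_mac(self.key, can_id, payload, self.counter)
        return can_id, payload + bytes([self.counter & 0xFF]) + tag

class Receiver:
    def __init__(self, key):
        self.key, self.last = key, {}  # last accepted counter per CAN ID

    def verify(self, can_id, data):
        """Return the payload if the frame is authentic and fresh, else None."""
        if not MAC_LEN + 1 <= len(data) <= 8:
            return None
        payload, low, tag = data[:-MAC_LEN - 1], data[-MAC_LEN - 1], data[-MAC_LEN:]
        last = self.last.get(can_id, 0)
        # Rebuild the full counter: smallest value above `last` with this low byte.
        counter = (last & ~0xFF) | low
        if counter <= last:
            counter += 0x100
        if counter - last > WINDOW:
            return None  # stale (replayed) or implausibly far ahead
        if not hmac.compare_digest(tag, frame_mac(self.key, can_id, payload, counter)):
            return None  # forged or modified frame
        self.last[can_id] = counter
        return payload

if __name__ == "__main__":
    tx, rx = Sender(KEY), Receiver(KEY)
    frame = tx.build(0x123, b"\x01\x02\x03")
    print("genuine:", rx.verify(*frame))
    print("replayed:", rx.verify(*frame))
```

With 5 of the 8 data bytes spent on counter and MAC, only 3 bytes of payload remain per classic CAN frame, which is the practical cost of authenticating this bus.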


Building a Career in Automotive Cybersecurity

To excel in this field, you should focus on:

  1. Understanding Automotive Protocols

    • Study communication protocols like CAN, LIN, and Ethernet, along with diagnostic standards like UDS and DoIP.

  2. Learning Security Principles

    • Gain expertise in encryption, secure coding, and penetration testing.

  3. Mastering Relevant Standards

    • Familiarize yourself with ISO/SAE 21434 and UNECE WP.29 regulations.

  4. Practical Experience

    • Experiment with cybersecurity tools (e.g., python-can, Scapy) and simulate attacks in controlled environments.

  5. Staying Updated

    • Cybersecurity is dynamic; continuous learning through certifications (like CISSP, CEH, OSCP) and industry news is crucial.

Conclusion

Automotive cybersecurity is more than a technical discipline; it’s a commitment to ensuring safety and trust in a rapidly evolving mobility landscape. By leveraging standards like ISO/SAE 21434 and building foundational skills, beginners can play a vital role in protecting the vehicles of tomorrow.

If you're intrigued by this field, take the first step by exploring our other resources, building hands-on skills, and staying informed about the latest developments. A safer, more secure automotive future awaits your contributions!

Refer to the official standard page to learn more.
