Which of these milestones has your organization reached, so far?
The ISO/SAE 21434 standard covers all stages of a vehicle’s cybersecurity lifecycle, from designs through decommission, and implementation of security safeguards throughout the supply chain. Although ISO/SAE 21434 is a relatively new standard, there are already compelling milestones that pave the way to complete compliance.
We can divide the standard into four major requirements:
- Risk assessment and management – where organizations must identify, assess, and manage cybersecurity risks, and create a plan to address cyber incidents
- Security controls – requiring organizations to implement cyber risk mitigations such as Authentication and Integrity
- Information sharing – which obligates manufacturers to share information with suppliers, customers, and other stakeholders
- Mitigation strategies – to minimize the impact of incidents on automotive systems
These significant requirements align with a 15-section structure and additional annexes. The projected milestones are listed below.
- Sections 1-4: General organizational project topics such as scope, terms and abbreviations, and a cybersecurity ecosystem.
- Section 5: Organizational cybersecurity management aspects. Cybersecurity governance, cybersecurity culture, policies and strategies.
- Section 6: Project-specific cybersecurity management. Planning and identifying the extent of the risk.
- Section 7: Distributed cybersecurity activities that include sub-suppliers’ distribution and Cybersecurity Interface Agreements for development.
- Section 8: Continual cybersecurity activities requiring monitoring and analyzing vulnerabilities, and vulnerability management throughout the vehicle lifecycle.
- Section 9: The concept phase: determining cybersecurity risks, defining cybersecurity-related goals, and developing the cybersecurity concept.
- Sections 10-11: Production development: Design, integration, verification, and validation of cybersecurity controls, related to all items at the ECU level and at the vehicle level.
- Sections 12-13-14: Post-development processes that include: manufacturing and assembly, operation, maintenance, incident response and updates, and cybersecurity considerations for end of support and decommissioning of an item or component.
- Section 15: Includes modular methods for TARA scenarios; Serves as the input to the concept phase (Section 9).
