ISO/SAE 21434 is ready

Binary ghostS. Hermann & F. Richter
Binary ghost

This standard for road-vehicles cybersecurity engineering finally sees the light of day. It was developed under both the International Standards Organisation and the Society of Automotive Engineers, after a lot of hard work from many contributors across the industry. The standard gives a framework within which designers of vehicles, and the electronic control units within them, can provide an appropriate level of cybersecurity. Processes need to be defined and followed, threat analysis performed in order to assess the risks present in a product, according to impact and likelihood, and appropriate decisions taken about how to respond to those risks. In some cases they will be accepted, in others a mitigation will be appropriate. Alternatively, the risk may be shared (with some higher-level system supplier perhaps) or transferred (to an insurance company maybe) or the feature that introduces the risk be removed completely to remove the risk.

What may surprise some is that it does not provide a list of cybersecurity controls which are expected to be implemented. Assuming the surrounding processes in place (cybersecurity management, both in general and project-specific, incident response etc.) one could technically create a vehicle with no cybersecurity controls and still claim compliance with ISO21434 if you have performed all the appropriate steps to assess the risks and have decided they are acceptable.

Leave a comment

Your email address will not be published. Required fields are marked *