The publication of the ISO/SAE 21434 standard in August 2021 – hence the designation ISO/SAE 21434:2021 in the official nomenclature – marks a significant step towards global harmonization of cybersecurity efforts in the automotive industry. Three years later, it is time to take a look at the current status of the standard and provide an outlook on (possible) future developments.
Felix Roth
Development and background
The ISO/SAE 21434 standard arose from the urgent need to establish a uniform understanding and approach to cybersecurity in the automotive industry.
While technological development around the vehicle, particularly with regard to the software-defined vehicle (SDV) and autonomous driving, has already progressed rapidly, the domain of automotive cybersecurity has been slower to pick up speed.
The Society of Automotive Engineers’ (SAE) practical guide, which is the basis for today’s ISO/SAE 21434, is the SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems published in 2016. That same year, ISO and SAE began to join forces to develop a more comprehensive approach in a cooperative effort.
Before the final publication of ISO/SAE 21434 in the official “First Edition” in August 2021, the standard went through several stages, including the Draft International Standard (DIS), which also marked the first publication of the standard in 2020, and the Final Draft International Standard (FDIS). The first supplementary specialist publications to support the standard, such as the ISO/SAE DIS 21434 Pocket Guide or The Essential Guide to 21434, have been on the market since then at the latest.
Scope and content of ISO/SAE 21434
The ISO/SAE 21434 standard covers all E/E systems (electrical/electronic systems) and their components and interfaces in vehicles. It covers the entire product lifecycle, including the concept phase, operating phase, maintenance and ultimately decommissioning and the end of cybersecurity support.
Current status and supporting standards
The publication of ISO/SAE 21434 was accompanied by the need for supporting guidance on auditing the standard. This is understandable, because as soon as ISO/SAE 21434 was published, the associated conformity to the standard became one of the most important topics within the multi-stage value chain.
An important tool for auditing ISO/SAE 21434 is PAS 5112, a publicly available specification document based on ISO 19011.
It was published in 2022 and provides guidelines for conducting internal and external audits of a Cybersecurity Management System (CSMS) in accordance with UN Regulation No. 155.
Development of ISO PAS 5112 began in 2020, alongside the finalization of ISO/SAE 21434, and the specification is valid for at least three years before the regular periodic review.
A decision will therefore have to be made in 2025 as to whether ISO PAS 5112 will remain unchanged or whether it will be published as a technical specification. At present, no major changes to the content are expected.
Spoiler: Current view of ISO/SAE 8477 and ISO/SAE PAS 8475
It became clear early on that, in addition to the broad ISO/SAE 21434 standard, other standards would support ISO/SAE 21434. Experts, including those from ISO and SAE, agreed early on that additional efforts would be initiated before a possible “Second Edition” of ISO/SAE 21434 in order to address the most urgent improvements and weaknesses in the standard.
These documents are currently being prepared by the respective working groups, which are made up of leading representatives of the industry:
ISO/SAE PAS 8475 Cybersecurity Assurance Levels
In the current edition of ISO/SAE 21434, Cybersecurity Assurance Levels are only defined as a suggestion, not as a concrete requirement. In the meantime, both OEMs and their suppliers have recognized the benefits of CALs, but the lack of uniform and clear guidelines or a standardized approach has meant that CALs are not yet very widespread.
What is the aim of Cybersecurity Assurance Levels in Automotive?
The main objective of CALs is to specify and communicate a set of activities between supplier and customer to ensure that the cybersecurity engineering is appropriate. In other words, one of the issues is how much cybersecurity verification and validation is required for a component.
Some components are more relevant than others in terms of cybersecurity: they differ in how vulnerable they are to compromise and in the impact a compromise would have.
ISO/SAE PAS 8475 should therefore specify different assurance levels and provide guidelines for selecting the correct CAL for the element or component and for the activities to be performed for each level.
In addition, a further attribute is to be introduced that has not yet been mentioned in ISO/SAE 21434: Targeted Attack Feasibility (TAF).
TAF describes the expected attack potential of an item or component after the assignment of cybersecurity controls. The aim of TAF is to support customers in communicating technical requirements more precisely to their suppliers.
The publication of ISO/SAE PAS 8475 is currently planned for the second half of 2025, the DPAS for the middle of the year.
ISO/SAE 8477 Verification and Validation
Another urgent topic that has already been introduced but has not yet been fully defined for practical use is the verification and validation process for vehicle cybersecurity.
Although ISO/SAE 21434 already contains some requirements and examples for verification and validation (V&V) activities, there are several calls in the industry for more guidelines on this topic.
However, the difficulties here begin with the interpretation of the difference between “verification” and “validation” in practice.
Do suppliers carry out verification and OEMs focus on validation? Is verification only requirements-based testing? Does validation only include penetration testing?
A more detailed technical report will clarify these issues and provide a standardized definition of V&V along with examples for each of the activities.
Tip: Learn more about V&V and vehicle cybersecurity in our concise learning course V&V demystified: Verification & Validation in automotive cybersecurity explained – incl. V&V methods and strategy (Video Course)
About the challenge of V&V in automotive cybersecurity
Another possible reason for the intense focus on this topic is that cybersecurity is not binary. In many cases, it is not a question of “if”, but of “how”.
When conducting cybersecurity V&V, it’s important to go beyond testing against requirements and have a solid strategy that builds confidence in the component’s cybersecurity.
A clear reference such as ISO/SAE TR 8477 can therefore be very useful for the entire field of V&V in automotive cybersecurity. In particular, establishing clear and consistent processes requires a framework that must be defined in some way in order to simplify implementation in practice.
Originally planned as a PAS, this standard could be published as a Technical Report and include technical considerations for the planning and implementation of verification and validation.
Key Learnings
- Three years after its official publication, ISO/SAE 21434 has established itself as the most important reference for all E/E systems and their components and interfaces with respect to cybersecurity engineering throughout the automotive product lifecycle.
- While ISO/SAE 21434 still defines CALs as a proposal, OEMs and suppliers have recognised the need for standardisation, resulting in ISO/SAE PAS 8475 Cybersecurity Assurance Levels planned for the second half of 2025.
- Further guidance is also to be provided on Verification and Validation (V&V) activities – ISO/SAE TR 8477 is a planned supplementary technical report, which is intended to provide more detail on the planning and execution of V&V activities.
- Following the 'First Edition' of ISO/SAE 21434, which was published in 2021, it is currently anticipated that work on the 'Second Edition' can begin as early as 2025. This would allow publication of ISO/SAE 21434 'Second Edition' as early as 2028 according to the defined working group cycles.
Future developments and outlook
ISO/SAE 21434 in the “First Edition” of 2021 remains the central reference for cybersecurity management and cybersecurity engineering issues for the internationally networked automotive and vehicle industry.
At the same time, further refinements and extensions to the standard can be expected in the coming years in order to meet the changing requirements of cybersecurity and to respond to feedback from the industry.
A “Second Edition” of the standard is likely to be published by the end of this decade at the latest, possibly as early as 2028, incorporating the experience gained to date and new findings – work on this could begin as early as 2025.
The participating organizations are already collecting feedback at a higher level of application.
The high level of abstraction and the lack of support for concrete application and elaboration are repeatedly pointed out.
At the same time, however, no serious structural adjustments are currently being discussed.
What adaptations a possible “Second Edition” of ISO/SAE 21434 could entail
It can be assumed that cybersecurity assessment issues will be given more weight in the future, that cybersecurity issues in out-of-context and off-the-shelf scenarios will be given more priority and, ultimately, that ISO/SAE 21434 could become a management system standard (corresponding to the ISO MSS structure).