Play

International automotive cybersecurity standards

Are you wondering what you need to do in order to comply with internationa regulations on cybersecurity – and how these standards can help you achieve a high level of cybersecurity? Here, you'll find the necessary information including a free whitepaper and an informative video clip.

Back to Automotive Cybersecurity
Your free white paper

Interested in a summary of the regulatory compliance? Our free white paper provides you with all key information?

In this video, we‘ will explore the complex regulatory framework on cybersecurity governing the automotive industry. For this, we take a closer look at selected international standards and guidelines and their interfaces with ISO/SAE 21434.

These regulations come from different organizations and are applicable in different regions, including

  • International Organization for Standardization (ISO)
  • UNECE WP.29, the United Nations Economic Commission for Europe‘s World Forum for Harmonization of Vehicle Regulations
  • NHTSA, the National Highway Traffic Safety Administration
  • Additional European and Chinese regulations
We're here for you

Need support with a key project? We’re your first port of call when it comes to management consulting and improvement programmes in electronics development.

Steffen Herrmann and the sales team

Process-oriented standards

ISO & SAE, responsible for setting global standards, introduced ISO/SAE 21434. This standard is by definition part of the state-of the art for cybersecurity engineering for road vehicles. This is why other standards take it into consideration as well.

Explained in one sentence, it provides guidelines to ensure that cybersecurity is integrated throughout the vehicle lifecycle. A Cybersecurity Management System is the basis for that.

You can say this standard acts as a central hub, interfacing with other standards such as ISO 27001. ISO/SAE 21434 requires the existence of certain management systems, including a QMS, a Quality management system or an ISMS, an information security management system. The Cybersecurity Management System, CSMS for short, builds on these other management systems. However, ISO/SAE 21434 does not specify in detail how these necessary management systems must be implemented. This can be found within the actual standards.

The automotive specifics of such an information security management system are covered by TISAX: The Trusted Information Security Assessment Exchange is based on ISO 27001 and extends information security to include automotive specific topics such as prototype protection. ISO 27001 is applying to all industries, while TISAX is specific to the automotive industry.

Let’s have a closer look at OEM´s. Based on UNECE Regulation 155, OEMs must have a cybersecurity management system in place. Here, too, ISO/SAE 21434 is helpful because it can be used to implement a CSMS. If the CSMS is missing, OEMs are no longer granted type approval for new vehicle types in the UNECE market since July 2022. From July 2024, this will also apply to legacy vehicles which are still in production and need to be registered at the registration office.

To check whether the implemented CSMS meets all requirements, the ISO PAS 5112 can be consulted. In this audit norm you will find guiding questions and the link to the objectives and work products of ISO/SAE 21434. Moreover, there is also an interpretation document publicly available for UNECE R155.

If you want to learn more about CSMS implementation, I recommend watching our other videos on the topic.

Let us draw an interim conclusion: The required cybersecurity management systems only work effectively if other management systems and mature processes are in place. Here, various standards and norms offer guidance.

One objective of the ISO/SAE 21434 is to maintain cybersecurity during and after updates. Unfortunately, the standard does not contain much information on this topic. Therefore, there is a dedicated standard, ISO 24089, which focuses entirely on software update engineering, on the security and safety of the overall process.
ISO 24089 is dependent on conformity with ISO SAE 21434.

With UNECE R 156, there is also a corresponding UN regulation that requires a Software Update Management System, SUMS for short. Again, without an effective SUMS, no vehicle type approvals for the OEM.

Automotive SPICE for Cybersecurity, which is based on the ISO/SAE 21434, can help to assess the process-related cybersecurity risks in your product development. Within that process assessment model there are additional processes for cybersecurity engineering. But the scope of Automotive SPICE is limited to the product development phases. The equally important processes of the post-development phase are not covered.

Enough of looking in the rear-view mirror. Let´s have a look at upcoming standards, which will have an impact on automotive cybersecurity: This following question is currently driving the entire automotive industry: How to do verification and validation according to ISO/SAE 21434 concerning the different implications along the supply chain. In particular, how to perform item-level validation, meaning on vehicle-level, when you are responsible further down the supply chain e.g. for a component rather than the whole item.
But don’t worry, Guidance is coming: The standard is currently work in progress: the ISO/SAE PAS 8477: named Road vehicles - cybersecurity verification and validation.

This document includes technical considerations on the planning and execution of verification and validation (“V&V”) of the cybersecurity of items and components of road vehicles, in the context of ISO/SAE 21434:2021. Release is planned for 2024.

It addresses

  • Strategic approaches for V&V activities;
  • Lists or references to methods that can be applied;
  • Guidance on distribution of V&V activities between customer and supplier.

Crucial for a non-item-owner is to contribute to the party able to do validation on vehicle level by providing the essential information on their assumptions, claims, corresponding risk information.

From a quality assurance perspective, we need a reliable and systematic approach. We address this question by imagining the training and verification, and testing process like the peels of an onion. This onion illustrates the determined sequence as well as the dependencies.

In automotive cybersecurity, you cannot determine a definite degree to which your system is secure. There is also no correspondence to the capability level in Automotive SPICE or the automotive safety integrity levels in functional safety. This leads to uncertainty whether the measures taken are enough.

For this, another standard in progress is: ISO/SAE PAS 8475: Road Vehicles – Cybersecurity Assurance Levels and Targeted Attack Feasibility. This document elaborates on the Cybersecurity Assurance Level concept and introduces the Targeted Attack Feasibility concept, both within the context of cybersecurity engineering for road vehicles in accordance with ISO/SAE 21434.
 
It describes the conceptual models, main principles, and relationships between CAL, TAF and other concepts. It provides guidelines to determine and use CAL and TAF for cybersecurity engineering of items and components.

As a conclusion, we can formulate this take-away: Cybersecurity Assurance Levels create a concept to determine the state of security for items and components.

ISO/IEC AWI 5888 is an upcoming standard designed to establish security requirements and evaluation procedures for connected vehicle devices. This standard is following the ISO/IEC 15408 framework. It outlines a structured process for formulating precise security requirements and conducting objective evaluation tasks.

Within the context of this standard, „connected vehicle devices“ refer to components found in vehicles, some of which may have known vulnerabilities as listed in R155. These vulnerabilities are particularly relevant to components that are remotely accessible and have the potential to cause significant harm if exploited.

The standard will provide a framework for developers, information security service providers, and ISO/IEC 15408 evaluation laboratories to assess and evaluate the security features of these devices based on the defined security requirements and evaluation activities.

To cope with the software-defined vehicle, ISO/IEC AWI 5888 gives you a framework to determine and handle requirements meticulously. Its release is planned for 2025.

SINCE 2008

We’re proud that we have been one of the pioneers of functional safety since 2008 and that this has given us the opportunity to leverage our experience in developing the ISO 26262 safety standard.

Functional safety in automotive electronics? We’re the experts!

700+ PROJECTS

We have a wealth of experience in functional safety according to ISO 26262, having conducted over 700 projects with more than 100 clients worldwide.

Functional safety in automotive electronics? We’re the experts!

+100 SPECIALISTS

To date, we have trained more than 100 specialists under the TÜV Rheinland Functional Safety (Automotive) certification scheme.

Functional safety in automotive electronics? We’re the experts!

18 Experts

We already have 18 experts certified under the TÜV Rheinland Functional Safety (Automotive) scheme, or privately approved as official trainers.

Functional safety in automotive electronics? We’re the experts!

+250 YEARS

If we add up the experience of our experts in the field of functional safety, it comes to no less than 250 years.

Functional safety in automotive electronics? We’re the experts!

Classic manual

Who wrote the classic manual on Functional Safety in Practice, or Functional Safety Essentials? We did.

Functional safety in automotive electronics? We’re the experts!

WE CAN SUPPORT YOU WITH

  • Fostering awareness for the need for comprehensive end-to-end safeguards
  • Detailed assessments of any threats posed 
  • Matching your cybersecurity policies to processes, products and IT requirements; managing involved specialists
  • Assessing and improving your development processes with respect to security issues
  • Adapting existing workflows and procedures to address key cybersecurity issues
  • Ensuring systems conform to UNECE homologation guidelines
  • Definition and introduction of new development processes in keeping with the requirements of ISO/SAE 21434
  • Evaluation, development and implementation of cybersecurity management systems
  • Selection of relevant security technology and industry standards according to your requirements

Download Report