ISO & SAE, responsible for setting global standards, introduced ISO/SAE 21434. This standard is by definition part of the state-of the art for cybersecurity engineering for road vehicles. This is why other standards take it into consideration as well.

Explained in one sentence, it provides guidelines to ensure that cybersecurity is integrated throughout the vehicle lifecycle. A Cybersecurity Management System is the basis for that.

You can say this standard acts as a central hub, interfacing with other standards such as ISO 27001. ISO/SAE 21434 requires the existence of certain management systems, including a QMS, a Quality management system or an ISMS, an information security management system. The Cybersecurity Management System, CSMS for short, builds on these other management systems. However, ISO/SAE 21434 does not specify in detail how these necessary management systems must be implemented. This can be found within the actual standards.

The automotive specifics of such an information security management system are covered by TISAX: The Trusted Information Security Assessment Exchange is based on ISO 27001 and extends information security to include automotive specific topics such as prototype protection. ISO 27001 is applying to all industries, while TISAX is specific to the automotive industry.

Let’s have a closer look at OEM´s. Based on UNECE Regulation 155, OEMs must have a cybersecurity management system in place. Here, too, ISO/SAE 21434 is helpful because it can be used to implement a CSMS. If the CSMS is missing, OEMs are no longer granted type approval for new vehicle types in the UNECE market since July 2022. From July 2024, this will also apply to legacy vehicles which are still in production and need to be registered at the registration office.

To check whether the implemented CSMS meets all requirements, the ISO PAS 5112 can be consulted. In this audit norm you will find guiding questions and the link to the objectives and work products of ISO/SAE 21434. Moreover, there is also an interpretation document publicly available for UNECE R155.

If you want to learn more about CSMS implementation, I recommend watching our other videos on the topic.

Let us draw an interim conclusion: The required cybersecurity management systems only work effectively if other management systems and mature processes are in place. Here, various standards and norms offer guidance.

One objective of the ISO/SAE 21434 is to maintain cybersecurity during and after updates. Unfortunately, the standard does not contain much information on this topic. Therefore, there is a dedicated standard, ISO 24089, which focuses entirely on software update engineering, on the security and safety of the overall process.
ISO 24089 is dependent on conformity with ISO SAE 21434.

With UNECE R 156, there is also a corresponding UN regulation that requires a Software Update Management System, SUMS for short. Again, without an effective SUMS, no vehicle type approvals for the OEM.

Automotive SPICE for Cybersecurity, which is based on the ISO/SAE 21434, can help to assess the process-related cybersecurity risks in your product development. Within that process assessment model there are additional processes for cybersecurity engineering. But the scope of Automotive SPICE is limited to the product development phases. The equally important processes of the post-development phase are not covered.

Enough of looking in the rear-view mirror. Let´s have a look at upcoming standards, which will have an impact on automotive cybersecurity: This following question is currently driving the entire automotive industry: How to do verification and validation according to ISO/SAE 21434 concerning the different implications along the supply chain. In particular, how to perform item-level validation, meaning on vehicle-level, when you are responsible further down the supply chain e.g. for a component rather than the whole item.
But don’t worry, Guidance is coming: The standard is currently work in progress: the ISO/SAE PAS 8477: named Road vehicles - cybersecurity verification and validation.

This document includes technical considerations on the planning and execution of verification and validation (“V&V”) of the cybersecurity of items and components of road vehicles, in the context of ISO/SAE 21434:2021. Release is planned for 2024.

It addresses

Crucial for a non-item-owner is to contribute to the party able to do validation on vehicle level by providing the essential information on their assumptions, claims, corresponding risk information.

From a quality assurance perspective, we need a reliable and systematic approach. We address this question by imagining the training and verification, and testing process like the peels of an onion. This onion illustrates the determined sequence as well as the dependencies.

In automotive cybersecurity, you cannot determine a definite degree to which your system is secure. There is also no correspondence to the capability level in Automotive SPICE or the automotive safety integrity levels in functional safety. This leads to uncertainty whether the measures taken are enough.

For this, another standard in progress is: ISO/SAE PAS 8475: Road Vehicles – Cybersecurity Assurance Levels and Targeted Attack Feasibility. This document elaborates on the Cybersecurity Assurance Level concept and introduces the Targeted Attack Feasibility concept, both within the context of cybersecurity engineering for road vehicles in accordance with ISO/SAE 21434.
 
It describes the conceptual models, main principles, and relationships between CAL, TAF and other concepts. It provides guidelines to determine and use CAL and TAF for cybersecurity engineering of items and components.

As a conclusion, we can formulate this take-away: Cybersecurity Assurance Levels create a concept to determine the state of security for items and components.

ISO/IEC AWI 5888 is an upcoming standard designed to establish security requirements and evaluation procedures for connected vehicle devices. This standard is following the ISO/IEC 15408 framework. It outlines a structured process for formulating precise security requirements and conducting objective evaluation tasks.

Within the context of this standard, „connected vehicle devices“ refer to components found in vehicles, some of which may have known vulnerabilities as listed in R155. These vulnerabilities are particularly relevant to components that are remotely accessible and have the potential to cause significant harm if exploited.

The standard will provide a framework for developers, information security service providers, and ISO/IEC 15408 evaluation laboratories to assess and evaluate the security features of these devices based on the defined security requirements and evaluation activities.

To cope with the software-defined vehicle, ISO/IEC AWI 5888 gives you a framework to determine and handle requirements meticulously. Its release is planned for 2025.