The future ISO/SAE 21434 security standard was drafted after the International Organization for Standardization (ISO) pooled its knowledge with the know-how of the Society of Automotive Engineers (SAE International). Automotive security expert Dr Thomas Liedtke explains the goals of ISO/SAE 21434 and what it is hoped the new standard will achieve.
There are actually quite a lot of parallels, especially on the macro and process level. About halfway into the 90s, I was working with Bonifaz Maag at Alcatel where we introduced and rolled out the capability maturity model (CMM) to be used for software development in ISDN and mobile telephony. The current standard in the automotive sector is Automotive SPICE®, but it’s remarkably similar to CMM which has since moved forward. Even if the software has become much more complex, on a fundamental level the standards for the development process are still the same.
Cars are changing from mechanical devices into computers on wheels. These computers have to be protected from attacks from the outside, just like any other system. The goals of ‘security’ are fundamentally different from the goals of classic ‘safety’, which are more about ensuring that the key parts of a car that are supposed to protect the lives and limbs of vehicle occupants in critical situations actually function properly. There’s been an automotive-specific standard for functional safety since 2011: ISO 26262. But there are no such things as compulsory guidelines for security in Europe, only the SAE J3061™ security standard in the United States. So there’s no global uniformity, and that has to change.
Dr Thomas Liedtke is a computer scientist by background. A family man and father of several children, after completing his PhD at the University of Stuttgart Liedtke entered the telecommunications industry. At Alcatel-Lucent he soon rose to a role of responsibility and over the course of 14 years he successfully spearheaded a variety of projects, also managing different departments.
Liedtke entered consulting more than a decade ago and has been offering his wealth of experience to clients in a variety of industries ever since, primarily in the areas of safety, security, privacy and project management. Beyond his responsibilities as a principal at Kugler Maag Cie, Liedtke is involved in a number of committees, particularly the working group for Automotive Cybersecurity at the German Electrical and Electronic Manufacturers’ Association (ZVEI) and the VDA Cybersecurity Work Group organised by the Association of the German Automotive Industry (DIN standard NA052-00-32-11AK and ISO standard TC22/SC32/WG11).
Some of the conceivable attacks that could take place are that a car is immobilised, that it can be started without a key, or that its total mileage is reduced artificially to raise its value. WIRED magazine has shown what an attack would look like with the example of a Jeep. Security systems should prevent such attacks. What we’re dealing with here is a moving target, because for a start the software used in cars is constantly being updated, but also hackers find ways to sneak in through security loopholes that no one even had on their radar 24 hours ago. The potential number of angles of attack rises continuously with each interface to the car (Bluetooth, MP3 player, internet, USB, smartphone, video camera, sensors, etc). If a new weak point is discovered, you generally need a patch within hours or days, and this patch has to make its way quickly and securely to vehicles in all corners of the globe.
Kugler Maag Cie is one of the European representatives on the ISO/SAE 21434 project. We’re tapping into expertise gained through nearly 15 years of working on processes in the automotive industry to contribute to the development of the standard. Of course this in turn benefits our customers, who we’re already helping to prepare for working with the new standard.
The standard will not lay down specific technologies or solutions. That wouldn’t make sense because they become obsolete again much too quickly. It’s more about formulating the requirements of cybersecurity risk management, for all stages of a product’s life cycle – from components to development, design, production, operation and maintenance, right up to decommissioning. This is because even if a car does have to be scrapped at some point, the personal data of its users has to be protected. The standard lays down uniform definitions for factors that could be considered a weakness or vulnerability, also defining the conditions security has to be tested under.
Companies have to meet the standard, but it’s not that straightforward simply implementing it. That’s because this standard is a framework for companies, so it forms a basis for defining security management. It provides a foundation based on well-developed processes, and then there are things like awareness training for staff, suitable organisational rules and technical expertise. The standard also tells manufacturers that they should always be up to speed with the latest advancements in technology. This requires them to keep their eyes on the market and technology.
ISO standards aren’t laws. Companies aren’t obliged to adhere to them. But they will do, because if something or someone is damaged, that has a bearing on liability. If a vehicle manufacturer doesn’t adhere to a standard, the onus reverses – it has to prove that it nonetheless did everything it was required to do to avoid damage.
SAE is an American professional association. It’s already issued a security standard for the United States. The rest of the world isn’t going to simply adopt it the way it is. Coming the other way, SAE are also not going to give up their standard for a new global standard. So after many rounds of discussion, the various parties agreed to work together on a new common standard.
The working relationship between ISO and SAE is a new experience for everyone involved. There were a lot of things that had to be cleared up in terms of the approach to be adopted, so the original roadmap slipped back a bit. The current plan is to announce the first public version around the middle of 2019. Companies will be able to use this as a basis for preparing for ISO/SAE 21434. The final version will come into effect in the summer of 2020. So there’s still plenty of time to get ready.
This interview was recorded in November 2018.
The ISO/SAE 21434 cybersecurity standard was due to come into effect in November 2019.