ISO/SAE 21434 – WORKSHOP REPORT

There are actually quite a lot of parallels, especially on the macro and process level. About halfway into the 90s, I was working with Bonifaz Maag at Alcatel where we introduced and rolled out the capability maturity model (CMM) to be used for software development in ISDN and mobile telephony. The current standard in the automotive sector is Automotive SPICE®, but it’s remarkably similar to CMM which has since moved forward. Even if the software has become much more complex, on a fundamental level the standards for the development process are still the same.

Some of the conceivable attacks that could take place are that a car is immobilised, that it can be started without a key, or that its total mileage is reduced artificially to raise its value. WIRED magazine has shown what an attack would look like with the example of a Jeep. Security systems should prevent such attacks. What we’re dealing with here is a moving target, because for a start the software used in cars is constantly being updated, but also hackers find ways to sneak in through security loopholes that no one even had on their radar 24 hours ago. The potential number of angles of attack rises continuously with each interface to the car (Bluetooth, MP3 player, internet, USB, smartphone, video camera, sensors, etc). If a new weak point is discovered, you generally need a patch within hours or days, and this patch has to make its way quickly and securely to vehicles in all corners of the globe.

Kugler Maag Cie is one of the European representatives on the ISO/SAE 21434 project. We’re tapping into expertise gained through nearly 15 years of working on processes in the automotive industry to contribute to the development of the standard. Of course this in turn benefits our customers, who we’re already helping to prepare for working with the new standard.

The standard will not lay down specific technologies or solutions. That wouldn’t make sense because they become obsolete again much too quickly. It’s more about formulating the requirements of cybersecurity risk management, for all stages of a product’s life cycle – from components to development, design, production, operation and maintenance, right up to decommissioning. This is because even if a car does have to be scrapped at some point, the personal data of its users has to be protected. The standard lays down uniform definitions for factors that could be considered a weakness or vulnerability, also defining the conditions security has to be tested under.

Companies have to meet the standard, but it’s not that straightforward simply implementing it. That’s because this standard is a framework for companies, so it forms a basis for defining security management. It provides a foundation based on well-developed processes, and then there are things like awareness training for staff, suitable organisational rules and technical expertise. The standard also tells manufacturers that they should always be up to speed with the latest advancements in technology. This requires them to keep their eyes on the market and technology.

ISO standards aren’t laws. Companies aren’t obliged to adhere to them. But they will do, because if something or someone is damaged, that has a bearing on liability. If a vehicle manufacturer doesn’t adhere to a standard, the onus reverses – it has to prove that it nonetheless did everything it was required to do to avoid damage.

SAE is an American professional association. It’s already issued a security standard for the United States. The rest the world isn’t going to simply adopt it the way it is. Coming the other way, SAE are also not going to give up their standard for a new global standard. So after many rounds of discussion, the various parties agreed to work together on a new common standard.