Overview of ISO/SAE 21434 Standard




ISO/SAE 21434, jointly published by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE), serves as a comprehensive cybersecurity framework for electrical and electronic systems within road vehicles. Developed to bolster cybersecurity across the entire lifecycle of automotive products, this standard outlines essential vocabulary, objectives, requirements, and guidelines.


Purpose and Scope:

The primary objective of ISO/SAE 21434 is to enhance cybersecurity measures for vehicles throughout their lifecycle. By providing a standardized framework, this standard facilitates the establishment of cybersecurity policies, risk management practices, and a cybersecurity-oriented culture within organizations operating in the automotive industry.


Three Pillars:

ISO/SAE 21434 is structured around three main pillars:

  • Cyber Security Governance: establishing policies, processes, and cultural norms to govern cybersecurity activities within organizations.

  • Risk Management: incorporating threat analysis, risk assessment, supply chain management, and cybersecurity operations to mitigate cybersecurity risks effectively.

  • Cyber Security Culture: fostering a culture of secure development practices, cybersecurity awareness, and continuous improvement.



Clause 5: Organizational Cybersecurity Management:

This clause delineates the organizational responsibilities and processes essential for effective cybersecurity management. Key elements include defining cybersecurity policies, assigning responsibilities, managing cybersecurity risks, fostering a cybersecurity culture, and conducting cybersecurity audits.


Corresponding Work Products:

Work products associated with Clause 5 include cybersecurity governance documents, RASIC tables, Information Security Charters, Cyber Incident Response Plans, Cybersecurity Culture initiatives, Data Classification Policies, organizational Quality Management Systems (QMS), cybersecurity metrics, and cybersecurity audits.


Clause 6: Project Dependent Cybersecurity Management:

This clause outlines requirements for managing cybersecurity activities specific to individual projects. It encompasses the allocation of responsibilities, cybersecurity planning, tailoring of cybersecurity activities, component analysis, and risk assessment for off-the-shelf components.


Clause 9: Concept Phase:

During the concept phase, organizations define the item in development, establish cybersecurity goals, and outline the cybersecurity concepts necessary to meet these goals. This phase also entails conducting a Threat Analysis and Risk Assessment (TARA) to identify potential cybersecurity risks.


Clause 15: TARA and Risk Management:

This clause specifies the TARA methods: asset identification, threat scenario identification, impact rating, attack path analysis, attack feasibility rating, risk value determination, and the risk treatment decision, all integral to effective risk management.
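The following is an added worked example of the TARA steps listed above, not text or code from the standard or from this blog. It rates attack feasibility by summing attack-potential points for five factors (elapsed time, expertise, knowledge of the item, window of opportunity, equipment), maps the total to a feasibility level, combines that level with an impact rating through a risk matrix, and derives a treatment decision. The point values, thresholds, matrix and treatment policy are assumptions chosen for illustration (they follow the common attack-potential style, but are not reproduced from the normative text), and the threat scenario is constructed.

```python
"""Worked TARA risk-value calculation (illustrative example, not the standard's text)."""
from enum import Enum


class Impact(Enum):
    NEGLIGIBLE = 1
    MODERATE = 2
    MAJOR = 3
    SEVERE = 4


class Feasibility(Enum):
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4


# Attack-potential points per factor. ASSUMED illustrative scale: more effort
# or rarer resources needed by an attacker means more points.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

# ASSUMED illustrative risk matrix: rows are impact ratings, columns are
# feasibility ratings, cells are risk values on a 1 (lowest) to 5 (highest) scale.
RISK_MATRIX = {
    Impact.SEVERE:     {Feasibility.VERY_LOW: 2, Feasibility.LOW: 3, Feasibility.MEDIUM: 4, Feasibility.HIGH: 5},
    Impact.MAJOR:      {Feasibility.VERY_LOW: 1, Feasibility.LOW: 2, Feasibility.MEDIUM: 3, Feasibility.HIGH: 4},
    Impact.MODERATE:   {Feasibility.VERY_LOW: 1, Feasibility.LOW: 2, Feasibility.MEDIUM: 2, Feasibility.HIGH: 3},
    Impact.NEGLIGIBLE: {Feasibility.VERY_LOW: 1, Feasibility.LOW: 1, Feasibility.MEDIUM: 1, Feasibility.HIGH: 1},
}


def attack_potential(elapsed_time: str, expertise: str, knowledge: str,
                     window: str, equipment: str) -> int:
    """Sum the attack-potential points of the five factors for one attack path."""
    return (ELAPSED_TIME[elapsed_time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
            + WINDOW[window] + EQUIPMENT[equipment])


def feasibility_from_potential(points: int) -> Feasibility:
    """Map total attack potential to a feasibility rating (ASSUMED thresholds).

    A higher potential required of the attacker means the attack is less feasible.
    """
    if points < 14:
        return Feasibility.HIGH
    if points < 20:
        return Feasibility.MEDIUM
    if points < 25:
        return Feasibility.LOW
    return Feasibility.VERY_LOW


def risk_value(impact: Impact, feasibility: Feasibility) -> int:
    """Look up the risk value for an impact/feasibility pair in the matrix."""
    return RISK_MATRIX[impact][feasibility]


def risk_treatment(risk: int) -> str:
    """ASSUMED treatment policy: the four options the standard names, chosen by risk value."""
    if risk <= 1:
        return "retain"          # accept the residual risk, document the rationale
    if risk <= 3:
        return "reduce"          # add a cybersecurity control / refine the concept
    if risk == 4:
        return "reduce or share" # mitigate, or transfer part of the risk contractually
    return "avoid"               # change the item so the threat scenario no longer applies


def assess_scenario(scenario: dict) -> dict:
    """Run the TARA chain for one constructed threat scenario and return the results."""
    points = attack_potential(**scenario["attack_path"])
    feas = feasibility_from_potential(points)
    risk = risk_value(scenario["impact"], feas)
    return {"asset": scenario["asset"], "attack_potential": points,
            "feasibility": feas, "risk_value": risk, "treatment": risk_treatment(risk)}


# Constructed sample scenario: integrity of a safety-relevant signal on the
# in-vehicle network; the attack path needs an expert with restricted knowledge
# and specialised equipment within about a month.
SAMPLE_SCENARIO = {
    "asset": "brake request signal (integrity)",
    "impact": Impact.SEVERE,
    "attack_path": {"elapsed_time": "<=1 month", "expertise": "expert",
                    "knowledge": "restricted", "window": "moderate",
                    "equipment": "specialized"},
}

if __name__ == "__main__":
    print(assess_scenario(SAMPLE_SCENARIO))
```

With the assumed scale the sample path totals 21 points, which falls in the "low" feasibility band; combined with a severe impact this gives risk value 3 and a "reduce" decision. The point of the structure is that every number in the output is traceable to a rated factor, which is exactly what an assessor or auditor asks for when reviewing a TARA work product.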


Clauses 10-14: Product Development and Post-Development Phases:

These clauses delineate product development and post-development activities, including secure system development procedures, architecture design, manufacturing requirements, vulnerability management, component-level and vehicle-level testing, and validation of cybersecurity goals.


Clause 13: Operations & Maintenance Phase:

During this phase, organizations establish cybersecurity incident response procedures, update mechanisms, and define end-of-support and decommissioning protocols to ensure ongoing cybersecurity resilience.


Incident Response Plan:

Preparing a formal incident response plan is crucial for defending against cyberattacks and breaches. Such a plan typically includes remediation actions, communication protocols, assigned responsibilities, progress tracking mechanisms, closure criteria, and lessons learned documentation.


By adhering to the guidelines outlined in ISO/SAE 21434, organizations can fortify their cybersecurity posture, mitigate risks, and foster a culture of vigilance and resilience against emerging cyber threats in the automotive industry.
