The Digitalist Team
November 30, 2021

From 2022: increased responsibility due to new automotive standards



Technology is evolving at an ever-faster pace in every area of business, and the car industry is no exception. Twenty years ago, someone buying a new car would be climbing into a totally inanimate object: responsive to your touch, yes, but essentially a physical collection of nuts, bolts, and bodywork. Now, innovations such as self-driving cars, computer-controlled vehicle systems (CVS), and in-vehicle infotainment have revolutionized our relationships with our vehicles. Today, you will find yourself face-to-face with a computerized, connected, and increasingly sophisticated piece of tech. With increased sophistication, however, comes greater risk.

An issue of complexity

There is no question that safety has been an integral part of the automotive development process for decades. FMEA (Failure Mode and Effects Analysis) and FTA (Fault Tree Analysis) are key to every automotive development process. The concept of ASIL levels (Automotive Safety Integrity Levels) is well understood and consistently applied throughout the supply chain. Indeed, most drivers today consider their vehicles to be ‘safe’.

At the same time, it is clear the car industry faces a huge challenge to meet the inevitable increase in cybersecurity threats and attacks. And not only are external entities communicating with cars remotely on a regular basis, these increasingly computerized vehicle systems mean other issues – such as fire safety, battery life, engine performance, and fuel levels – are also in danger of being compromised. The bottom line is, if you fail to identify key vulnerabilities and implement the right controls, your stakeholders may find themselves under severe threat in terms of operations, finance, privacy, and functional safety.

So what’s the solution?

With all this in mind, ISO and SAE have partnered to create ISO/SAE 21434. This new international standard has been produced by a joint working group of more than 100 experts from the fields of engineering, product development, and cybersecurity. ISO/SAE 21434 will come into force in the EU for new car types in July 2022, and for all newly produced cars from July 2024.

ISO/SAE 21434’s goal is to establish a new standard in automotive cybersecurity. It outlines the development of a robust Cybersecurity Management System (CSMS) to ensure a structured level of care on an organizational level, as well as a Software Update Management System (SUMS) that can provide the legal basis for Over-the-Air (OTA) updates to on-board vehicle software.

With ISO/SAE 21434, car manufacturers themselves will be responsible for ensuring they comply with the regulations and are able to ensure a high level of cybersecurity throughout their value chain. The cybersecurity management system that complies with the requirements of the standard can be easily integrated into existing development procedures and tools. For example, TARA – Threat Analysis and Risk Assessment – is a useful tool, which presents methods to determine the extent to which a road user can be impacted by a threat scenario. These methods can be called on systematically and from any point in the lifecycle of a single item or component.

Areas of application

Of course, the vehicle itself is just one aspect of overall safety and security issues. This is why when it comes to setting up an effective level of cybersecurity risk assessment, ISO/SAE 21434 recommends further breaking down assessment into several subsets, each of which requires specific care and attention:

  • Organizational scope: How the organization manages its cybersecurity activities
  • Project dependent: The planning and implementation of cybersecurity activities within individual projects, outlining the responsibilities of those involved
  • Distributed activities: Ensuring cybersecurity in the supply chain, e.g. inspection of suppliers
  • Continual activities: Continual cybersecurity activities (monitoring, vulnerability analysis, etc.)
  • Risk assessment methods: Establishing the right methods to assess risk within the organization
  • Secure by design: Cybersecurity activities in terms of design, development, production, and operation

How can you become compliant?

We can highlight four key stages to obtaining ISO/SAE 21434 certification: awareness, planning, implementation, and sustainability. Imagine you are just about to begin developing a new car model. Naturally, the first step is to be aware of the existence of ISO/SAE 21434 and understand all of its requirements. The second is to begin integrating these recommendations into every aspect of the car’s design. During the manufacturing process, it is essential to continually assess the impact of these developments in terms of the car’s production, distribution, and end-use. Finally, you need to make sure that the changes made are sustainable and the car model continues to maintain the highest level of cybersecurity and vehicle safety in the long term.

What does this mean for companies?

As we have said, automotive cybersecurity is an incredibly complex and wide-ranging topic. To put it as simply as we can, ISO/SAE 21434 risk management is about the responsibility of car manufacturers to examine every single aspect of their business cycle in the minutest detail, from the initial design of their vehicles to distribution points and road users, working continuously to eliminate any threats. And in the event of any future cyber incidents, ISO/SAE 21434 certification will serve as evidence that the manufacturer performed every necessary activity to effectively mitigate cybersecurity risks in accordance with the principle of proportionality.

The good news is that with the right approach, ISO/SAE 21434 compliance can be about far more than just following the latest rules or another bullet point in the marketing pamphlet. The key is to use it as a springboard and an inspiration to take the cybersecurity of your vehicles to a new level. Companies who fail to do so not only risk penalties for non-compliance, they also leave themselves open to cyber-attacks and persistent safety issues. But if you are able to harness the power of the wide array of new technologies to your advantage while reducing risks to an absolute minimum, the potential for further growth and a genuine competitive advantage is enormous.