Today sees the release of the first public draft of the new international standard ISO/SAE 21434 – Road vehicles – Cybersecurity engineering, the first standard to be developed under a new joint agreement between ISO and SAE International.
This eagerly anticipated new document will specify requirements for cybersecurity risk management across the whole vehicle lifecycle, including concept, development, production, operation, maintenance, and decommissioning. The document provides a framework for cybersecurity engineering and management processes, which will enable vehicle manufacturers and suppliers to communicate cybersecurity requirements using a common language but without imposing constraints on technical solutions.
The joint working group developing ISO/SAE 21434 is composed of experts from across the world, from a range of organisations including vehicle manufacturers, the tiered supply chain, cybersecurity consultants, research organisations and government. HORIBA MIRA’s David Ward and Paul Wooderson are members of the working group, and are involved in specifying aspects including risk management, product development and terminology.
Currently at ISO Enquiry stage, the draft international standard has been made available for public comment and for the automotive industry to gain further experience in applying the cybersecurity process requirements contained within it. The standard is due to be published in early 2021 and is expected to become the state of the art for automotive cybersecurity engineering.
HORIBA MIRA’s cybersecurity services are informed by the ongoing development of the standard and, as such, we are helping our customers prepare for its introduction by providing expert advice and consultancy. Whatever an organisation’s current level of cybersecurity maturity, we can help with training, process development or cybersecurity design and test consultancy for vehicle or component programmes.
We have also developed a cybersecurity assessment programme, based on the 5StarS assurance framework and closely aligned to the draft requirements of ISO/SAE 21434, which can be used by our customers to obtain an independent assessment of readiness to meet the minimum requirements of the standard, as well as providing confidence in the cybersecurity of their products.
The requirements of the new standard will not only cover cybersecurity during product development; a significant amount of the document is dedicated to specifying activities during the operational phase of the system lifecycle, recognising that the threat landscape is dynamic and new attacks and vulnerabilities will emerge over time. This means that vehicle manufacturers will need to be able to detect, understand and respond to incidents and new threats affecting their products. This topic is the focus of the ResiCAV project, funded by Innovate UK, in which we and our partners are currently exploring the feasibility of solutions for operational resilience. These include requirements for cybersecurity testing facilities and Vehicle Security Operations Centres to support the monitoring requirements of ISO/SAE 21434, and longer-term sustainable methodologies for cyber resilience.