Implementation Strategy for ISO/SAE 21434:2021
ISO/SAE 21434:2021(en) provides a detailed implementation strategy for the security of road vehicles. The standard sets out a comprehensive methodology for the development and implementation of security measures in the automotive industry, covering the entire life cycle of a vehicle from design and development to production, operation, and maintenance.
The standard's implementation strategy includes the following key steps:
Define the security requirements: Identify the security requirements for the vehicle, including functional, performance, and security requirements. This should be done in consultation with relevant stakeholders, such as vehicle manufacturers, suppliers, and regulatory bodies.
Establish a security management system: Establish a security management system that outlines the policies, procedures, and processes that will be used to ensure the security of the vehicle throughout its life cycle. This should include a risk management process that is aligned with the ISO 31000 standard.
Conduct a threat and risk assessment (TARA): Conduct a TARA to identify potential threats and vulnerabilities to the vehicle's systems and components, as well as the potential impacts of these threats and vulnerabilities. This should be done in accordance with the ISO/SAE 21434 standard's guidelines for TARA.
Develop and implement countermeasures: Develop and implement countermeasures to mitigate the identified risks. These countermeasures should be validated in a controlled environment or by simulating the identified threats and vulnerabilities.
Document the security measures: Document the security measures that have been implemented, including the security assessment plan and the TARA report. This documentation should be used to demonstrate compliance with relevant regulatory and industry standards.
Monitor and maintain the security measures: Continuously monitor the vehicle's systems and components for new threats and vulnerabilities, and update the countermeasures as needed to ensure the security of the vehicle.
Continuously improve the security: Continuously improve the security of the vehicle by regularly reviewing and updating the security management system and the security measures in response to new threats and vulnerabilities.
Here is the table of contents for ISO/SAE 21434:2021(en) Road vehicles — Cybersecurity engineering:
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations and acronyms
5 Cybersecurity concept and model
6 Risk assessment and management
7 Security by design and security assurance
8 Cybersecurity requirements specification
9 Cybersecurity verification and validation
10 Cybersecurity management and supporting processes
11 Cybersecurity documentation
12 Cybersecurity monitoring, response and improvements
13 Cybersecurity requirements for external parties
14 Supply chain management for automotive cybersecurity
15 Cybersecurity operations
Annex A (informative) Threats, threat agents, and threat events for road vehicles
Annex B (informative) Example of a vulnerability analysis
Annex C (informative) Example of an attack tree
Annex D (informative) Example of a security risk assessment
Annex E (informative) Example of a cybersecurity requirements specification
Annex F (informative) Example of a security test plan
Annex G (informative) Example of a security assurance plan
Annex H (informative) Cybersecurity management during production and post-production activities
Annex I (informative) Guidelines for secure over-the-air updates
Annex J (informative) Guidance on cybersecurity for heavy commercial vehicles
Annex K (informative) Example of a threat model
Annex L (informative) Example of a threat intelligence process
Annex M (informative) List of cybersecurity standards and guidelines
Bibliography
Annex B of ISO/SAE 21434:2021(en) provides an example of a vulnerability analysis to assist organizations in identifying potential cybersecurity vulnerabilities in their road vehicles. The example is based on a simplified use case of a telematics unit in a passenger car.
The vulnerability analysis is divided into four main steps:
Identify potential assets: In this step, the assets are identified, and a preliminary list of assets is created, such as the telematics unit, communication buses, and the vehicle's firmware.
Identify potential threats: In this step, potential threats to the assets are identified. These can include hardware and software attacks, physical attacks, and social engineering attacks. For example, an attacker might try to connect to the telematics unit through an unsecured Bluetooth connection.
Identify potential vulnerabilities: In this step, the vulnerabilities in the assets are identified. Vulnerabilities can include software bugs, insecure communication protocols, and weak authentication mechanisms. For example, the telematics unit might have a known software vulnerability that an attacker could exploit.
Analyse the potential consequences: In this step, the consequences of each identified vulnerability are analysed. The consequences can range from minor to severe and can include data theft, physical harm to occupants, or even vehicle theft. For example, an attacker exploiting the software vulnerability in the telematics unit might be able to access sensitive data, such as the vehicle's location, speed, and driving behaviour.
Annex C of ISO/SAE 21434:2021(en) provides an informative example of an attack tree. An attack tree is a graphical representation of the different steps that an attacker may take to exploit a vulnerability and reach their goal. The attack tree in Annex C is an example related to the theft of a car, and it is divided into levels that represent the different stages of the attack.
The first level of the attack tree represents the objective of the attacker, which is to steal the car. The second level is the attack point, which in this case is the entry to the car. The third level includes the different methods that the attacker can use to gain entry, such as picking the lock, breaking a window, or using an electronic device to bypass the security system.
The fourth level shows the options available to the attacker once they have gained entry to the car, such as hotwiring the ignition, using a key that was left inside the car, or stealing personal belongings from the car. Each of these options has its own set of sub-options, represented in the fifth level of the attack tree.
The sixth level shows the different ways that the attacker can leave the scene undetected, such as disabling the alarm or leaving the car in a location where it won't be seen by the owner or law enforcement. The seventh level represents the attacker's overall goal of being able to use or sell the stolen car.
This attack tree serves as an example of how to use an attack tree to identify potential attack paths and prioritize the security measures that should be implemented to prevent or mitigate such attacks. It can also be used as a template to create attack trees for other scenarios or systems.
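The following is an added example, not text or code from ISO/SAE 21434 itself: a small AND/OR attack-tree evaluator that finds the lowest-effort attack path and shows how raising the effort of one step (a countermeasure) changes which path the defender should address next. The tree is a constructed simplification of the car-theft levels described above, and the effort scores are invented, not values from the standard.

```python
"""AND/OR attack tree evaluation for mitigation prioritisation.

Added example, not code from ISO/SAE 21434. The tree is a constructed
simplification of the car-theft example; the cost figures are invented
relative effort scores, not values from the standard.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "or" (any child suffices), "and" (all children needed)
    cost: float = 0.0             # relative attacker effort; only meaningful for leaves
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the lowest-effort way to satisfy this node.

    OR nodes take their cheapest child; AND nodes must pay for every child.
    The result is the attack path a defender should mitigate first.
    """
    if node.kind == "leaf":
        return node.cost, [node.name]
    paths = [cheapest_path(c) for c in node.children]
    if node.kind == "or":
        return min(paths, key=lambda p: p[0])
    if node.kind == "and":
        return sum(p[0] for p in paths), [leaf for p in paths for leaf in p[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def mitigate(node: Node, leaf_name: str, extra_cost: float) -> None:
    """Model a countermeasure as an increase in the effort of one leaf step."""
    if node.kind == "leaf" and node.name == leaf_name:
        node.cost += extra_cost
    for c in node.children:
        mitigate(c, leaf_name, extra_cost)


def build_theft_tree() -> Node:
    # Constructed tree following the levels in the text: the goal requires
    # gaining entry (OR of methods) AND starting the vehicle (OR of options).
    gain_entry = Node("gain entry", "or", children=[
        Node("pick the lock", cost=6),
        Node("break a window", cost=2),
        Node("bypass security system electronically", cost=9),
    ])
    start = Node("start and drive away", "or", children=[
        Node("hotwire the ignition", cost=7),
        Node("use key left inside", cost=1),
    ])
    return Node("steal the car", "and", children=[gain_entry, start])
```

Re-running cheapest_path after each mitigate call shows the residual cheapest path, which is the ordering a treatment plan should follow.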
Annex D of ISO/SAE 21434:2021 provides an example of a security risk assessment. The annex describes a hypothetical case study of a vehicle manufacturer that is conducting a security risk assessment for a new vehicle model. The assessment is divided into four phases:
Asset Identification: In this phase, the manufacturer identifies all the assets of the vehicle, such as the Electronic Control Units (ECUs), sensors, actuators, and communication networks. The assets are then categorized based on their criticality and the impact of a security breach on them.
Threat Analysis: In this phase, the manufacturer identifies the potential threats to the vehicle assets. The threats can be internal or external, intentional or unintentional. The manufacturer uses various techniques such as brainstorming, historical data analysis, and interviews with experts to identify the threats.
Vulnerability Analysis: In this phase, the manufacturer identifies the vulnerabilities of the assets to the identified threats. The vulnerabilities can be related to software, hardware, or communication networks. The manufacturer uses various techniques such as penetration testing, code review, and design analysis to identify the vulnerabilities.
Risk Assessment: In this phase, the manufacturer evaluates the risks associated with each asset based on the identified threats and vulnerabilities. The risks are calculated using a risk matrix that takes into account the likelihood and impact of the risk. The manufacturer then prioritizes the risks based on their severity and formulates a risk treatment plan.
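As an added example (not the standard's own method, scales or case-study data), the four phases above can be carried through on a small constructed risk register: each entry ties an asset, threat and vulnerability to a likelihood and an impact rating, a risk matrix maps the pair to a risk level, and the register is sorted into a treatment plan. The 1..4 scales, the matrix values and the sample entries are all constructed for illustration.

```python
"""Risk matrix evaluation for the four-phase assessment described above.

Added example, not ISO/SAE 21434's own method or figures. The likelihood and
impact scales (1..4), the matrix and the sample register are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed 4x4 matrix: RISK[likelihood-1][impact-1] -> risk level 1 (low) .. 5 (critical)
RISK = [
    [1, 1, 2, 3],
    [1, 2, 3, 4],
    [2, 3, 4, 5],
    [3, 4, 5, 5],
]
TREATMENT = {1: "accept", 2: "accept", 3: "reduce", 4: "reduce", 5: "avoid or reduce"}


@dataclass(frozen=True)
class RiskEntry:
    asset: str            # phase 1: asset identification
    threat: str           # phase 2: threat analysis
    vulnerability: str    # phase 3: vulnerability analysis
    likelihood: int       # 1 (rare) .. 4 (very likely), from threat and vulnerability findings
    impact: int           # 1 (negligible) .. 4 (severe), from asset criticality

    def level(self) -> int:
        if not (1 <= self.likelihood <= 4 and 1 <= self.impact <= 4):
            raise ValueError("likelihood and impact must be on the 1..4 scale")
        return RISK[self.likelihood - 1][self.impact - 1]

    def treatment(self) -> str:
        return TREATMENT[self.level()]


def prioritise(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Phase 4: order by risk level, then impact, then likelihood (highest first)."""
    return sorted(entries, key=lambda e: (e.level(), e.impact, e.likelihood), reverse=True)


# Constructed sample register, not data from the standard's case study.
SAMPLE = [
    RiskEntry("telematics unit", "remote attacker", "outdated network stack", 3, 4),
    RiskEntry("infotainment ECU", "malicious USB media", "unsigned media parser", 2, 2),
    RiskEntry("brake ECU", "spoofed CAN frames", "no message authentication", 2, 4),
    RiskEntry("diagnostic port", "local attacker", "weak seed-key authentication", 4, 3),
]


def treatment_plan(entries: List[RiskEntry] = SAMPLE) -> List[Tuple[str, int, str]]:
    """Return (asset, risk level, treatment) rows in the order they should be worked."""
    return [(e.asset, e.level(), e.treatment()) for e in prioritise(entries)]
```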
Annex E of ISO/SAE 21434:2021(en) provides an informative example of a cybersecurity requirements specification. This annex contains a sample document that outlines the cybersecurity requirements for an automotive system, including hardware, software, and communication systems. The purpose of this document is to ensure that the cybersecurity needs of the automotive system are clearly defined and communicated to the relevant stakeholders.
The cybersecurity requirements specification is divided into several sections, including an introduction, scope, definitions, and requirements. The introduction provides a brief overview of the document, while the scope defines the boundaries of the system to which the requirements apply. The definitions section clarifies any terminology used in the document, ensuring a common understanding among stakeholders.
The requirements section is the most substantial part of the cybersecurity requirements specification. It outlines the specific security requirements that the automotive system must meet. These requirements are derived from the results of the security risk assessment and from other considerations such as applicable regulations, the organization's security policies, and security best practices.
The requirements section is further divided into subsections, each addressing a specific aspect of the automotive system's security. These subsections may cover areas such as access control, authentication, encryption, secure boot, and secure updates.
For each requirement, the cybersecurity requirements specification specifies the criteria that must be met to fulfil that requirement. These criteria may include specific algorithms, key lengths, or protocols, as well as guidelines for testing or validating the requirement.
The cybersecurity requirements specification concludes with a verification section that outlines the methods for verifying that the requirements have been met. This section also specifies the documentation and evidence required to demonstrate compliance with the requirements.