ISO 21434 Compliance in Automotive Cybersecurity – PlaxidityX Ep 17

Today, most vehicles come with built in connectivity options for receiving and transmitting information. However, these benefits also carry a price. New software enabled technologies from connectivity to cloud based functionality and autonomous driving expose vehicles to greater cyber risk. Automotive cybersecurity regulations such as UNR one fifty five and ISO SAE twenty one four thirty four, are designed to protect connected vehicles from cyber attacks and ensure vehicle safety. This podcast provides automotive manufacturers with a guide to the rapidly growing automotive regulatory landscape, focusing on the challenges and benefits of a cybersecurity management system, and offering practical advice on the best way to implement such a system.

The growing need for automotive cybersecurity, connected and software defined vehicles or SDVs, are revolutionizing the way we drive. With 10 times more lines of code than a fighter aircraft, today's SDVs are aptly referred to as code on wheels. The more software in a vehicle, the greater the risk. New software vulnerabilities are published regularly, impacting millions of vehicles across virtually all brands. Software vulnerabilities in open source code can be exploited by hackers to compromise safety critical systems, for example, braking, steering, access personal data, or even start a car from a remote location.

For example, a recently published software vulnerability in the Kia Connect system allowed a hacker to track a car's location via GPS, lock and unlock its doors, and start and stop its engine. These challenges are likely to increase in the future. Autonomous vehicles will have several times more code than today's SDV, while communicating with the infrastructure and other cars using v two x and other technologies. To ensure the safety and security of tomorrow's vehicles, OEMs must implement secure software development processes. Meeting regulatory expectations.

In response to these growing risks, dramatic changes in standardization and regulation of automotive cybersecurity practices have taken place in recent years. Notable examples include UN regulations one fifty five and one fifty six, and ISO SAE twenty one four thirty four, which together have become a de facto guide for vehicle manufacturers of how to ensure a cyber security minded development process and product. These and other global cyber security directives have had a major impact on the way OEMs and their suppliers develop and manage their products. UNR one fifty five requires that OEMs implement a risk based management framework, AKA cybersecurity management system, for detecting potential cyber threats and protecting vehicles against cyber attacks. UNR one fifty five specifies the processes that need to be implemented during the development, production, and post production phases, but does not stipulate specific tools or products to be used to execute such processes.

UNR one fifty six specifies requirements for software update management systems. Together, these regulations set a new bar for the industry and require OEMs to demonstrate that their vehicles meet strict standards for cybersecurity and software updates. ISO SAE twenty one four thirty four is a global industry standard that complements UNR one fifty five. This standard specifies engineering requirements for cybersecurity risk management regarding the concept, product development, production, operation, and maintenance. ISO SAE twenty one four thirty four works to protect vehicle and automotive security, providing guidance on integrating cybersecurity into the product development process of road vehicles.

What are the differences between UNR one fifty five and ISO SAE twenty one four thirty four? UNR one fifty five is a mandatory regulation in 54 UNECE member countries, like the EU, UK, Japan, and South Korea, requiring OEMs to implement a cybersecurity management system or CSMS. It outlines what needs to be done for vehicle cybersecurity, listing specific threats and how they must be addressed. It became mandatory in 2022 for new vehicle types, and by 2024, it extended to all newly manufactured vehicles. ISO SAE twenty one four thirty four, on the other hand, is a global standard that's non mandatory, but widely adopted.

It provides a process focused approach for identifying and managing cybersecurity risks across a vehicle's entire life cycle, from concept to decommissioning. Published in 2021, it was developed by over 100 experts from dozens of countries and gives more detailed guidance on how to meet the goals set forth in regulations like UNR one fifty five. Essentially, UNR one fifty five tells you what's required, while ISO SAE twenty one four thirty four shows you how to achieve it. UNR one fifty five and ISO SAE twenty one four thirty four are only the tip of the iceberg. Today, most vehicle manufacturers are well aware of the need to comply with cybersecurity regulations and standards such as UNR one fifty five and one fifty six, and ISO SAE twenty one four thirty four.

However, these regulations and standards are only the tip of the iceberg. On a global scale, there are dozens of cybersecurity regulations, standards, guidelines, and best practices that are relevant for the automotive industry. Here are just a few prominent examples. GBT. China's adaptation of UNR one fifty five, known as GBT, is already at a very mature development stage and is planned to become effective in 2025.

These standards specify the requirements and test methods for cybersecurity of remote service and management systems for electric vehicles, General technical requirements for vehicle cybersecurity, technical requirements and test methods for cybersecurity of vehicle gateway, etcetera. ASPICE for cybersecurity. Automotive SPICE, which stands for software process improvement and capability determination, defines a set of processes and practices that automotive software development organizations should follow to ensure that their software products meet the quality and safety standards required by the industry. ASPICE covers the entire software development lifecycle, from requirements, elicitation, to software testing and validation. The ASPICE extension for cybersecurity was issued in February 2022.

Serving as a baseline for OEMs and suppliers, this extension defines new areas for cybersecurity assessment, including requirements, elicitation, cybersecurity implementation, risk treatment verification, and risk treatment validation. ANISA. The European Union Agency for Cybersecurity, also known as ANISA, is the union's agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 02/2004 and strengthened by the EU cybersecurity act, ANISA contributes to EU cyber policy, enhancing the trustworthiness of ICT products, services and processes with cybersecurity certification schemes. NIST.

The NIST cybersecurity framework helps businesses of all sizes better understand, manage and reduce their cybersecurity risk, and protect their networks and data. The NIST cybersecurity framework is built on five core functionalities or pillars. Identify, protect, detect, respond, and recover. Implications of regulatory compliance for OEMs. UNR one fifty five went into full effect for all newly manufactured vehicles in July 2024.

Accordingly, OEMs must demonstrate compliance with UNR one fifty five type approval requirements for every new vehicle registered in a country subject to UNR one fifty five, for example, EU member states. This was a major milestone for the global automotive industry, posing serious challenges and triggering intensive activity across the automotive value chain. Since OEMs must now demonstrate compliance in order to achieve type approval, they are demanding that their software suppliers also bake cyber resilience into their vehicle design, development, operation, and maintenance processes. And the business implications of this sea change are already being felt. Late last year, Porsche announced that its best selling ice powered Macan SUV will be discontinued from markets within the European Union in spring of twenty twenty four due to cybersecurity regulations.

Porsche explained that the updates required for the SUV to comply with the new rules were deemed excessively complex and costly. This is just one in a series of similar announcements from OEMs regarding other vehicles, including VW and Audi models. What is a cybersecurity management system? CSMS is a systematic approach to finding organizational processes, responsibilities and governance to ensure that cybersecurity practices and measures are adequately applied across every phase of the development process and vehicle life cycle. Unlike traditional measures that often focus on specific security tools or isolated practices, a CSMS provides a holistic approach to managing an organization's cyber security risks.

Detailed specifications for the CSMS are provided in the UNR one fifty five documentation. The core components of a CSMS include the following, policies and procedures, best practices, policies, and controls to proactively combat threats and protect sensitive information. It provides a structured approach for identifying, assessing, and addressing cyber risks throughout an organization's operations. Risk management. The system enables organizations to identify, assess, and mitigate cyber risks in a timely manner throughout the entire life cycle of their products or services.

Incident response. Protocols for responding to and managing cyber security incidents, often referred to as a cyber incident response plan. Today, OEMs and UNECE member states must receive a CSMS certificate of compliance in order to receive type approval for new vehicles. The certificate of compliance is granted following a rigorous audit process carried out by an authorized type approval authority. How to implement a CSMS.

Establishing a CSMS and achieving regulatory compliance is a complex effort, requiring automotive cybersecurity knowledge, skilled resources and purpose built tools. Fortunately, ISO SAE twenty one four thirty four provides an internationally recognized guideline for the implementation of a CSMS that many OEMs and tier one suppliers use as a reference. At the organizational level, OEMs should have processes in place to monitor development and production at the organizational level, including procedures, policies, and strategies aligned with ISO SAE twenty one four thirty four, quality management requirements. This includes areas such as company culture, training, awareness, and more. Threat analysis and risk assessment or TARA is the first step in the CSMS implementation at the product level.

For example, ECU. Tara breaks down the vehicle architecture, identifies critical software components, assesses potential cyber threats, and analyzes the impact and feasibility of these threats. This step often includes penetration testing and fuzz testing in order to expose risks and gaps. The OEM takes the results of the Tara and, depending on the severity of the risks, implements the necessary fixes, for example, changes to the software, to mitigate the risks and vulnerabilities. The last step in this process is validation and verification, which includes a final round of testing to ensure that the entire system is secure and that all vulnerabilities have been patched.

The entire cycle is documented in ISO SAE twenty one four thirty four. CSMS implementation challenges. Due to the complex domain specific challenges of the automotive industry, OEMs and tier ones face several key challenges when implementing a CSMS under ISO SAE twenty one four thirty four. Seamless integration with other standards. Cybersecurity is only one of many standards.

For example, ISO 9,001, ISO two six two six two, ASPICE, that OEMs need to adhere to. The CSMS must work with all the other quality and safety standards seamlessly at the organizational level. Cybersecurity affects the development cycle. Cybersecurity also affects the product development cycle because you need to implement the security aspects within the overall development flow. ISO SAE twenty one four thirty four states, that the cybersecurity cycle should be ongoing and cover the production and post production phases.

Automotive cybersecurity requires dedicated tools. Traditional IT tools used to protect OEM's corporate networks are not equipped to handle the domain specific challenges of connected vehicles. Because automotive cybersecurity also needs to cover the development phase, many common standards, procedures, and tools used for IT environments, for example, ISO 27,001, are not relevant here. Supply chain integration. Suppliers need to ensure cybersecurity practices are implemented throughout their own supply chain.

This can be particularly challenging when dealing with sub suppliers who may not be familiar with automotive cybersecurity standards. Continuous vulnerability management. The standard calls for ongoing monitoring, assessment, and mitigation of vulnerabilities throughout the full vehicle lifespan, ten to fifteen years. Establishing and maintaining these processes can be complex and resource intensive. Documentation and traceability, ISO SAE twenty one four thirty four, demands extensive documentation of cyber security related activities, decisions, and justifications.

Maintaining this level of documentation and ensuring traceability can be a significant challenge for many suppliers. Resource constraints. Implementing a CSMS requires significant time, personnel, and financial resources. Many suppliers, especially smaller ones, may find it challenging to allocate sufficient resources to meet all the standards requirements. Skill gap.

Not all manufacturers have the internal resources or cyber security domain expertise required to carry out the CSMS implementation. Many OEMs hire external consultants or service providers specializing in CSMS compliance to do the project for them. Certification process. Preparing for and undergoing the certification audit can be a complex and time consuming process, requiring significant preparation and potentially multiple iterations to achieve compliance. How PlexityX can help.

As the complexity of automotive cybersecurity regulations continues to grow, achieving compliance requires a deep and comprehensive understanding of automotive processes, cybersecurity know how, and proven compliance experience. PlacidityX cybersecurity experts have worked with OEMs and tier ones in dozens of compliance projects to establish the processes mandated by CSMS and type approval requirements at the vehicle and ECU levels. Our proven, battle tested methodology for CSMS implementation, including gap analysis, process definition, deployment, and ongoing support, helps vehicle manufacturers minimize cyber risk and achieve automotive security compliance. A comprehensive set of automotive cybersecurity services, including automotive penetration testing, Tara, and cybersecurity architecture design, and UNR one fifty five and ISO twenty one four thirty four cybersecurity compliance, are designed to help vehicle manufacturers integrate cybersecurity processes through every stage of product development and production. That's all for today's episode.

Keep your engines running smooth and your cyber defenses sharp. Stay connected by subscribing and visiting plaxidityx.com. Until next time, stay safe on the road and in the cloud.