According to Juniper Research, 206 million vehicles will have embedded connectivity by 2025 — with 30 million vehicles utilizing 5G connectivity. The connected car now contains units for communication, in-voice assistant, geolocation sensors and cloud-platforms that connect vehicles to mobility services. 

To ensure that these hyper-connected vehicles remain secure, a standard known as ISO SAE 21434 was developed. This standard is designed to guide automotive product developers and OEMs in following effective cybersecurity strategies and measures for connected vehicles. The status of ISO/SAE 21434 is currently ‘under development’, but it’s trending towards acceptance, which means it will be a part of compliance requirements in the near future.

An ISO/SAE 21434 Summary

ISO/SAE 21434 is a standard co-developed by the International Standard of Organization (ISO) and the Society of Automotive Engineers (SAE). ISO SAE 21434 “Road vehicles — Cybersecurity engineering” focuses on cybersecurity risks in the design and development of car electronics. The standard covers cybersecurity governance and structure, secure engineering throughout the life cycle of the vehicle and post-production security processes. 

This process is designed to cover automotive security of any connected vehicle from design until deployment.  The standard is to ensure that from the very first stage of vehicle development, any connective aspect included or all software implemented within that vehicle is secure from cyberattacks.  Vehicle suppliers must maintain regular security testing during this development to keep potential attack targets minimized. The earlier testing is implemented during design, the more time risks can be uncovered and remediated before vehicles are out on the road. 

Why is ISO/SAE 21434 necessary for the automotive industry?

The automotive industry saw a 605% increase in cybersecurity incidents in connected cars between 2016 to 2019. In 2022, the biggest attack targets were telematic application controls, keyless entry denial, and electronic vehicle charging systems. The increases in these attacks are surprisingly high, but threat actors targeting automotive computers is relatively new. Not only have more exploits been introduced in recent years, but the consequences in some successful attacks threaten the lives of drivers. Now that the industry has a framework to base its cybersecurity, testing for vulnerabilities during the vehicle’s lifecycle will be normalized. Standards also work together with other frameworks: in the case of ISO/SAE 21434, NIST SP-800-30 and standard ISO/IEC 31010 can be used to establish a foundation of risk assessment using tried and tested methodologies.

Improving your cybersecurity with testing

Good cybersecurity practices involve being proactive, and automotive developers and manufacturers can be proactive by integrating testing into their development lifecycle. Fuzzing an automotive computer is somewhat similar to a standard computer. The fuzzers launch tests against the automotive computer’s functionality attempting to trigger a vulnerability and exploit it. It’s done in a similar way an attacker launches an exploit, only testing performed as the product is developed can be used to improve cybersecurity rather than reactively patching a system using recalls.

Imagine a driver with a connected car experiences an attacker fuzzing the system for a buffer overflow. Specially crafted data is sent to the engine that runs on feedback from various components on the car. A buffer overflow has potential to shut down the engine. It would be a frightening experience for a driver to experience an engine shutdown while on the freeway, and this type of scenario is exactly what ISO/SAE 21434 tries to stop. By fuzzing an automotive computer during the development lifecycle, the manufacturer can avoid putting drivers in dangerous situations from lack of cybersecurity testing.

The Ramifications of Not Implementing ISO SAE 21434 Standards 

Since ISO/SAE 21434 has a primary focus on electronic automotive device connectivity security, the biggest penalty for a company would be an actual security breach.  Any company that has their vehicles cyberattacked could potentially harm the customers and the general public.  That company would instantly lose credibility with the public and face potential compliance fines depending on the country, the successful type of cyberattack, and jurisdiction since ISO/SAE 21434 is a global regulation. 

Is ISO 21434 Released? 

As of August 31, 2021, ISO/SAE 21434 has been released.  This release is being referred to as ISO/SAE 21434:2021 Road Vehicles – Cybersecurity Engineering and replaces the previous drafts from February 2020.  There are no serious changes from the previous version, namely creates mandates for: 

  • Scanning and creating risk assessments 
  • Recognizing cybersecurity vulnerabilities 
  • Ensuring safeguards are added to development to find and correct any vulnerabilities 
  • Continuously test applications, software, and hardware to ensure risks have been mitigated 

The Future of ISO/SAE

The automotive industry is at an important juncture in its history. The connected car is offering drivers an exciting new era in car ownership. But this expanded capability introduces cybersecurity risks that could threaten the safety of drivers. The ISO/SAE 21434 standard was introduced by automotive stakeholders to address the security issues that connectivity brings. The standard provides a framework for hardened security to build safer vehicles using better fuzzing and testing methodologies.

Need to get ISO/SAE 21434 compliant? Learn more about Black Box Fuzzing with beSTORM and how it can be used as an automotive security testing tool.

What Role Does ISO Play in Cybersecurity? 

ISO is a technical committee that is part of a worldwide regulatory body of national standards in cybersecurity engineering. Members are part of international regulatory committees, governmental, and non-governmental organizations. ISO works closely with the International Electrotechnical Commission (IEC) on everything that includes electrotechnical standardization. 

How Did Automotive Cybersecurity Standards Started?

The precursor to ISO/SAE 21434 is ISO 26262 “Road vehicles – Functional safety”. This does not cover software development or car sub-systems, nor does it cover how to deal with cybersecurity incidents.

ISO/SAE 21434 covers every aspect of cybersecurity — from initial design to end-of-life decommissioning of a vehicle. The supply chain is also included to cover each step in automotive production. 

All phases of a connected vehicle’s lifecycle covering electrical and electronic systems, including their components and interfaces, are covered in ISO/SAE 21434 including:

  • Design and engineering
  • Production
  • Operation by customer
  • Maintenance and service
  • Decommissioning

This lifecycle approach to cybersecurity management makes ISO/SAE 21434 one of the most comprehensive approaches to connected vehicle cybersecurity.

The Impact of Automotive Cybersecurity ISO Standards for OEMs and Developers

Although the standard is still in development, any manufacturer, developer, or OEM should consider proactively integrating ISO/SAE 21434 into their current production process. The primary concern with the new standard revolves around cybersecurity. The standards focus on providing better safety to automotive consumers by regulating the way manufacturers test their products.

ISO/SAE 21434 requires that manufacturers and developers perform a risk assessment. Before you can identify risk, you need to know what causes it. An assessment will identify any component, API, or software function that could be vulnerable to attack. With the assessment done, you then identify vulnerabilities. Blackbox fuzzing scans the system to find potential vulnerabilities in the same way an attacker would scan your system. Using the right fuzzing tools, you can ensure that development is done with security as a priority.

The impact to automotive developers and manufacturers is that they have the benefit of producing applications and components that are tested before being launched, which benefits drivers and their safety. Fuzzing applications and finding vulnerabilities before they cause harm to drivers safeguards them and your organization’s reputation. 

Black Box Fuzzers Can Protect Against Unknown Vulnerabilities

See how black box fuzzers like beSTORM can protect against known and unknown vulnerabilities prior to product launch. Read the guide, How Black Box Fuzzers Protect Against The Unknown to learn more.