Download our FREE whitepaper on data loss prevention best practices. Download Now

Automotive cyber security standards: ISO/SAE 21434 and more

The automotive industry is one of the victims of the extremely rapid onset of the digital age. For a few decades, the car computer was just a fancy name for a very simple electronic control unit (ECU) monitoring the engine. The road vehicle would run fine with the computer turned off, it would just be less fuel-efficient.

That is no longer the case in the age of connected cars and, especially, fully autonomous vehicles. Today, we have cars with many advanced electronic systems – lights that adjust to road conditions, self-parking systems, advanced cruise control, all the way to vehicles that run by themselves with no need for a driver at all. Your car can no longer run without a computer. And if the computer goes awry, for example, as a result of a cyberattack, it can have severe consequences both for the driver and for everyone else on the road.

Are connected cars under threat of cyberattacks?

Since the connected vehicle concept is relatively new, malicious hackers are yet to exploit it en-masse, and the impact of cyberattacks is much lower than in the case of other applications of computer technology such as websites, mobiles, and IoT. However, be not mistaken; such attacks were already proven possible. While such cases are not yet making headlines due to their limited impact, it’s only a matter of time before malicious actors, such as those working for hostile governments, start seeking ways to eliminate people by steering their connected cars into canyons.

The more functionality and connectivity we introduce into the connected vehicles ecosystem, the easier it is to hack into connected cars. Vehicles and their electronic modules already need regular software updates, which could be delivered over the air instead of over cable, through publicly accessible Wi-Fi or a mobile network. Such update mechanisms sound like perfect interfaces for an attacker to exploit.

While it is amazing how quickly the industry has developed in such a short time, it made the same mistake as many other quickly developing industries – vehicle manufacturers often didn’t stop to think enough about every aspect of cybersecurity, and even if they did, they had very little guidance and the approach was not unified.  The last two years, however, have seen a lot of improvement in this scope thanks to the development of the global standard – ISO/SAE 21434 and the UNECE WP.29 requirements. These standards cover the most important cybersecurity requirements when it comes to the automotive industry – those concerned with vehicle safety itself.

Overview of ISO/SAE 21434

The ISO/SAE 21434 international standard, released in August 2020, was developed together by the International Organization for Standardization and SAE International (formerly known as the Society of Automotive Engineers). While this is a completely new standard, it was inspired by older ones: ISO 26262 for functional safety and SAE J3061 for cybersecurity. It represents the common language of organizations concerned with vehicle cybersecurity risk management. Its introduction was welcomed with open arms by all stakeholders because, until that time, they were faced with a long list of potentially usable standards.

Just from the first look at ISO/SAE 21434, it is clear that this safety standard is primarily concerned with vehicle software and hardware – it focuses on cyber threats caused by malicious hackers, security risk management for vehicles and their parts, and mitigation of cybersecurity incidents. This automotive security standard aims at helping manufacturers make sure that vehicles are developed with the lowest possible risk of a cyberattack. This includes the most serious cyberattacks that could pose a danger to the driver and other road users but also, for example, those that would endanger vehicle user privacy and their sensitive data.

ISO 21434 promotes road vehicle cybersecurity engineering based on the concept of security by design. It aims to help organizations develop programs and procedures that cover cybersecurity from the earliest stages of vehicle design throughout the entire vehicle lifecycle, including post-production, all the way to decommissioning. It nourishes a cybersecurity culture throughout the organization, makes sure the manufacturer doesn’t ignore important cybersecurity activities such as vulnerability analysis, vulnerability management, and threat analysis and risk assessment (TARA), as well as guides them toward clearly defining and managing cybersecurity risks through the establishment of a cybersecurity management system (CSMS).

Like all standard ISO recommendations, ISO/SAE 21434 is voluntary. Organizations are welcome to adopt it to improve their cybersecurity measures as part of due diligence but are not legally required to follow it. However, the standard may be a business requirement in the supply chain, and vehicle manufacturers may impose this requirement on automotive OEMs, automotive developers, service providers, and other stakeholders involved in product development.

UNECE WP.29 requirements

UNECE WP.29 is not a standard in itself, but a working party called the World Forum for Harmonization of Vehicle Regulations, formed by the Sustainable Transport Division of the United Nations Economic Commission for Europe (UNECE). It focuses not just on vehicle cybersecurity but on all aspects of regulating the construction, approval, and periodic technical inspections of wheeled vehicles. The rise in the number of connected vehicles drove UNECE WP.29 to include cybersecurity regulations in their vehicle safety requirements.

While in certain countries, manufacturers do not have to undergo any type of validation or attain the approval of the organization to introduce new vehicles onto the market, they still are required to follow the guidelines, and if discrepancies are found later, they could face recalls and major fines. This makes cybersecurity, which is now part of these requirements, no longer an option for vehicle manufacturers.

The requirements of UNECE WP.29 are more generic than those of ISO SAE 21434, and if the manufacturer meets the requirements of ISO 21434, they usually also meet all the requirements of WP.29. This assumption strengthens the position of ISO 21434 even more and encourages every vehicle manufacturer to adopt it, not just for easy type approval.

The role of DLP in automotive cybersecurity

Due to the fact that ISO/SAE 21434 covers a very specific scope of cybersecurity processes, it does not specifically concern itself with data privacy and security safeguards. However, these aspects are mentioned in the standard. The standard assumes that there is a way to ascertain information security. It expects the organization to go beyond ISO 21434 and develop cybersecurity processes to cover information security by building an information security management system with the help of standards such as ISO/IEC 27001. This is clearly mentioned in one of the sections of ISO 21434:

5.4.6 Information security management
Work products should be managed in accordance with an information security management system.

To ensure that the vehicle production processes in the entire value chain are safe from information theft, the information security management system mentioned in section 5.4.6 should include data loss prevention solutions such as the Endpoint Protector. While such solutions do not specifically apply to automotive software development, they protect the systems used in the development process of connected vehicles, which is just as important to ensure vehicle safety and owner safety.

Frequently Asked Questions

Why does the new ISO/SAE 21434 automotive cybersecurity standard matter?
The ISO/SAE 21434 is the first global automotive cybersecurity standard. It was received very well because, until its release, vehicle manufacturers were faced with many imperfect standards and recommendations.
Why is DLP important for the automotive industry?
To be able to design secure vehicle information systems, manufacturers must be able to rely on a robust information security management system, which is also one of the requirements of ISO/SAE 21434. DLP is an essential part of every information security management system.
What is the biggest security threat in the automotive industry?
The automotive industry, with the rapid development of connected and autonomous vehicles, faces a threat of malicious actors seeking ways to take control over such vehicles with potentially deadly consequences. Current security standards primarily focus on reducing the chance of cyberattacks and managing security incidents.
Why adopt a DLP solution?
When developing secure connected vehicles, manufacturers must ensure that sensitive information related to these vehicles does not reach malicious actors or it may increase the chance of cyberattacks. You should adopt a DLP solution as one of many cybersecurity mechanisms supporting secure product development.
explainer-c_learning

Download our free ebook on
Data Loss Prevention Best Practices

Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.

In this article:

    Request Demo
    check mark

    Your request for Endpoint Protector was sent!
    One of our representatives will contact you shortly to schedule a demo.

    * Your privacy is important to us. Check out our Privacy Policy for more information.