ISO/SAE 21434 sets out the requirements for cybersecurity engineering of road vehicles and underpins the cybersecurity management system (CSMS); conformity with it is used to demonstrate the cybersecurity of newly type-approved connected vehicles.
Linked to UNECE Regulation No. 155, the standard is the joint work of the International Organization for Standardization (ISO) and SAE International (the Society of Automotive Engineers); hence it is called ISO/SAE 21434 – Road vehicles – Cybersecurity engineering.
Fundamentals of ISO 21434
ISO 21434 applies to the electrical and electronic (E/E) systems of mass-produced road vehicles, including software and related components and interfaces.
Although the standard does not prescribe specific technical requirements or technologies, it is the reference for the overall cybersecurity of vehicle E/E systems, because:
- it specifies requirements for cybersecurity risk management
- it covers the topic of a product’s lifecycle, from concept through decommissioning, including aspects necessary for the OEM to achieve compliance from an organizational perspective
- it defines a common language for managing cybersecurity risks within the supply chain
When to apply ISO 21434
ISO 21434 applies specifically to the vehicle itself; systems outside the vehicle are treated as interfaces and are therefore outside its scope.
In addition, its application is limited to elements and components relevant to cybersecurity, and includes after-sales and spare parts, as outlined in Annex D: Cybersecurity relevance.
The following fall within the components covered by ISO 21434:
- Gateway
- Infotainment systems
- Sensors
- Cameras
- Security systems
- Communication systems in general
On the other hand, the following are currently treated as interfaces to the vehicle, and so are outside the scope of the standard:
- External storage devices
- Back-end servers
- Connectivity systems
- Diagnostic and maintenance applications
Other standards and frameworks, such as IEC 62443, ISO/IEC 27001, or the NIST Cybersecurity Framework, may be applied to the latter.
The security lifecycle according to ISO 21434
The lifecycle defined by the ISO 21434 management system stresses the organizational measures needed to ensure the cybersecurity of end products.
Like other cybersecurity standards, ISO 21434 places strong emphasis on the roles and responsibilities of OEMs and their suppliers, devoting large sections to:
- Cybersecurity governance
- Supply of resources
- Cybersecurity culture
- Cybersecurity procedures
- Information sharing
The reasoning behind the ISO 21434 security lifecycle, and how it is applied, are summarized in the diagram below.
Figure: ISO 21434 security lifecycle