Cybersecurity Meets Automotive Business

The automotive industry is well known for its security standards regarding the road safety of vehicles. All processes regarding vehicle development — from drawing board to sales — were standardized and refined over the years. Both internal tests, as well as globally renowned companies like NHTSA or EuroNCAP, are working hard on making the vehicle safe in all road conditions — for both passengers and other participants of road traffic.

Safety engineering is currently an important part of automotive engineering and safety standards, for example, ISO 26262 and IEC 61508. Techniques regarding safety assessment, like FTA (Fault Tree Analysis), or FMEA (Failure Mode and Effects Analysis) are also standardized and integrated into the vehicle development lifecycle.

With the advanced driver assistance systems starting to be a commodity, the set of tests started to quickly expand adapting to the market situation. Currently, EuroNCAP takes into account automatic emergency braking systems, lane assist, speed assistance, or adaptive cruise control. The overall security rating of the car highly depends on modern systems.

But the security is not limited to crash tests and driver safety. In parallel to the new ADAS systems, the connected car concept, remote access, and in general, vehicle connectivity moved forward. Secure access to the car does not only mean car keys but also network access and defense against cybersecurity threats.

All of these resulted in the definition of the new standard called ISO 21434 “Road vehicles — cybersecurity engineering. The work started last year, but currently, it’s at the “Approval” phase, so we can quickly go through the most important topics it tackles.

In general, the new norm provides guidelines for including cybersecurity activities into processes through the whole vehicle lifecycle. The entire document structure is visualized below:

The important aspect of the new standard is that it does not only handle vehicle production but all activities until the vehicle is decommissioned — including incident response or software updates. It does not just focus on singular activities but highly encourages the continuous improvement of internal processes and standards.

The document also lists the best practices regarding cybersecurity design:

The requirements do not end on the architectural and design level. They can go as low as the hardware (identification of security-related elements, documentation, and verification for being safe, as they are potential entry points for hackers), and source code, where specific principles are also listed:

The standard documentation is comprehensive, although clearly visible in the provided examples rather abstract and not specific to any programming languages, frameworks, and tools. There are recommendations, but it’s not intended to answer all questions, rather give a basis for further development. While not a panacea to all cybersecurity problems of the industry, we are now at the point when we need standardization and common ground for handling security threats in-vehicle software and connectivity, and the new ISO 21434 is a great start.

If this post was helpful, please click the clap 👏 button below a few times to show your support for the author 👇

Related posts:

It is so exciting to be able to announce the winners of this year’s writing competition, whose theme, old vines and old vineyards, really seems to have struck a chord. The standard of entries was the…

Reading about influential figures in Black history is a powerful way to inspire your students. Learning about people who thought of new ideas, stood up against injustice, and pursued their passions…

Since 2018 and the introduction of the notorious General Data Protection Regulation (GDPR,) all member states have been required to establish a national data protection authority. The role of these…