LDRA welcomes the news that the ISO/SAE 21434 automotive cybersecurity standard has now been formally released. The guidance it contains relating to the development of secure code is less explicit than was once anticipated, which presents a different kind of challenge to ensuring compliance with extensive and detailed objectives. LDRA are looking forward to working with customers to help develop compliant interpretations of the new standard.
The ISO/SAE 21434 standard is focused on the issue of cybersecurity in automotive software.
Over the past few years, there has been a proliferation of automotive electrical and/or electronic systems (E/E/PE) such as adaptive driver assistance systems, anti-lock braking systems, steering and airbags. ISO 26262 “Road vehicles – Functional safety” was first published in 2012 in response to this explosion in automotive E/E/PE system complexity and the associated risks to public safety, bringing with it an opportunity for automotive manufacturers to embrace best functional safety practices throughout the development process life cycle.
ISO 26262 remains pertinent today, but because it was introduced before the emergence of the connected car it does not specifically address the risks associated with connectivity. ISO/SAE 21434 is therefore complementary to ISO 26262,and common language is used in the two standards recognition of that. ISO/SAE 21434 is applicable to road vehicles’ systems (including their components and interfaces) whose development or modification began after its publication.
Consider what is at risk if a connected car’s systems are accessible to “bad actors”.
Automotive cybersecurity is focused on preventing these attacks – whether from expert white hat hackers like Miller and Valasek, or black hat chancers abusing (say) Kali Linux to compromise any vulnerable systems they can find.
ISO/SAE 21434:2021 “Road vehicles — Cybersecurity engineering” describes an automotive security engineering process. It is complementary to ISO 26262 and focuses on cybersecurity risks in the development of automotive electronics. The standard requires the implementation of cybersecurity best practices throughout development, production, and operation.
However, it is seen by many as a missed opportunity. ISO 26262 runs to 12 parts, many of which have a direct impact on how compliant application software is developed. Part 6 alone, entitled “Product development at the software level”, runs to 66 pages. In contrast, the whole of ISO/SAE 21434 is 81 pages long, and its scope stretches across all aspects of electrical and electronic (E/E) systems within road vehicles, for automotive OEMs and suppliers throughout the supply chain.
Developers can expect to find details of what needs to be achieved in ISO 26262 from the perspective of functional safety, and ISO/SAE 21434 from the perspective of cybersecurity. But unlike ISO 26262, ISO/SAE 21434 does not presents details of exactly how to achieve its aims.
Automotive embedded applications were traditionally isolated, static, fixed-function, device-specific implementations, and practices and processes have relied on that status. But the advent of the connected car changed all that, and now cybersecurity is seen as vitally important with respect to both the safety of the vehicle, and to data protection.
ISO/SAE 21434:2021 was officially released on August 31, 2021, superseding SAE International’s 2016 publication SAE J3061TM Cybersecurity Guidebook For Cyber-Physical Vehicle Systems.
The two international standards differ a little in style in that SAE J3061 related the security and ISO 26262 safety processes to each other, and ISO/SAE 21434 decouples them.
The failure of ISO/SAE 21434 to give detailed guidance on how to achieve its objectives means that from a software perspective, the standard does little more than ratify the document it replaces. However, both ISO/SAE 21434 and SAE J3061 present a worthy set of goals for software developers to achieve, and the lack of detail affords flexibility on how they are achieved.
The new UNECE WP.29 regulation R155 for CSMS (Cyber Security Management System) has been adopted by UNECE’s World Forum for Harmonization of Vehicle Regulations, making compliance obligatory for vehicle type approval from June 2022. ISO/SAE 21434 is cited in R155 as an appropriate reference for appropriate cybersecurity skills.
This V-model illustrates the relationships between the sections of the standard that have the most impact on software development.
Developers familiar with functional safety development are used to defending the world against their system. Once that system is developed in a functionally safe manner, the world remains protected for as long as the system is in service.
Secure software development involves defending a system against an aggressive world that is forever evolving new and more sophisticated methods of attack, as addressed by ISO/SAE 21434 requirements [RQ‑08‑01], [RQ-08-02] and [RQ-08-03]. Unlike the world of functional safety, the development lifecycle for a secure system continues after a product is released as reflected by [RQ-13-01] and [RQ-13-02].
The ability to enforce coding standards on software modifications, re-run unit tests (regression testing), and to apply impact analysis when security is breached are all invaluable tools in ensuring an effective and efficient response to changes during development, or breaches after deployment. The LDRA tool suite provides all of these capabilities in a single, integrated environment.
Unlike functional safety requirements, cybersecurity requirements are derived by means of a process of Threat Analysis and Risk Assessment (TARA). However, traceability of the resulting cybersecurity requirements traceability is a key objective of ISO/SAE 21434, just like functional safety requirements traceability in ISO 26262.
ISO/SAE 21434 requirements [RQ‑09‑08], [RQ‑09‑09], and [RQ‑09‑10] discuss the derivation of cybersecurity requirements from cybersecurity specifications, and that principle of traceability is established throughout the development lifecycle – for example,
Keeping track of both traceability to the project requirements and to the objectives of the standard itself can present a project management nightmare, especially when changes occur. In many cases ISO 26262 will be applied concurrently, and standards such as AUTOSAR and ASPICE may also apply. The TBmanager component of the LDRA tool suite can help by automating traceability not only to the collated objectives from one or more standards, but also to project requirements.
Automated traceability ensures access to a requirements traceability matrix that is always pertinent and up-to-date, facilitating instant feedback on the likely impact of any failed tests or changes to requirements.
The TBvision component of the LDRA tool suite provides a suitable mechanism for checking adherence to the chosen language subset, and TBexclude allows any deviations from that subset to be justified and documented.
ISO/SAE 21434 requirement [RQ-10-05] suggests that an appropriate language subset (often known as a coding standard) is used. Both MISRA C and CERT C are cited as examples of appropriate language subsets for this purpose. The MISRA language subsets are also recommended by ISO 26262 from a functional safety perspective.
ISO/SAE 21434 includes requirements [RQ-10-09] and [RQ-10-10] which are concerned with the integration of the components into subsystems and systems, to the verification that the result fulfils the cybersecurity specifications. [RQ-10-10] highlights the following methods for verification, each of which is supported by the LDRA tool suite:
Dynamic analysis (or DAST) in the context of code during development and integration usually implies “white box” analysis, such that the source code is available and mapped to the execution of the object code.
More traditional “black box” security techniques such as fuzz testing and penetration testing still have a place in the ISO/SAE 21434 development lifecycle, but these are used after the system is complete to confirm the success of the precautions taken during development.
Email: info@ldra.com
EMEA: +44 (0)151 649 9300
USA: +1 (855) 855 5372
INDIA: +91 80 4080 8707