[Cyber Security] 1. ISO/SAE 21434 Basic

ISO/SAE 21434 Basic

In this post series, we will focus on cyber security in the automotive electronics industry and cover the essentials that system engineers must know. Since the field of cyber security is so broad, my knowledge is limited and it would take a lot of time to cover everything in detail, so I will focus on some important topics.

The importance of cyber security is further emphasized by the recent legislation that came into effect in the EU, UNR155-Car Cyber Security Management (CSMS) and UNR156-SW Update Management (SUMS). In this post, we will focus on UNR155 and discuss UNR156 in a later post.

UNR155 consists of two main requirements:

  1. Automobile manufacturers must properly establish various processes and management systems for cybersecurity and prove their suitability. (Cyber Security Management System, CSMS)
  2. Manufacturers must have a CSMS certificate and perform verification tests, including risk assessment and security measures, on their vehicles. (Vehicle Type Approval, VTA)

In other words, for each vehicle type, automobile manufacturers must demonstrate through Vehicle Type Approval (VTA) that they have successfully implemented a cybersecurity engineering process that applies the Cyber Security Management System (CSMS).

UNR 155 and 156 target automobile manufacturers directly, but also impact partners and service providers by requiring cybersecurity dependency management through the establishment of a cybersecurity management system. Additionally, certain automobile manufacturers may directly require partners or service providers to establish a CSMS when bidding. Accordingly, partner companies must also establish a cyber security management system.

UNR155 requires the establishment of a cybersecurity management system, but does not specify how to do so. This is where the ISO/SAE 21434 standard, already an established industry standard for cybersecurity management, comes in handy.


Now let’s take a quick look at the ISO/SAE 21434 standard.

ISO/SAE 21434 consists of a total of 15 clauses (divided into phases) and 41 sub-clauses as shown below. Additionally, the standard defines 101 requirements, 13 recommendations, 4 permissions, and 42 outputs to achieve CSMS.

[Image: overview of all clauses of ISO/SAE 21434]

Each provision is briefly explained in the following table.

| Chapter | Content |
|---|---|
| 5. Organizational Cybersecurity Management | Cybersecurity Policies and Culture: Guidelines for developing regulations and processes related to cybersecurity that must be implemented within an organization. |
| | Information Sharing: Guidelines for effectively sharing cybersecurity information. |
| | Management System Integration: Procedures for managing other management systems and tools. |
| | Cybersecurity Auditing: Procedures for assessing the compliance status of cybersecurity within the organization. |
| 6. Project-Dependent Cybersecurity Management | Cybersecurity Planning: Process for identifying and planning project-specific cybersecurity requirements. |
| | Project Assessment: Procedures for evaluating the cybersecurity level of each project. |
| 7. Distributed Cybersecurity Activities | Partner Management: Processes for aligning cybersecurity standards with partners. |
| | Request for Quotation and Responsibility Coordination: Methods for coordinating quotations and responsibilities from external vendors. |
| 8. Continuous Cybersecurity Activities | Security Monitoring: Process for continuously monitoring security events and information. |
| | Vulnerability Management: Procedures for identifying and managing system vulnerabilities. |
| 9. Concept | Item Definition and Development: Defining the cybersecurity requirements of a product and establishing a development plan. |
| | TARA Execution: Performing Threat Analysis and Risk Assessment (TARA) to develop the concept. |
| 10. Product Development | Cybersecurity Product Development Process: Integrating cybersecurity requirements during the product development stages. |
| 11. Cybersecurity Validation | Product Validation: Process for validating the effectiveness of the developed cybersecurity solutions. |
| 12. Production | Production Management: Guidelines for integrating cybersecurity requirements into the production process. |
| 13. Operations and Maintenance | Incident Response: Methods for responding to security incidents. |
| | Software Updates: Processes for maintaining security through software updates. |
| 14. Termination and Disposal of Cybersecurity Support | Cybersecurity Termination: Procedures for ending and disposing of product cybersecurity support. |
| 15. Threat Analysis and Risk Assessment (TARA) | Risk Analysis Methodology: A systematic approach to analyzing and assessing security risks. |

Knowledge of ISO 26262 is a great help in understanding the ISO/SAE 21434 standard. Some sections of ISO/SAE 21434 have a similar structure to certain parts of ISO 26262:

  • Sections 5 and 6: Like Parts 2 and 8 of ISO 26262, these cover organization-wide and project-related processes.
  • Section 7: The Cyber Security Interface Agreement (CIA), the main document for distributed cybersecurity activities, plays a similar role to the DIA covered in Part 8, Section 8-5 of ISO 26262.
  • Clauses 9, 10, 11: These sections related to cybersecurity development are similar to the activities of Parts 3, 4, 5, and 6 of ISO 26262.
  • Sections 12 and 13: These are carried out similarly to the activities of Part 7 of ISO 26262.

Clauses 8 and 15 of ISO/SAE 21434 differentiate it from ISO 26262 and reflect significant differences in the objectives and ongoing requirements of the two standards:

  • ISO 26262: The goal is to eliminate risks due to hardware failures or systematic errors potentially present in electrical/electronic systems. Once product development is complete, the product is considered to be of reasonable risk and no additional ISO 26262-related work is required.
  • ISO/SAE 21434: The goal is to protect electrical/electronic components and functions from external attacks, such as those by hackers. Because external attack methods continue to evolve, ongoing cybersecurity support is required even after product development is complete.
    • Section 8 (Ongoing Cybersecurity Activities): Monitor and respond to new threats that are continuously discovered during product operation.
    • Section 15 (Threat Analysis and Risk Assessment): Provides a methodology for continuously discovering and analyzing threats throughout the product life cycle.


Among the various sections of ISO/SAE 21434, I will briefly explain Sections 9, 10, 11, and 15, the areas of cybersecurity development that are of most interest to engineers designing systems in the automotive electronics industry.

Section 15 will be covered in the next post, so in this post, I will briefly explain the concept (Section 9), product development (Section 10), and cybersecurity validation (Section 11).

Section 9. Concept Stage

The concept stage is the stage where the item and its operating environment are systematically defined by considering the functions implemented at the vehicle level. The following main activities take place in this phase:

1. Item Definition:

  • Clearly identify and define the item and its operating environment.
  • The item’s boundary, item’s function, and preliminary architectural information must be identified.
  • The item definition is similar to the item definition in ISO 26262 Part 3, but when creating a preliminary architecture in ISO/SAE 21434, the operating environment must include not only the external interfaces at the item boundary but also interfaces that can be used as an attack path, such as cellular or Bluetooth (see picture below).
  • This item definition forms the basis for all subsequent activities in the project.

[Image: preliminary architecture showing the item boundary and its operating environment]

2. Cybersecurity Risk Assessment (TARA):

  • Assess and understand your cybersecurity risks through Threat Analysis and Risk Assessment (TARA).
  • This assessment provides an important baseline for setting cybersecurity goals.
  • Upon completing TARA, cybersecurity goals and claims are derived. (TARA will be discussed in the next post.)

3. Set your cybersecurity goals:

  • State your cybersecurity goals, which are the highest level requirements for your item.
  • This goal is set based on the operating environment and the characteristics of the item.

4. Cybersecurity Claim Statement:

  • Specifies the cybersecurity claims needed to determine whether to maintain, reduce, or share risk.
  • This claim plays an important role in clarifying how and why risks are managed.

5. Cybersecurity Concept Development:

  • Develop requirements, including a description of cybersecurity controls to achieve cybersecurity goals.
  • Developed by combining operational environment requirements and cybersecurity requirements.
  • All of these requirements are derived based on cybersecurity goals and start from a comprehensive view of the item.
  • Example:
    • Cybersecurity Goal: Integrity of vehicle speed information shall be ensured.
    • Requirement 1: The VS ECU shall send the accurate vehicle speed information with integrity to the AC ECU.
    • Requirement 2: The AC ECU shall supply power to the actuator after checking the integrity of the VS information.
    • Requirement 3: The actuator shall be activated only when powered by the AC ECU.
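
The three example requirements above, sketched as an added example (not code from the original post or from the standard). It assumes integrity is provided by an HMAC-SHA256 tag truncated to 8 bytes plus a freshness counter; the frame layout, the key, and the names vs_ecu_send and AcEcu are hypothetical.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))  # constructed demo key; a real ECU keeps its key in protected storage
TAG_LEN = 8             # assumed truncated-MAC length in bytes
BODY_LEN = 6            # 2-byte speed (0.01 km/h units) + 4-byte freshness counter


def vs_ecu_send(speed_x100: int, counter: int, key: bytes = KEY) -> bytes:
    """Requirement 1: the VS ECU sends speed, freshness counter and MAC."""
    body = struct.pack(">HI", speed_x100, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AcEcu:
    """Requirements 2 and 3: the actuator is powered only after the check passes."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = -1
        self.actuator_powered = False

    def receive(self, frame: bytes):
        self.actuator_powered = False  # fail closed until this frame is verified
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        speed_x100, counter = struct.unpack(">HI", body)
        if counter <= self.last_counter:  # stale or replayed frame
            return None
        self.last_counter = counter
        self.actuator_powered = True
        return speed_x100 / 100


def demo() -> dict:
    """Run one valid, one tampered and one replayed frame (all constructed)."""
    ac = AcEcu()
    good = vs_ecu_send(8050, 1)
    out = {"valid": ac.receive(good), "powered_after_valid": ac.actuator_powered}
    tampered = bytearray(vs_ecu_send(8050, 2))
    tampered[0] ^= 0x01  # flip one bit of the speed field
    out["tampered"] = ac.receive(bytes(tampered))
    out["replayed"] = ac.receive(good)
    out["powered_after_reject"] = ac.actuator_powered
    return out
```

The same three frames also serve as requirements-based test cases for the verification activities in Section 10: one accepted input and two that must be rejected.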


Section 10. Product Development

The product development phase details the architectural design along with the specification of cybersecurity requirements. This phase includes critical activities to realize cybersecurity goals through design and implementation.

Key activities include:

1. Cybersecurity Requirements and Architectural Design Specification:

  • Document all cybersecurity requirements in detail and base the architecture design on them.
  • During the design process, not only functional requirements but also security requirements must be met.
  • Unlike the ISO 26262 standard, the ISO/SAE 21434 standard does not distinguish system, hardware, and software specifications. Additionally, requirements and architecture design specifications are not explained separately. However, Section 10 of ISO/SAE 21434, similar to ISO 26262, includes both cybersecurity requirements and architectural design for systems, hardware, and software. Therefore, it is sufficient to include all system, hardware, and software requirements and architecture design in a single document called ‘Cyber Security Specification’.

2. Integration and verification activities:

  • Along with the integration of designed systems, ensure that cybersecurity-related controls and defense mechanisms are appropriately integrated.
  • Systematically review whether the designed cybersecurity requirements have been met through verification activities and make corrections if necessary.
  • Verification methods may include:
    • Requirements-based testing
    • Interface testing
    • Assess resource usage
    • Check control flow and data flow
    • Dynamic analysis
    • Static analysis
  • If verification by testing is adopted, test methods may include:
    • Cybersecurity functional testing (requirements-based): Testing security-related requirements
    • Vulnerability scanning: Scan for (known) vulnerabilities on the system.
    • Fuzzing test: Detect (new) vulnerabilities by sending input data in random format
    • Penetration testing: Conducting experience-based hacking attempts to exploit vulnerabilities

3. Iterative improvement activities:

  • Cybersecurity design and implementation are performed iteratively and improved through continuous feedback and evaluation.
  • This process continues until cybersecurity controls no longer require improvement.

4. Definition and Verification of Cybersecurity Specification:

  • Based on the cybersecurity specifications defined during the development process, final verification is performed to ensure that the final product satisfies the set cybersecurity goals.

This section emphasizes systematic verification of meeting cybersecurity objectives, which plays an important role in ensuring the overall security of the product. This thorough approach during product development is key to effectively protecting your products from cyber threats.


Section 11. Cybersecurity Validation

This section describes important activities to ensure the cybersecurity adequacy of items at the vehicle level. This process is performed taking into account the vehicle’s operating environment before the item enters series production.

Main activities include:

1. Review Cybersecurity Requirements:

  • Perform a comprehensive review of cybersecurity requirements defined at vehicle level.
  • Evaluate whether these requirements match security threats in the actual vehicle operating environment.

2. Cybersecurity Feasibility Assessment:

  • Verify that the design and implementation are reasonable to meet the item’s cybersecurity requirements.
  • This assessment prior to series production ensures that all necessary cybersecurity measures have been properly integrated.

3. Consider vehicle-level operating environment:

  • Consider the various environmental factors that apply when the item is actually used in the vehicle.
  • Evaluate security in various situations such as external threats, physical accessibility, and network connectivity.

4. Prepare for series production:

  • Based on the results of the cybersecurity feasibility review, provide final confirmation that the item is ready for series production.
  • Promote additional security measures or design changes when necessary.

These activities ensure that items at the vehicle level meet the cybersecurity standards required in real-world operational environments and that necessary security measures can be applied in a timely manner. This process strengthens the overall cybersecurity structure of the vehicle and contributes to providing a safe driving environment for end users.


This is a brief description of automotive cybersecurity and ISO/SAE 21434, as well as sections 9, 10, and 11 of the standard. In the next post, we will learn about ISO/SAE 21434 Section 15 Threat Analysis and Risk Assessment Methodology (TARA).

