Comply with ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering

The ISO/SAE 21434 is the new point of reference for cybersecurity in the automotive industry. It aims to set a common standard and provides a state-of-the-art reference for automotive cybersecurity. Still, there are enormous challenges not only for car manufacturers but also for suppliers.

Get an overview of how it affects your company and how you can effectively handle the implications.


It is not only about the ISO/SAE 21434.
There is more to it than just complying with the standard.

The ISO/SAE 21434 industry standard supports meeting the requirements of UNECE Regulation No. 155, which requires cybersecurity to be established for all road vehicle types and became mandatory for the approval of all new vehicle types on July 1st 2022; noncompliance leads to a sales ban in all 64 UNECE member countries.

You can read more about the standard in our Official Publication of ISO/SAE 21434 blog article.

Compliance with the more than 100 requirements of ISO/SAE 21434 is the recommended way to comply with UN R155.

Failing to comply with the standard and the regulation will not only lead to a sales ban and financial losses; a lack of secure products may also cause you to lose customers and revenue.

In conclusion, insufficient compliance with ISO/SAE 21434 translates into noncompliance with UN R155 and no sales.

Therefore, the sooner you start identifying and closing potential cybersecurity gaps within your organization, processes, or products by means of pre-audits, the better. Pre-audits are also best practice in the context of ISO PAS 5112.

Evaluate your status quo
according to ISO/SAE 21434

Our ISO/SAE 21434 Gap Analysis, developed by CYRES Consulting, offers a field-proven approach to put your organization, your processes around a development project, and your specific engineering activities to the test: Are you compliant with ISO/SAE 21434?

As experts in the ISO/SAE 21434 standard and with experience from countless automotive cybersecurity projects for leading OEMs and supplier organizations worldwide, we offer you not only a benchmark against the specific requirements of the standard, but also incorporate best practices, common practices of comparable market players, and much more. Not only do we explicitly consider ISO/SAE 21434, but our Gap Analysis also addresses UN R155 and beyond.

With the final report, you receive clear recommendations for action and a catalog of measures that define the necessary steps toward correct application of the standard.

YOUR BENEFITS WITH THE ISO/SAE 21434 GAP ANALYSIS FROM CYRES CONSULTING

  • Evaluate your current status quo regarding compliance with ISO/SAE 21434
  • Gain valuable insights into your custom roadmap status from a cybersecurity perspective at all levels of your organization, regardless of which phase you are currently in
  • Ensure that none of your resources are unnecessarily wasted
  • Initiate your investments and actions at the right time in the right direction or make adjustments

Learn more about the ISO/SAE 21434 Gap Analysis.

ISO/SAE 21434 is not only a concern for OEMs at product level.
The scope is much wider.

Regardless of whether a company is an OEM or a Tier-n supplier manufacturing passenger cars or trucks, ISO/SAE 21434 affects not just all road vehicles at the product level, but also organizations along the entire value chain at every level. Your components may not be allowed to be used within the car. Even worse, the vehicle itself may be denied final type approval, and its production banned, under UN R155:


Organizational level

General awareness of cybersecurity must exist in all relevant departments. In fact, ISO/SAE 21434 requires management to acknowledge cybersecurity risks and their mitigation. Therefore, decision-makers need to understand the importance of cybersecurity, the necessary certification, the documentation required as proof of compliance, and how to cascade awareness down through the organization.

Build cybersecurity awareness at the top

The Fundamental Principles of Automotive Cybersecurity for Executives and Managers training supports you in getting the required commitment from management to properly fund cybersecurity activities and foster a cybersecurity culture.


Project level

For decades, automotive products have been developed following project management principles. Now cybersecurity must be embedded at every single step to ensure that the entire product is cyber secure. ISO/SAE 21434 dedicates Clause 6 to cybersecurity management and cybersecurity activities at the project level. Thus, cybersecurity must be integrated throughout the project lifecycle.

Integrating cybersecurity in automotive projects

In our experience as an automotive cybersecurity consultancy working for leading OEMs and Tier-n suppliers worldwide, we understand that this adds a burden across the entire automotive supply chain. Contact us to start a conversation on how we can support you.


Engineering level

Steering wheels, headlights, sensors, radar and LiDAR systems, lane keeping systems, software: every single connected component of the vehicle must be cyber secure. Since the ISO/SAE 21434:2021 standard affects almost all structures, procedures, and processes along the entire lifecycle, varying levels of automotive cybersecurity competence are needed across the organization.

Book automotive cybersecurity training

Start building automotive cybersecurity competences for your organization with the CYRES Consulting automotive cybersecurity training and enable your team to become certified automotive cybersecurity professionals with a TÜV Rheinland Certified Qualification.

Ensuring cybersecurity at the product level according to ISO/SAE 21434

At the product level, ISO/SAE 21434 applies to road vehicle E/E systems, including their components, software and interfaces up to any external network or device. Moreover, all phases of the vehicle lifecycle, including design, engineering, production, operation, maintenance, and decommissioning, are relevant for compliance with ISO/SAE 21434.

Comparable to the Functional Safety requirements of ISO 26262, ISO/SAE 21434 requires cybersecurity to be integrated into the automotive development process. Alongside recommended minimum cybersecurity requirements, there are also 42 resulting work products, including the Item Definition, the TARA (Threat Analysis and Risk Assessment), and the Cybersecurity Concept. However, besides the challenge of allocating a high amount of resources and effort to comply with the standard (low compared to the cost of not complying) and deliver the required work products, the standard does not provide clear guidance on how to create them.

The world’s first ISO/SAE 21434:2021 Workbook, including all work product requirements, recommendations and permissions and officially licensed by ISO, has been released. It is available as a digital workbook (ebook/PDF) and can be ordered here.

Start deep diving into ISO/SAE 21434 work products

Watch and learn. Over 100 learning video courses on ISO/SAE 21434, its resulting work products, and relevant regulations such as UN R155 are also available:

Vehicle product lifecycle

How to ensure compliance with ISO/SAE 21434? The ISO PAS 5112 will be your guide

Since ISO/SAE 21434 leaves room for interpretation in its scope and definition process, insufficient coverage and non-compliance might arise, causing organizations to lose business. Hence, the officially published ISO PAS 5112:2022 Road Vehicles – Guidelines for auditing cybersecurity engineering was created to help organizations audit the cybersecurity achieved within their own organization and along the supply chain. This means that ISO PAS 5112 focuses on the overall organization along the entire product lifecycle and entire supply chain in order to ensure compliance end-to-end.

It also focuses on conducting an audit to determine whether a Cybersecurity Management System (CSMS) has been successfully established. Thus, ISO PAS 5112 is not only relevant for auditing against ISO/SAE 21434; it also directly references the CSMS under UN R155, which requires a Certificate of Compliance for the CSMS (valid for a maximum of 3 years), so ISO PAS 5112 can be used as a supporting guide to prepare for a UN R155 audit.

Therefore, conducting pre-audits ahead of the associated audits and assessments that are prerequisites for type approval is undoubtedly beneficial.

Complying with ISO/SAE 21434 is not easy. We are here to help.

    Your automotive security expert

    Manuel Sandler

    Partner, CYRES Consulting

    Manuel Sandler is Partner at CYRES Consulting. He has many years of experience in global project and process management in various parts of the value chain, including OEMs and Tier-1. He is ASPICE Provisional Assessor and an expert in Engineering Process Development, ISO 26262, ISO/IEC 15288 and ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering.

    Please note: Use the form for your first non-binding inquiry. In the following dialogue we will present you the scope of our specific services and define the organizational details together with you.


    Phone: +49 (0) 89 9542 808 00
    E-Mail: office (at) cyres-consulting.com
