With the rapid development of concepts and technologies such as smart cars, connected vehicle networks, 5G, intelligent driving and V2X, automotive information security has become a crucial topic in the vehicle research and development process. Vehicle security now extends beyond the vehicle itself to the connected network, and the security risks and technical challenges faced by automotive R&D teams are growing exponentially. At the beginning of 2020, after sustained effort by nearly 100 internationally renowned enterprises and organizations in the automotive industry, the ISO/SAE 21434 road vehicle cybersecurity engineering standard was released, and it has since been officially adopted across the industry.

At the same time, the United Nations World Forum for Harmonization of Vehicle Regulations (UN/WP.29) issued three important regulations on intelligent connected vehicles in June 2020, R155/R156/R157, covering Cybersecurity (R155), Software Update/OTA (R156) and the Automated Lane Keeping System (ALKS, R157). They set clear cybersecurity requirements for vehicles sold in the European Union and other OECD countries after 2021. R155 is also the world's first mandatory regulation on automotive cybersecurity, which means that vehicle information security has moved from voluntary standards compliance to mandatory regulatory compliance. Correspondingly, China's Ministry of Industry and Information Technology officially issued the mandatory standard GB 44495-2024 "Technical Requirements for Vehicle Cybersecurity" on August 23, 2024, which will take effect on January 1, 2026.

The promulgation of these security development standards and mandatory regulations shows that automotive cybersecurity is now an irreversible trend, and they pose new challenges to the product development and operations of automakers and of Tier 1 and Tier 2 suppliers at every level. So how can these standards be followed to quickly implement the specific development and testing work they require?


What is ISO/SAE 21434?

ISO/SAE 21434 is the first cybersecurity standard for the automotive industry jointly developed by SAE and ISO. It comprehensively specifies the cybersecurity requirements for road vehicles and their components and interfaces, covering all relevant areas and major development processes of automotive R&D and manufacturing, including information security, cybersecurity management, requirements management, development, testing, production and O&M. ISO/SAE 21434 describes in detail how cybersecurity management objectives are to be achieved, covering all electronic systems, components, sensors and software in the vehicle as well as the entire supply chain. ISO/SAE 21434 is regarded as the industry consensus and is an important reference document for regulatory and certification bodies in cybersecurity. Its release provides strong support and guidance for OEMs, Tier 1 and Tier 2 suppliers in ensuring information and network security. The purpose of the standard is threefold:

1. Define a structured process that ensures security is built into the design;
2. Reduce the likelihood of successful attacks and the losses they cause;
3. Provide a clear approach that helps car companies address the information security threats faced by the global industry.

ISO/SAE 21434 describes vehicle cybersecurity from 15 aspects; its main chapters are shown in the figure below. Like ISO 26262, ISO/SAE 21434 is based on the overall design idea of the "V model" and provides a layered approach to risk assessment and mitigation, which greatly aids in monitoring and suppressing hacker attacks. ISO/SAE 21434 mainly includes:

  • Terms and definitions related to information security;

  • Information security management, at both the organizational level and the specific project level;

  • Threat Analysis and Risk Assessment (TARA);

  • Development of the information security concept phase;

  • Threat mitigation measures and security design at the architecture and system levels;

  • Information security development at the software and hardware level, including security design, integration, verification and validation;

  • Systematic information security testing and validation methods;

  • Supporting processes for information security development, including requirements management, traceability, change management and configuration management, monitoring, and event management;

  • Prediction, prevention, detection, response to and recovery from information security incidents in the production, operation, maintenance and end-of-life phases.


Demands and Challenges

  • The shift from a purely functional-safety R&D philosophy and methodology to one that also covers automotive cybersecurity presents a significant barrier to entry in terms of experience.

  • How to meet the mandatory regulatory requirements of UN R155 and GB 44495-2024?

  • How can the development and testing work required by the ISO/SAE 21434 standard be quickly implemented?

  • How to effectively establish a CSMS process that complies with automotive cybersecurity standards, and how to automate its management?

  • How can we achieve platformization and automation of secure development to address the shortage of automotive cybersecurity talent and experience?

  • How to respond to the ban on Chinese-made vehicle connectivity system (VCS) hardware and software products issued by the US Department of Commerce's Bureau of Industry and Security (BIS) in March 2025?

Solutions

  • Platform-based Automotive Cyber Security Management System

  • Threat Analysis and Risk Assessment

  • Static Security Scanning

  • Software Bill of Materials / Firmware Security Inspection

  • Software Composition Analysis/Open Source Component Security

  • Fuzzing

  • Penetration Testing
