With the rapid development of concepts and technologies such as smart cars, vehicle networks, 5G, intelligent driving, and V2X, automotive cybersecurity has become a critical issue in vehicle R&D. Vehicle safety has expanded from the safety of the vehicle itself to the security of connected networks, and the security risks and technical challenges faced by automotive R&D teams will grow exponentially. In early 2020, the ISO and SAE standards organizations joined forces, and after relentless efforts by nearly 100 internationally renowned companies and organizations in the automotive industry, the ISO/SAE 21434 standard for cybersecurity in road vehicles was released and has been officially implemented within the industry.
Meanwhile, in June 2020 the United Nations World Forum for Harmonization of Vehicle Regulations (UN/WP.29) released three important regulations for intelligent connected vehicles: R155 (Cybersecurity), R156 (Software Updates, OTA) and R157 (Automatic Lane Keeping System, ALKS). These clearly stipulate the cybersecurity requirements for vehicles sold in the EU and other OECD countries after 2021. R155 is also the world's first mandatory regulation on automotive cybersecurity, marking the transition from compliance with standards to adherence to regulations. In response, China's Ministry of Industry and Information Technology officially released the mandatory standard GB 44495:2024 “Technical Requirements for Cybersecurity of Motor Vehicles” on August 23, 2024, which will take effect on January 1, 2026.
The promulgation of these security development standards and mandatory regulations undoubtedly signifies that automotive cybersecurity is an inevitable trend, and they all present new challenges to product development and operations for automotive manufacturers, Tier 1, and Tier 2 suppliers at all levels. So, how should we adhere to these standards and swiftly implement specific development and testing work?
ISO/SAE 21434 is the first cybersecurity standard for the automotive industry jointly developed by SAE and ISO. It comprehensively specifies cybersecurity requirements for road vehicles, their components, and interfaces, covering all relevant areas and major development processes in automotive research, development, and manufacturing, including information security, cybersecurity management, requirements management, development, testing, production, and operations. ISO/SAE 21434 provides detailed guidance on how to achieve cybersecurity management objectives in response to cybersecurity issues, covering all electronic systems, components, sensors, and software within vehicles, as well as the entire supply chain. ISO/SAE 21434 is regarded as an industry consensus and serves as an important reference document for regulatory and certification bodies in the field of cybersecurity. The publication of ISO/SAE 21434 provides strong support and guidance for OEMs, Tier 1, and Tier 2 suppliers on how to ensure information security and cybersecurity. The objectives of this standard (ISO/SAE 21434) are threefold:
1. Establishing a structured process to ensure information security design;
2. Reducing the likelihood of successful attacks and minimizing losses;
3. Providing clear methods to help automotive companies address the information security threats faced by the global industry.
ISO/SAE 21434 addresses vehicle cybersecurity from 15 key areas and includes the main chapters shown in the figure below. Similar to ISO 26262, ISO/SAE 21434 is also based on the “V-model” design approach, which provides a layered solution for risk assessment and mitigation and significantly aids in monitoring and suppressing cyberattacks. ISO/SAE 21434 primarily covers:
1. Information security-related terminology and definitions;
2. Information security management at both the organizational and project-specific levels;
3. Threat analysis and risk assessment (TARA);
4. Information security development in the concept phase;
5. Threat mitigation measures and security design at the architectural and system levels;
6. Information security development at the software and hardware levels, including security design, integration, verification, and validation;
7. Systematic testing of information security systems and their validation methods;
8. Supporting processes during information security development, including requirements management, traceability, change management, configuration management, monitoring, and incident management;
9. Prediction, prevention, detection, response, and recovery for information security incidents during the production, operation, maintenance, and disposal phases.
Demands and Challenges
The shift from a functional-safety-only R&D philosophy to one that also accounts for automotive cybersecurity requires experience that many teams do not yet have, and this is a significant barrier to entry.
How can the mandatory regulatory requirements of UN R155 and GB 44495:2024 be met?
How can the development and testing work required by the ISO/SAE 21434 standard be implemented quickly?
How can a CSMS (cybersecurity management system) process that complies with automotive cybersecurity standards be established effectively, and how can its management be automated?
How can secure development be platformized and automated to address the shortage of automotive cybersecurity talent and experience?
How should companies respond to the ban on Chinese-made vehicle connectivity system (VCS) hardware and software products issued by the US Department of Commerce's Bureau of Industry and Security (BIS) in March 2025?
Solutions
Platform-based Automotive Cyber Security Management System
Threat Analysis and Risk Assessment
Static Security Scanning
Software Bill of Materials / Firmware Security Inspection
Software Composition Analysis/Open Source Component Security
Fuzzing
Penetration Testing
Klocwork
A modern static code analysis tool for C/C++/Java/C# code. It uses deep data-flow analysis to identify code defects and security vulnerabilities across classes and files and to pinpoint the execution paths on which each error occurs.
Cybellum
A product cybersecurity integration management system driven by core binary file analysis technology, providing an integrated platform solution covering security management centers, SBOM, network compliance, vulnerability detection, incident response, and
HydraVision
A security testing system for penetration testing and fuzz testing of automotive and industrial ECUs, supporting automated security testing throughout the entire security lifecycle of ECUs. It comes with a variety of hardware modules suitable for differen
Vultara
A software system specifically designed for automotive network and information security development and management, featuring a powerful and continuously updated security database and threat analysis engine. It automates the threat analysis and risk asses