By Dan Shoemaker
Sun | May 15, 2022 | 7:15 AM PDT

It is safe to assume that the automotive OEMs don't enjoy being regulated. And yet, regulation is a fact of life for the folks in the car business, and that's the reason every OEM needs to pay careful attention to a document titled ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering (August 2021).

ISO/SAE 21434 specifies the practices that manage cybersecurity risk across the concept, development, production, operation, maintenance, and decommissioning phases of the electrical and electronic (E/E) systems of road vehicles. The standard covers the in-vehicle side, including internal networks and embedded ECUs, as well as every external interface the vehicle exposes: cloud and backend services, telematics links, and radio interfaces such as cellular networks and GNSS/GPS receivers.

ISO/SAE 21434 is a product of ISO Technical Committee 22 (Road vehicles), Subcommittee 32, developed jointly with SAE International. Thus, it carries the weight of the International Organization for Standardization (ISO), the world's commonly acknowledged standards body. It is relevant to all lifecycle stages, from concept through development and operation, and it applies to the management of cybersecurity risk for the items and components of series-production road vehicles. In addition to the traditional vehicle manufacturing and service OEMs, ISO/SAE 21434 also applies up and down the supply chain, and it includes both the aftermarket and the service sectors.

Realistically though, 21434's laundry list of expensive "thou shalts" would be ignored by the industry if it weren't tied to a United Nations regulation, UN Regulation No. 155 (UNECE R-155), "Uniform Provisions Concerning the Approval of Vehicles with Regards to Cyber Security and Cyber Security Management Systems." R-155 was adopted by UNECE's World Forum for Harmonization of Vehicle Regulations (WP.29) under the 1958 Agreement, the treaty through which contracting parties mutually recognize vehicle type approvals. Because type approval is the gate to the market, a WP.29 regulation carries real force wherever a contracting party applies it.

R-155 makes the vehicle manufacturer accountable for guarding against cyberattacks. It requires every OEM planning to do business in the European Union to prove that it has implemented a functioning Cyber Security Management System (CSMS). A CSMS certificate of compliance, issued after assessment by the approval authority or its technical service, is then a precondition for obtaining vehicle type approvals. Or in more prosaic terms, an OEM will not be able to sell cars in Europe if it cannot show certified evidence that a fully functioning CSMS is in place.

The scary part is that in addition to documenting its own due diligence, an OEM must also demonstrate that the cybersecurity risks arising from its suppliers and service providers are identified and managed. Accordingly, an OEM's suppliers will also need to operate processes that satisfy the OEM's R-155 obligations, in practice a CSMS of their own. And because of that, it is beginning to look like R-155 conformance via ISO/SAE 21434 will be an inextricable part of everyone's business life going forward, at least in the European car market.

UNECE R-155 entered into force in January of 2021. However, there are two dates that every automotive CEO should circle on their calendar: July 2022 and July 2024. Those are the dates on which the contracting parties to the 1958 Agreement that apply the regulation (the EU member states among them) begin to require certification of a properly functioning CSMS. R-155 first applies to approvals of new vehicle types (July of 2022). Then, as of July of 2024, it applies to all newly produced vehicles, including existing types. Of course these deadlines could change as the OEMs jockey with the UNECE, and it should also be noted that the mandate binds only the parties that apply the regulation: the EU and a number of non-European parties such as Japan and South Korea, but not the United States, which is not party to the 1958 Agreement. Still, it seems prudent for everybody in the automobile industry to start thinking about ISO/SAE 21434 and R-155 compliance.


A look at the future

Here's what this brave new world looks like. Anybody with a passing knowledge of large governance frameworks understands that implementation requires a complete set of fully operational processes, developed in accordance with the detailed requirements of the given standard. The clauses that must be addressed for the ISO/SAE 21434 standard involve the following:

Clause 5 (Organizational Cybersecurity Management Practices), which entails the creation of the overall governance model for cybersecurity, including the explicit approach and the particular way that a cybersecurity culture, information sharing, and general process compliance audit will be implemented.

Clause 6 (Project Dependent Cybersecurity Management), which covers the management-level risk control activities at the project level. These detail how the cybersecurity plan and the cybersecurity case will be developed, how accountability for specific activities will be assigned, and the rules for tailoring the standard's activities to the various OEM component processes.

Clause 7 (Distributed Cybersecurity Activities), which specifies how responsibilities between customer and supplier are allocated and coordinated, specifically how supplier capability is evaluated and how the division of cybersecurity responsibilities is agreed and documented between the organizations.

Clause 8 (Continual Cybersecurity Activities), which covers all activities for lifecycle risk assessment, including event identification, monitoring and evaluation, and vulnerability analysis/mitigation.

Clause 9 (Concept), which details the activities that produce the cybersecurity requirements for a particular item within the product baseline. That includes item definition, the threat analysis and risk assessment of the item, the derivation of cybersecurity goals, and the cybersecurity concept that allocates those goals to requirements.

Clause 10 (Product Development), which defines the practices for refining cybersecurity requirements into specifications, creating the design, integrating the components, and verifying that the result satisfies the requirements.

Clause 11 (Cybersecurity Validation), which defines the validation activities conducted at the vehicle level to confirm that the cybersecurity goals and claims hold for the item as integrated, including the selection of the testing methods to be applied.

Clause 12 (Production), which specifies the unique cybersecurity-related practices for manufacturing and assembly of an item or component.

Clause 13 (Operations and Maintenance), which specifies the organization's specific practices for incident response, as well as those that will be used to ensure the baseline status of an item or component after it has been maintained or updated.

Clause 14 (End of Cybersecurity Support and Decommissioning), which entails secure disposal practices proposed for the end of support and/or decommissioning of an item or component.

Clause 15 (Threat Analysis and Risk Assessment Methods), which specifies the practical methods to be used for the analysis and assessment of risks in the vehicle ecosystem. That includes defined practices for asset identification, damage scenarios, threat scenarios, impact rating, attack path analysis, attack feasibility rating, risk value determination, and risk treatment decisions.
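To make Clause 15 concrete, here is a small worked threat analysis and risk assessment (TARA) fragment, added for this article and not taken from the standard or from any OEM's process. It rates two constructed threat scenarios by summing attack-potential factors for each attack path, maps the sum to an attack feasibility rating, combines that with the impact rating in a risk matrix, and picks a treatment. The factor point values and feasibility bands follow the informative attack-potential example in ISO/SAE 21434 Annex G as the editor recalls it; the risk matrix, the treatment policy, and the two scenarios are assumptions chosen for illustration and are not the standard's normative tables.

```python
"""Worked TARA fragment in the style of ISO/SAE 21434 Clause 15.

Added illustration, not text from the standard or the article. Factor points and
feasibility bands follow the informative Annex G example (editor's recollection);
the risk matrix, treatment policy and scenarios below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Attack-potential factors: more points means the attack path is harder to realize.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

# ASSUMPTION: illustrative risk matrix (impact rating x feasibility rating -> risk value 1..5).
# The standard leaves the matrix to the organization; this one is the editor's example.
RISK_MATRIX = {
    "Negligible": {"Very low": 1, "Low": 1, "Medium": 1, "High": 1},
    "Moderate":   {"Very low": 1, "Low": 2, "Medium": 2, "High": 3},
    "Major":      {"Very low": 1, "Low": 2, "Medium": 3, "High": 4},
    "Severe":     {"Very low": 2, "Low": 3, "Medium": 4, "High": 5},
}

# ASSUMPTION: an organization's treatment policy keyed on risk value.
TREATMENT_BY_RISK = {1: "retain", 2: "retain", 3: "reduce", 4: "reduce", 5: "avoid"}


@dataclass(frozen=True)
class AttackPath:
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    impact: str  # impact rating of the damage scenario this threat leads to
    paths: tuple[AttackPath, ...]


def attack_potential(path: AttackPath) -> int:
    """Sum the five attack-potential factors; unknown labels are rejected loudly."""
    try:
        return (ELAPSED_TIME[path.elapsed_time] + EXPERTISE[path.expertise]
                + KNOWLEDGE[path.knowledge] + WINDOW[path.window]
                + EQUIPMENT[path.equipment])
    except KeyError as exc:
        raise ValueError(f"unknown attack-potential label: {exc.args[0]!r}") from None


def feasibility_rating(score: int) -> str:
    """Map an attack-potential sum to the four feasibility bands."""
    if score <= 13:
        return "High"
    if score <= 19:
        return "Medium"
    if score <= 24:
        return "Low"
    return "Very low"


def assess(scenario: ThreatScenario) -> dict:
    """Rate one threat scenario. The most feasible path (lowest sum) drives the risk."""
    if scenario.impact not in RISK_MATRIX:
        raise ValueError(f"unknown impact rating: {scenario.impact!r}")
    best = min(attack_potential(p) for p in scenario.paths)
    feasibility = feasibility_rating(best)
    risk = RISK_MATRIX[scenario.impact][feasibility]
    return {"threat": scenario.name, "attack_potential": best, "feasibility": feasibility,
            "risk_value": risk, "treatment": TREATMENT_BY_RISK[risk]}


# Constructed scenarios for illustration only; they describe no real vehicle or flaw.
SCENARIOS = (
    ThreatScenario("Unauthorized door unlock via spoofed diagnostic session on the OBD port", "Major",
                   (AttackPath("<=1 week", "proficient", "restricted", "moderate", "specialized"),)),
    ThreatScenario("Remote code execution on the telematics unit over cellular", "Severe",
                   (AttackPath("<=6 months", "expert", "confidential", "unlimited", "specialized"),
                    AttackPath("<=1 month", "expert", "public", "unlimited", "standard"))),
)


def assess_all(scenarios: tuple[ThreatScenario, ...] = SCENARIOS) -> list[dict]:
    return [assess(s) for s in scenarios]


if __name__ == "__main__":
    for row in assess_all():
        print(f"{row['risk_value']} {row['treatment']:6} {row['feasibility']:8} "
              f"(AP={row['attack_potential']:2}) {row['threat']}")
```

The second scenario is the instructive one: the bespoke-research path scores 34 points (Very low feasibility), but a second path needing only public knowledge and standard equipment scores 10 (High), and it is that cheapest path which sets the risk value for the threat scenario. A TARA that rates only the path the engineers first thought of will understate the risk.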

How will we make this happen?

The obvious question is, "How can we implement this?" The answer is suggested by the way R-155 is written. The regulation names ISO/SAE 21434 as the reference framework for demonstrating due diligence, so an organization that is actually doing what 21434 stipulates has most of the evidence an R-155 assessment asks for. It is not an automatic pass, though: the approval authority still assesses the CSMS itself and the vehicle-type evidence, including how the threats listed in Annex 5 of R-155 were considered and mitigated, so the 21434 work products have to be mapped to those requirements rather than simply filed.

Fortunately, there is precedent, as well as two historical examples of the implementation process. In the past, other big-picture management-system standards, ISO 9001 (Quality Management System, QMS) and ISO/IEC 27001 (Information Security Management System, ISMS), were implemented in the exact same fashion: top down, tailored one clause at a time in a hierarchy. That approach could obviously be used here. The organization would go through the 21434 requirements one clause at a time and document the specific actions it will take to satisfy the outcomes stipulated for each clause of the generic 21434 framework.

There is no ignoring the fact that this process will be expensive and time-consuming. However, in an era when cyberattacks are as prevalent as the common cold, the safety and security of road vehicles is a prominent issue. Therefore, this mandate will be a part of every automotive OEM’s future. Fortunately, the means for accomplishing the task are well-defined and standardized, and the automobile industry has a long history of rising to challenges. Even so, it is safe to assume that the automotive OEM of the future won't be your father's Oldsmobile.
