Gap analysis of ISO/SAE 21434 – Improving the automotive cybersecurity engineering life cycle
Paper in proceeding, 2023
Due to the ongoing legislative shift towards mandated
cybersecurity for road vehicles, the automotive cybersecurity
engineering standard ISO/SAE 21434 is seeing fast
adoption throughout the industry. Early efforts are focusing on
threat analysis and risk assessment (TARA) in the concept and
development phases, exposing the challenge of managing TARA
results coherently throughout the supply chain and life cycle.
While the industry focuses on TARA, other aspects such as
vulnerability or incident handling are receiving less attention.
However, the increasing threat landscape makes these processes
increasingly important, posing another industry challenge.
In order to better address these two challenges, we analyze
the cybersecurity engineering framework of ISO/SAE 21434
for gaps or deficiencies regarding TARA management and
vulnerability and incident handling, as well as similar processes
for incident handling in IT security. The result is a proposal
for modifications and augmentations of the ISO/SAE 21434
cybersecurity engineering framework. In particular, we propose
a TARA management process to facilitate the coordination and
information exchange between different systems and life cycle
phases, and we propose improvements to the vulnerability and
incident handling processes in ISO/SAE 21434 so that they are
more aligned with established standards. This amounts to 13
new terminology definitions, 4 new process steps, 2 modified
process steps and 1 entirely new process.
cybersecurity for road vehicles, the automotive cybersecurity
engineering standard ISO/SAE 21434 is seeing fast
adoption throughout the industry. Early efforts are focusing on
threat analysis and risk assessment (TARA) in the concept and
development phases, exposing the challenge of managing TARA
results coherently throughout the supply chain and life cycle.
While the industry focuses on TARA, other aspects such as
vulnerability or incident handling are receiving less attention.
However, the increasing threat landscape makes these processes
increasingly important, posing another industry challenge.
In order to better address these two challenges, we analyze
the cybersecurity engineering framework of ISO/SAE 21434
for gaps or deficiencies regarding TARA management and
vulnerability and incident handling, as well as similar processes
for incident handling in IT security. The result is a proposal
for modifications and augmentations of the ISO/SAE 21434
cybersecurity engineering framework. In particular, we propose
a TARA management process to facilitate the coordination and
information exchange between different systems and life cycle
phases, and we propose improvements to the vulnerability and
incident handling processes in ISO/SAE 21434 so that they are
more aligned with established standards. This amounts to 13
new terminology definitions, 4 new process steps, 2 modified
process steps and 1 entirely new process.
ISO/SAE 21434
automotive cybersecurity engineering
Author
Daniel Grimm
Karlsruhe Institute of Technology (KIT)
Aljoscha Lautenbach
Network and Systems
Magnus Almgren
Network and Systems
Tomas Olovsson
Network and Systems
Eric Sax
Karlsruhe Institute of Technology (KIT)
IEEE Conference on Intelligent Transportation Systems, Proceedings, ITSC
21530009 (ISSN) 21530017 (eISSN)
1904-1911979-8-3503-9946-2 (ISBN)
26th IEEE International Conference on Intelligent Transportation Systems, ITSC 2023
Bilbao, Spain,
Bilbao, Spain,
RICS2: Resilient Information and Control Systems
Swedish Civil Contingencies Agency, 2021-01-01 -- 2023-12-31.
RIOT: Resilient Internet of Things
Swedish Civil Contingencies Agency (MSB2018-12526), 2019-01-01 -- 2023-12-31.
Cyber Resilience for Vehicles - Cybersecurity for automotive systems in a changing environment (CyReV phase 2)
VINNOVA (2019-03071), 2019-01-10 -- 2022-03-31.
Areas of Advance
Information and Communication Technology
Transport
Subject Categories
Computer Systems
DOI
10.1109/ITSC57777.2023.10422100