Gap analysis of ISO/SAE 21434 – Improving the automotive cybersecurity engineering life cycle
Paper i proceeding, 2023
Due to the ongoing legislative shift towards mandated cybersecurity for road vehicles, the automotive cybersecurity engineering standard ISO/SAE 21434 is seeing fast adoption throughout the industry. Early efforts are focusing on threat analysis and risk assessment (TARA) in the concept and development phases, exposing the challenge of managing TARA results coherently throughout the supply chain and life cycle.
While the industry focuses on TARA, other aspects such as vulnerability or incident handling are receiving less attention. However, the increasing threat landscape makes these processes increasingly important, posing another industry challenge.
In order to better address these two challenges, we analyze the cybersecurity engineering framework of ISO/SAE 21434 for gaps or deficiencies regarding TARA management and vulnerability and incident handling, as well as similar processes for incident handling in IT security. The result is a proposal for modifications and augmentations of the ISO/SAE 21434 cybersecurity engineering framework. In particular, we propose a TARA management process to facilitate the coordination and information exchange between different systems and life cycle phases, and we propose improvements to the vulnerability and incident handling processes in ISO/SAE 21434 so that they are more aligned with established standards. This amounts to 13
new terminology definitions, 4 new process steps, 2 modified process steps and 1 entirely new process.
While the industry focuses on TARA, other aspects such as vulnerability or incident handling are receiving less attention. However, the increasing threat landscape makes these processes increasingly important, posing another industry challenge.
In order to better address these two challenges, we analyze the cybersecurity engineering framework of ISO/SAE 21434 for gaps or deficiencies regarding TARA management and vulnerability and incident handling, as well as similar processes for incident handling in IT security. The result is a proposal for modifications and augmentations of the ISO/SAE 21434 cybersecurity engineering framework. In particular, we propose a TARA management process to facilitate the coordination and information exchange between different systems and life cycle phases, and we propose improvements to the vulnerability and incident handling processes in ISO/SAE 21434 so that they are more aligned with established standards. This amounts to 13
new terminology definitions, 4 new process steps, 2 modified process steps and 1 entirely new process.
automotive cybersecurity engineering
ISO/SAE 21434
Författare
Daniel Grimm
Karlsruher Institut für Technologie (KIT)
Aljoscha Lautenbach
Nätverk och System
Magnus Almgren
Nätverk och System
Tomas Olovsson
Nätverk och System
Eric Sax
Karlsruher Institut für Technologie (KIT)
IEEE Conference on Intelligent Transportation Systems, Proceedings, ITSC
21530009 (ISSN) 21530017 (eISSN)
1904-1911979-8-3503-9946-2 (ISBN)
26th IEEE International Conference on Intelligent Transportation Systems, ITSC 2023
Bilbao, Spain,
Bilbao, Spain,
RICS2: Säkra IT-system för drift och övervakning av samhällskritisk infrastruktur
Myndigheten för samhällsskydd och beredskap, 2021-01-01 -- 2023-12-31.
Datasäkerhet för fordonssystem i en föränderlig miljö (CyReV fas 2)
VINNOVA (2019-03071), 2019-01-10 -- 2022-03-31.
RIOT: Ett resilient sakernas internet
Myndigheten för samhällsskydd och beredskap (MSB2018-12526), 2019-01-01 -- 2023-12-31.
Styrkeområden
Informations- och kommunikationsteknik
Transport
Ämneskategorier (SSIF 2025)
Säkerhet, integritet och kryptologi
Ämneskategorier (SSIF 2011)
Datorsystem
DOI
10.1109/ITSC57777.2023.10422100