Joint Standardization Project ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Joint Standardization Project ISO/SAE 21434
Road Vehicles – Cybersecurity Engineering
AgendaISO/SAE Joint Standard on Road Vehicles – Cybersecurity Engineering
1. Background
2. Setup of project and Joint Working Group
3. Scope, contents and structure
Seite 2Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
AgendaISO/SAE Joint Standard on Road Vehicles – Cybersecurity Engineering
1. Background
2. Setup of project and Joint Working Group
3. Scope, contents and structure
Seite 3Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Why another security standard?
• Automotive Industry identified the need to establish an International Standard• on cybersecurity engineering • suitable for automotive industry • with a risk-based approach
• Regulatory bodies (e.g. UNECE) are preparing legal requirements on Vehicle Cybersecurity
Seite 4Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
§
Goals of the standard
The standard shall describe the state-of-the-art
of cybersecurity engineering in automotive e/e development
Seite 5Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
state-of-the-artestablished and accepted
in the industry and proven in use
The standard shall provide a consistent
terminology for cybersecurity engineering
The standard shall specify minimum requirements on the
cybersecurity engineering processes and central activities
The standard shall support and enhance collaboration in the
industry
AgendaISO/SAE Joint Standard on Road Vehicles – Cybersecurity Engineering
1. Background
2. Setup of project and Joint Working Group
3. Scope, contents and structure
Seite 6Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
First Joint ISO/SAE Project under PSDO agreementEstablishing a standard in both organizations
ISO/SAE Joint Working Group (JWG) Road Vehicles – Cybersecurity Engineering
Seite 7Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
• ISO TC22 and SAE selected Cybersecurity Engineering as joint project under PSDO agreement
• for joint standard: drafts have to pass approval processes of both ISO and SAE
• ISO/SAE Joint Working Groups (JWG) consists of experts from both organizations
• JWG selects contents and drafts standard texts
• JWG co-convenors and co-secretaries:
• SAE: Lisa Boran (Ford) and Tim Weisenberger (SAE)
• ISO: Gido Scharfenberger-Fabian (Carmeq/VW) and Stephan Krähnert (VDA/DIN)
Challenge to achieve consensusThe ISO way, the SAE way and the JWG way
Seite 8Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
• SAE: lean process, focusing on expert group consensus
• ISO: broad, formal process, aiming at global (industry) consensus
• JWG: trying for the best of both worlds, while satisfying all requirements
ISO project stages
Joint ISO – SAE Standard guarantees the worldwide best achievable coverage!
Consensus building on international levelComposition of the JWG
Seite 9Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Road Vehicles – Cybersecurity EngineeringGlobal participation in the joint ISO/SAE project
Seite 10
13 Countries involved:
• Austria• Belgium• China• Germany• Israel• Italy• Japan• Korea• Netherlands• Spain• Sweden• United Kingdom• United States
Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Sou
rce:
pow
erpo
ints
lides
.net
Road Vehicles – Cybersecurity EngineeringISO/SAE 21434 – current timeline
Seite 11Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Structure of the Joint Working Group and its Project Groups
ISO/SAE Joint Working Group Road Vehicles – Cybersecurity Engineering
PG 1 Risk Management
(mainly risk assessment methodology)
PG 2 Product Development
(ends at product release)
PG 3 Operations and
Maintenance
(post product release)
PG 4 Overview and
Interdependencies(planning and
management activities)
Seite 12Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
• JWG assigns topics to PGs• PGs discuss details and draft contents
AgendaISO/SAE Joint Standard on Road Vehicles – Cybersecurity Engineering
1. Background
2. Setup of project and Joint Working Group
3. Scope, contents and structure
Seite 13Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Road Vehicles – Cybersecurity EngineeringScope
• Requirements w.r.t. product cybersecurity engineering activities• Cybersecurity risk management throughout engineering, production,
operations and maintenance• Applicable to road vehicles, E/E systems, interfaces• Common language for communicating among stakeholders• Reference cybersecurity process framework
• NOT: prescription of specific technology, solutions or tools related to cybersecurity
Seite 14Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Structure overviewOne single part covering all topics
Seite 15Joint Standardization ISO/SAE 21434Road Vehicles – Cybersecurity Engineering
methodology for risk analysis and assessment
general management activities
cybersecurity management in concept and development
cybersecurity management in product lifecycle
concept development monitoring and incidents handling
general considerations, supporting processes, examples, informative annexes, etc.
Selected discussion topics Within and among Project Groups
Seite 16
PG 4 Overview and
Interdependencies
PG 2 Product
Development
PG 1 Risk
Management
PG 3 Operations and
Maintenance
Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
• Terms and Definitions for Cybersecurity Risk Management and Engineering
• Methodology for risk assessment
• Alignment of process models
Selected discussion topics Within and among Project Groups
Seite 17
PG 4 Overview and
Interdependencies
PG 2 Product
Development
PG 1 Risk
Management
PG 3 Operations and
Maintenance
Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
• Communication and interfaces between organizations (diverse modes of collaboration)
• Requirements vs. guidelines
• Level of detail and prescriptiveness
• Self-containedness: Security vs. general quality aspects
Interaction of Risk Management and Engineering Tentative diagram
Seite 18Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Development
Validation
Rollout / Production
Maintenance /Monitoring
Cybersecurity Risk
Management
SOPConcept
Events /Incidents
VulnerabilityHandling /
IncidentResponse
Scrapping / Decommisioning
Outreach and interaction
• Liaison with UNECE WP29 – IWG AD/ITS – TF CS/OTA• Prepared rules for vehicle cybersecurity potentially relevant for type approval
• Liaison with ISO/IEC JTC1/SC27 (IT – IT security techniques)• Development of 27xxx standards series, Common Criteria ISO 15408 and further
standards of relevance to our project
• Liaison with ISO/TC22/SC31 (Road vehicles –Data communication)• Development of several automotive standards that include cybersecurity mechanisms
specifications
• Exchange with NHTSASeite 19Joint Standardization ISO/SAE 21434
Road Vehicles – Cybersecurity Engineering
Summary
• Road vehicles – Cybersecurity engineering is the first joint standardization project of ISO and SAE and has started in October 2016
• The ISO/SAE Joint Working Group has established four Project Groups for technical discussions and drafts generation• Risk Management
• Development Process
• Operations and Maintenance
• Overview and Interdependencies (incl. Cybersecurity Management)
• Scheduled publication of the joint standard: end of 2020
Seite 20Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
Thank you for your attention
Joint Standardization ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering