
Automotive Software: 6 Tips to Comply with ISO 21434 (Cheat Sheet)

October 8 2020 | 5 min

The modern vehicle comes equipped with a variety of software systems. In particular, features that connect it to the outside world, such as online updates, fleet management and communication between vehicles, offer attack surface. The security of automotive software is crucial, not only because bug-induced recalls are costly, but also because the well-being of passengers depends on it.

To keep up with the increasing complexity of modern vehicles, the ISO/SAE 21434 standard is going to set forth a new framework for secure software development in the automotive sector, starting in early 2021. In this article, we give you an overview of everything you need to know to comply with the new standard.

 


The Cheat Sheet with 6 tips that will help you comply with ISO 21434 can be found at the end of this article.

What Is ISO 21434? 

ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” has been under joint development by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) for the past two years. It will soon be introduced to provide a holistic guideline for secure automotive software development. The standard covers all software devices within the vehicle, as well as connectivity to external systems. Since existing norms and standards were developed at a time when vehicles did not depend heavily on software, they place little emphasis on its security. ISO 21434 offers an approach that prioritizes security throughout the entire lifecycle of a vehicle. This means that not only car manufacturers but also OEMs will need to demonstrate due diligence when it comes to the security of their software.

 

Goals

ISO 21434 will be implemented with several goals in mind. These are the most important ones:

  • Creating a standardized terminology for software security within the automotive landscape
  • Defining minimal requirements for software security engineering
  • Improving collaboration within the automotive value chain
  • Becoming the new security benchmark
  • Incorporating security early on in the development lifecycle
  • Establishing a security culture

The main challenge in reaching these goals is that all processes, management systems and vehicle requirements concern the entire lifecycle of the vehicle. Implementing the new standard will call for a high degree of communication across the entire supply chain.

 

Software Security vs Software Safety

In software development, there is a distinction between “safety” and “security”. Safe software describes a system that is generally free of defects or crashes, or simply put, “does not fail”. Secure software means that a system is immune to external interference or unauthorized access. In automotive systems such as lane-assist or automatic brake systems, safety obviously plays a crucial role, as a defect in these programs can be fatal. Due to the increase in connectivity platforms in modern vehicles, however, the importance of security is increasing rapidly. The famous Jeep case has shown that exactly these platforms can serve as entry points for hackers to gain control over the entire vehicle. It goes without saying that this needs to be prevented at all costs. This is where ISO 21434 comes into play.

 

Standards with fuzzing as a recommended testing method

  • ISO 26262 - Road vehicles – Functional safety
  • ISA/IEC 62443-4-1 - Secure product development lifecycle requirements
  • ISO/SAE 21434 - Road vehicles – Cybersecurity engineering

Standards benefiting from fuzzing (e.g. pentesting required)

  • ISO/IEC/IEEE 29119 - Software and systems engineering - Software testing
  • ISO/IEC 12207 - Systems and software engineering
  • ISO 27001 - Information technology – Security techniques
  • ISO 22301 - Security and resilience
  • IT-Grundschutz (Germany) - Based on ISO 27001
  • and others

 

What Role Does Fuzzing Play in ISO 21434 Compliance?

ISO 21434 is not the first standard that recommends fuzzing. The list above shows some of the recently published standards that recommend feedback-based fuzzing and DevSecOps to improve software security. The reason for the popularity of fuzz testing among vehicle manufacturers and OEMs is that it perfectly fits their demands:

As mentioned above, there is no room for errors in automotive software. Feedback-based fuzzing allows for accurate bug detection without the disadvantage of time-consuming false positives. It is a highly automated “shift-left” approach that paves the way for a decentralized testing culture. Due to its wide field of application, feedback-based fuzzing can be implemented at different steps of the software development lifecycle, making it the most attractive solution for vehicle manufacturers and OEMs.

If you are interested in finding out exactly how we used feedback-based fuzzing to find bugs in automotive software, catch up on the recordings of our recent webinar “Modern Fuzzing for Automotive Software”. In this webinar, we walk you through a fuzzing process from start to finish and provide you with technical details.

 

Complying with ISO 21434

ISO 21434 offers a great opportunity for vehicle manufacturers and OEMs to keep up with the latest developments in automotive software security. Although sustainable testing procedures such as feedback-based fuzzing are one of the key elements for ISO 21434 compliance, security measures should also be considered in other areas. We have put together a free Cheat Sheet with 6 tips that will help you on your road to ISO 21434 compliance.
