The modern vehicle comes equipped with a variety of software systems. Especially features that connect it to the outside world, such as online updates, fleet management and communication between vehicles offer attack surface. The security of automotive software is crucial, not only because bug-induced call-backs are costly, but also because the well-being of passengers depends on it.
To keep up with the increasing complexity in modern vehicles, the ISO/SAE 21434 standard is going to set forth a new framework for secure software development in the automotive sector, starting in early 2021. In this article, we will give you an overview of everything you need to know to comply with the new standard.
The Cheat Sheet with 6 tips that will help you comply with ISO 21434 can be found at the end of this article.
ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” has been co-developed by the International Standard of Organization (ISO) and the Society of Automotive Engineers (SAE) for the past two years. It will soon be introduced to provide a holistic guideline for secure automotive software development.
The standard covers all software devices within the vehicle, as well as connectivity to external systems. Since existing norms and standards were developed in a time when vehicles did not depend on software too heavily, they do not place too much value on its security.
ISO 21434 offers an approach that prioritizes security throughout the entire lifecycle of a vehicle. This means that car manufacturers, but also OEMs will need to display due diligence when it comes to the security of their software.
ISO 21434 will be implemented with several goals in mind. These are the most important ones:
The main challenge in reaching these goals is that all processes, management systems and vehicle requirements, concern the entire lifecycle of the vehicles. Implementing the new standard will call for a high degree of communication across the entire supply chain.
In software development, there is a distinction between “safety“ and “security“. Safe software describes a system that is generally free of defects or crashes - or simply put “does not fail”. Secure software means that a system is immune to external interference or ungranted access.
In automotive systems such as for example lane-assist or automatic brake systems, safety obviously plays a crucial role, as a defect in these programs can be fatal. Due to the increase in connectivity platforms in modern vehicles however, the importance of security is increasing rapidly.
The famous Jeep case has shown, that exactly these platforms can serve as entry points for hackers to gain control over the entire vehicle. It goes without saying that this needs to be prevented at all costs. This is where ISO 21434 comes into play.
ISO 21434 is not the first standard, that recommends fuzzing. The list above shows some of the recently published standards that recommend feedback-based fuzzing and DevSecOps to improve software security. The reason for this popularity of fuzz-testing among vehicle manufacturers and OEMs is that it perfectly fits their demands:
As mentioned above, there is no room for errors in automotive software. Feedback-based fuzzing allows for accurate bug detection without the disadvantage of time-consuming false-positives. It is a highly automated “shift-left” approach, that paves the way for a decentralized testing culture.
Due to its wide field of application, feedback-based fuzzing can be implemented at different steps of the software development lifecycle, making it the most attractive solution for vehicle manufacturers and OEMs.
If you are interested in finding out how exactly we used feedback-based fuzzing to find bugs in automotive software, catch up on the recordings of our recent webinar “Modern Fuzzing for Automotive Software”. In this webinar we will walk you through a fuzzing process from start to finish and provide you with technical details.
ISO 21434 offers a great opportunity for vehicle manufacturers and OEMs to keep up with the latest developments in automotive software security. Although sustainable testing procedures such as feedback-based fuzzing are one of the key elements for ISO 21434 compliance, security measures should also be regarded in other areas. We have put together a free Cheat Sheet with 6 tips that will help you on your road to ISO 21434 compliance.
On December 2nd, Code Intelligence hosted FuzzCon Automotive Edition an online event for developers and IT-security professionals from the automotive industry, who want to learn more about the latest trends in application security. You can now check out the recordings of each individual talk, as well as the corresponding slides.