The modern vehicle comes equipped with a variety of software systems. Especially features that connect it to the outside world, such as online updates, fleet management and communication between vehicles, offer attack surface. The security of automotive software is crucial, not only because bug-induced call-backs are costly but also because the well-being of passengers depends on it.
To keep up with the increasing complexity in modern vehicles, the ISO/SAE 21434 standard is going to set forth a new framework for secure software development in the automotive sector. In this article, we will give you an overview of everything you need to know to comply with the new standard.
Fact sheet: 6 tips that will help you to comply with ISO 21434 [PDF]
What Is ISO 21434?
ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” has been developed by the International Standard of Organization (ISO) and the Society of Automotive Engineers (SAE) for the past two years. It will soon be introduced to provide a holistic guideline for secure automotive software development.
The ISO standard covers all software devices within the vehicle, as well as connectivity to external systems. Since existing norms and standards were developed in a time when vehicles did not depend on software too heavily, they do not place too much value on its security.
ISO 21434 offers an approach that prioritizes security throughout the entire lifecycle of a vehicle. This means those car manufacturers, but also OEMs will need to display due diligence when it comes to the security of their software.
Goals of ISO 21434
ISO 21434 will be implemented with several goals in mind. These are the most important ones:
- Creating a standardized terminology for software security within the automotive landscape
- Defining minimal requirements for software security engineering
- Improving collaboration within the automotive value chain
- Becoming the new security benchmark
- Incorporating security early on in the development lifecycle
- Establishing a security culture
The main challenge in reaching these goals is that all processes, management systems, and vehicle requirements, concern the entire lifecycle of the vehicles. Implementing the new standard will call for a high degree of communication across the entire supply chain.
Software Security vs Software Safety
In embedded software development, there is a distinction between "safety" and "security". Safe software describes a system that is generally free of defects or crashes - or simply put "does not fail". Secure software means that a system is immune to external interference or ungranted access.
In automotive systems such as for example lane-assist or automatic brake systems, safety obviously plays a crucial role, as a defect in these programs can be fatal. Due to the increase in connectivity platforms in modern vehicles, however, the importance of security is increasing rapidly.
The famous Jeep case has shown, that exactly these platforms can serve as entry points for hackers to gain control over the entire vehicle. It goes without saying that this needs to be prevented at all costs. This is where ISO 21434 comes into play.
What Standards and ISO Norms Recommend Fuzzing?
- ISO 26262: Road vehicles – Functional Safety
- UNECE WP.29: United Nations World Forum for Harmonization of Vehicle Regulations
- ISA/IEC 62443-4-1: Secure Product Development Lifecycle Requirements
- ISO/SAE DIS 21434: Road Vehicles — Cybersecurity Engineering
- UL2900-1 and UL2900-2-1: Healthcare and Wellness Systems - Software Cybersecurity for Network-Connectable Products
- ISO/IEC/IEEE 29119: Software and Systems Engineering - Software Testing
- ISO/IEC 12207: Systems and Software Engineering – Software Life Cycle Processes
- ISO 27001: Information Technology – Security Techniques – Information Security Management Systems
- ISO 22301: Security and Resilience — Business Continuity Management Systems
- IT-Grundschutz (Germany): Based on ISO 27001
- and others
Which Role Does Fuzzing Play in ISO 21434 Compliance?
ISO 21434 is not the first standard, that recommends fuzzing. The list above shows some of the recently published standards that recommend feedback-based fuzzing and DevSecOps to improve software security. The reason for the popularity of fuzz testing among vehicle manufacturers and OEMs is that it perfectly fits their demands:
As mentioned above, there is no room for errors in automotive software. Feedback-based fuzzing allows for accurate bug detection without the disadvantage of time-consuming false positives. It is a highly automated "shift-left" approach, that paves the way for a decentralized testing culture.
Due to its wide field of application, feedback-based fuzzing can be implemented at different steps of the software development lifecycle, making it the most attractive solution for vehicle manufacturers and OEMs.
If you are interested in finding out how exactly we used feedback-based fuzzing to find bugs in automotive software, catch up on the recordings of our recent webinar "Modern Fuzzing for Automotive Software". In this webinar, we will walk you through a fuzzing process from start to finish and provide you with technical details.
Complying With ISO 21434's Testing Requirements
ISO 21434 offers a great opportunity for vehicle manufacturers and OEMs to keep up with the latest developments in automotive software security. Although sustainable application security testing procedures such as fuzzing are essential to comply with ISO 21434, implementing such measures adds value beyond compliance. Done right, automated fuzzing enables accelerated software development while ensuring robust code and automating reporting trails. If you want to learn more about how Code Intelligence's platform for CI/CD-integrated fuzz testing simplifies ISO 21434 compliance while accelerating development, you can now book a demo with one of our colleagues.