ISO / SAE 21434
Overview
Christoph Schmittner
INTRO
Scope, Structure
Road Vehicles - Cybersecurity Engineering
ISO / SAE 21434
• Scope:
This document specifies requirements for cybersecurity risk
management for road vehicles, their components and interfaces,
throughout engineering (e.g. concept, design, development),
production, operation, maintenance, and decommissioning.
A framework is defined that includes requirements for cybersecurity
process and a common language for communicating and managing
cybersecurity risk among stakeholders.
This document is applicable to road vehicles that include electrical and
electronic (E/E) systems, their interfaces and their communications.
This document does not prescribe specific technology or solutions
related to cybersecurity.
2017-10-30
STRUCTURE
• 4 Part Groups
  • PG1 Risk Management
  • PG2 Product Development
  • PG3 Operation, Maintenance and other Processes
  • PG4 Process Overview and Interdependencies
• Cross-PG Terms & Definition Group
• Sub-PG Groups for specific topics or clauses
  • Threat Analysis
  • Concept Clause
  • Safety & Security interaction
  • Privacy consideration
• All PGs are developing stand-alone documents, but they could be integrated (number of parts could change)
ISO 21434
Part content overview
ISO / SAE 21434 PG1
• Cybersecurity Scoping
• Asset identification
• Vulnerability Assessment
• Threat Analysis
• Risk analysis
• Risk treatment
• Risk Management framework
• Information sharing
• Cybersecurity Assurance Level
• Asset Impact / CIA Profile
Open Issues:
• Likelihood estimation
ISO / SAE 21434 PG2
• Concept phase
• System development phase
• Software development phase
• Hardware development phase
• Release for production
• Verification & Validation
• System integration and test
ISO / SAE 21434 PG3
Post Production Vehicle Lifecycle
• Production
• Monitoring during Operation
• Incident Handling
• Updates
ISO / SAE 21434 PG4
Bucket List Group
Everything agreed but without a clear position
Process / Organization:
• Cybersecurity management across the organization
• Cybersecurity incident management system
• Management of identified vulnerabilities
• Cybersecurity awareness and competence management
• Interactions between security and functional safety
• Example of a role model regarding cybersecurity
Open Issues:
• Development of a cybersecurity-related element out of context
Project:
• Project-dependent cybersecurity management
• Tailoring of the reference cybersecurity lifecycle
• Cybersecurity planning
• Cybersecurity audit
• Cybersecurity assessment
• Management of residual cybersecurity risk
Distributed Development:
• Evaluation of supplier capability
• Engineering Interface Agreement
THANK YOU!
Christoph Schmittner, 17.10.2017
