Sergej Dechand 6 min read

Automotive Software: 6 Tips to Comply With ISO 21434

The modern vehicle comes equipped with a variety of software systems. In particular, features that connect it to the outside world, such as online updates, fleet management and communication between vehicles, offer an attack surface. The security of automotive software is crucial, not only because bug-induced recalls are costly, but also because the well-being of passengers depends on it.

To keep up with the increasing complexity in modern vehicles, the ISO/SAE 21434 standard is going to set forth a new framework for secure software development in the automotive sector. In this article, we will give you an overview of everything you need to know to comply with the new standard.

Cheat sheet: 6 tips that will help you to comply with ISO 21434 [PDF]

What Is ISO 21434?

ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” has been under development by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) for the past two years. It will soon be introduced to provide a holistic guideline for secure automotive software development.

The ISO standard covers all software devices within the vehicle, as well as connectivity to external systems. Since existing norms and standards were developed in a time when vehicles did not depend on software too heavily, they do not place too much value on its security.

ISO 21434 offers an approach that prioritizes security throughout the entire lifecycle of a vehicle. This means that not only car manufacturers but also OEMs will need to demonstrate due diligence when it comes to the security of their software.

Goals

ISO 21434 will be implemented with several goals in mind. These are the most important ones:

  • Creating a standardized terminology for software security within the automotive landscape
  • Defining minimal requirements for software security engineering
  • Improving collaboration within the automotive value chain
  • Becoming the new security benchmark
  • Incorporating security early on in the development lifecycle
  • Establishing a security culture

The main challenge in reaching these goals is that all processes, management systems and vehicle requirements concern the entire lifecycle of the vehicles. Implementing the new standard will call for a high degree of communication across the entire supply chain.

Software Security vs Software Safety

In software development, there is a distinction between "safety" and "security". Safe software describes a system that is generally free of defects or crashes, or simply put, one that "does not fail". Secure software means that a system is immune to external interference or unauthorized access.

In automotive systems such as lane-assist or automatic brake systems, safety obviously plays a crucial role, as a defect in these programs can be fatal. Due to the increase in connectivity platforms in modern vehicles, however, the importance of security is increasing rapidly.

The famous Jeep case has shown that exactly these platforms can serve as entry points for hackers to gain control over the entire vehicle. It goes without saying that this needs to be prevented at all costs. This is where ISO 21434 comes into play.

What Standards and ISO Norms Recommend Fuzzing?

Which Role Does Fuzzing Play in ISO 21434 Compliance?

ISO 21434 is not the first standard that recommends fuzzing. The list above shows some of the recently published standards that recommend feedback-based fuzzing and DevSecOps to improve software security. The reason for this popularity of fuzz testing among vehicle manufacturers and OEMs is that it perfectly fits their demands:

As mentioned above, there is no room for errors in automotive software. Feedback-based fuzzing allows for accurate bug detection without the disadvantage of time-consuming false positives. It is a highly automated "shift-left" approach that paves the way for a decentralized testing culture.

Due to its wide field of application, feedback-based fuzzing can be implemented at different steps of the software development lifecycle, making it the most attractive solution for vehicle manufacturers and OEMs.

If you are interested in finding out how exactly we used feedback-based fuzzing to find bugs in automotive software, catch up on the recordings of our recent webinar "Modern Fuzzing for Automotive Software". In this webinar, we will walk you through a fuzzing process from start to finish and provide you with technical details.

Complying With ISO 21434

ISO 21434 offers a great opportunity for vehicle manufacturers and OEMs to keep up with the latest developments in automotive software security. Although sustainable testing procedures such as feedback-based fuzzing are among the key elements of ISO 21434 compliance, security measures should also be considered in other areas. That's why we have put together a free cheat sheet with 6 tips that will help you on your road to ISO 21434 compliance.

The cheat sheet contains an executive summary of ISO 21434, best practices and a guide on how to improve software security in the automotive domain.
