Skip to content
Sergej Dechand5 min read

The Role of Cybersecurity Assurance Levels in ISO 21434

The automotive industry constantly evolves, particularly in software development. From electronic control units and hardware security modules to advanced driver-assistance systems (ADAS), the complexity and functionality of automotive software have increased exponentially. This has opened new frontiers in efficiency, safety, and user experience but also introduced significant security threats. In light of these threats, ISO/SAE 21434 addresses the unique challenges of automotive software security by providing a much-needed framework in an era where vehicles offer more attack surface than ever before.

Integral to ISO 21434 are Cybersecurity Assurance Levels (CALs), which provide a structured approach to classify and communicate the required rigor for automotive cybersecurity measures. In this article, we will discuss the role of Cybersecurity Assurance Levels (CALs) as outlined in ISO/SAE 21434 and explore their role in automotive cybersecurity.

 how cybersecurity assurance levels (CALS) work in ISO 21434


ISO 21434 Cybersecurity Assurance Levels (CALs) Explained

The main aim of ISO 21434 is to regulate the cybersecurity of automotive software systems. The standard addresses vulnerabilities that attackers could exploit to disrupt vehicle functionality or compromise driver safety. Cybersecurity assurance levels (CALs) represent a categorization framework within ISO 21434 and other automotive ISO standards. CALs specify the criteria required to maintain security throughout each stage of a product's lifecycle. They span four tiers, from Level 1, denoting the least criticality, to Level 4, signifying the highest.

A CAL is established based on factors expected to remain stable over the lifecycle of a vehicle component, such as the assets involved and their associated risks, before considering cybersecurity controls. A good example is a vehicle's infotainment system. It is a critical component that accesses sensitive user data and might therefore be assigned a higher CAL. This implies more stringent cybersecurity measures and rigorous testing to ensure security.

Hence, the assignment of CALs during the concept phase determines the rigor of subsequent software testing activities. Each cybersecurity goal inherits a CAL, guiding the development and testing methods. This approach ensures sufficient cybersecurity measures, especially for components integral to the vehicle's overall cybersecurity. 

Cyber Security Assurance Levels vs Risk Values

Cybersecurity Assurance Levels and risk values are similar in nature, as they both serve to standardize security measures. However, one cannot be directly derived from the other. Compared to CALs, risk values are dynamic. Risk values fluctuate based on several factors, such as evolving requirements, models, and working conditions of a unit. The determination of risk values depends on the likelihood of potential security incidents. Meanwhile, Cybersecurity Assurance Levels represent a consistent level of assurance, constant over time. They are determined based on the overall security-criticality of the component in question.

Utilizing Cybersecurity Assurance Levels for Robust Risk Assessment

Under ISO 21434, CALs are pivotal in risk assessment and risk management. As explicitly as possible, CALs define security objectives and metrics. Manufacturers use these security objectives and metrics to assess and address vulnerabilities within vehicle systems.

Beyond risk mitigation, CALs foster cross-functional collaboration within an organization, allowing teams to set clear goals for securing automotive systems before deployment. They enable clear and coherent communication of cybersecurity goals. As a result, various departments of an organization, suppliers, and external partners align more effectively around these goals. This alignment results in a unified and robust approach to cybersecurity across the automotive industry's complex supply chains.

The Role of Fuzzing in ISO 21434

As briefly explained above, ISO 21434 recommends fuzz testing, or fuzzing for components rated CAL 2 or higher. For components with a CAL of 3 or 4, the standard even recommends advanced fuzz testing using adaptive input selection.

1200x627_text_2Learn more by downloading the free white paper "How fuzz testing helps automotive companies comply with ISO/SAE 21434."
Inside the white paper, you'll discover:

  • The specifics of cybersecurity validation and verification requirements.
  • How suppliers and OEMs comply with ISO.
  • The benefits of source code fuzz testing, aka white-box fuzzing.

Modern fuzzing is one of the most effective testing methods for identifying hidden vulnerabilities and weaknesses in software. Fuzzing allows for continuous testing throughout the development process, allowing dev teams to easily find and fix issues long before pentesting. While rudimentary fuzz testing tools generate test inputs at random or based on predefined values, advanced fuzzing technology leverages self-learning AI to improve test inputs continuously with each feedback loop. For maximum results, advanced fuzz testing can be implemented into CI/CD pipelines for automated tests at each code change.

As vehicles become increasingly connected and reliant on complex software, ISO 21434 remains indispensable in directing manufacturers and suppliers to adhere to secure practices. Autonomous driving, EVs, and interconnected vehicles aren't passing fads. These trends are elevating the reliance of automotive software systems on effective software security measures. The industry can anticipate more rigorous cybersecurity requirements, reflecting the escalating complexity and scope of potential cyber threats. This evolution will need continuous adaptation and innovative strategies for ensuring automotive cybersecurity. 

At Code Intelligence,  we provide software testing solutions that enable ISO 21434 compliance while accelerating development and reducing testing overhead. To align with ISO 21434’s requirements, Code Intelligence provides a platform for automated fuzz testing throughout the automotive software development process. This meets the fuzzing recommendations for components rated CAL 2 and above and enables continuous and automated reporting, including a full auditing trail. Book a demo to learn about the scalable way to achieve ISO 21434 compliance.

Book a Demo


What are the steps to determine the appropriate CAL for a component?

To determine a CAL, assess the component's risk profile based on its functionality, exposure to threats, and potential impact of a breach. Then, choose a CAL that aligns with this risk level and the manufacturer's overall cybersecurity strategy.

How often should CALs be reviewed or updated?

CALs should be reviewed regularly, especially when there are significant changes in the threat landscape, technology, or operational environment. An annual review is a common practice, but some situations may warrant more frequent assessments.


Related Articles