What is ISO 21434?
ISO/SAE 21434 is the international standard for Cybersecurity in the automotive sector, specifically focused on electrical and electronic systems in vehicles. The standard describes processes, requirements and measures for making vehicles cyber-resilient throughout the entire lifecycle — from concept through to decommissioning.
ISO 21434 is complementary to ISO 26262 (functional safety) but focuses on intentional attacks rather than unintended faults.
🧠 Why is ISO 21434 important?
Modern vehicles contain:
- An ever-increasing number of software-driven systems
- External interfaces: WiFi, Bluetooth, V2X, OTA updates
- Electronics that operate as part of critical functions (e.g. steering, braking, ADAS)
This makes vehicles vulnerable to cyberattacks such as man-in-the-middle, spoofing or injection via the CAN bus.
🧱 Structure of ISO 21434
| Part | Topic |
|---|---|
| Part 1–2 | Introduction, definitions |
| Part 3–4 | Cybersecurity management |
| Part 5–7 | Concept phase and risk analysis (Threat Analysis & Risk Assessment – TARA) |
| Part 8–11 | Design, implementation, verification and validation |
| Part 12–15 | Production, operational phase, maintenance, decommissioning |
| Annexes | Examples of processes, threats, control measures |
🔐 Key concepts
| Term | Meaning |
|---|---|
| TARA | Threat Analysis and Risk Assessment (core of ISO 21434) |
| Cybersecurity Goals | What needs to be protected (assets, interfaces, functions) |
| Cybersecurity Claims | What the system does to deliver this |
| Attack Path | The route an attacker may take |
| Risk Value | Determination of threat impact and likelihood |
🚗 Examples of risks in vehicles
| Component | Possible attack | Impact |
|---|---|---|
| Infotainment system | Malware via USB or Bluetooth | Access to the CAN bus |
| Over-the-air updates | Spoofed server or fake firmware | Remote code execution |
| Keyless entry | Replay attack, signal relaying | Vehicle theft |
| V2X communication | Spoofed signal, DoS attack | Traffic manipulation |
✅ Best practices in line with ISO 21434
- Apply secure-by-design principles from the outset
- Document risks using the TARA methodology
- Define cybersecurity controls (e.g. encryption, authentication, monitoring)
- Periodically reassess on software updates (OTA)
- Maintain an incident response plan for vulnerability reports
🧩 Linkage with other standards
| Standard | Relation |
|---|---|
| ISO 26262 | Functional safety; focuses on unintended faults |
| UNECE R155 | Regulation on cybersecurity in vehicles; ISO 21434 is required |
| ISO 21448 (SOTIF) | Safety of the Intended Functionality – addresses non-fault-related risks |
| IEC 62443 | Industrial cybersecurity – partially comparable in approach |
📌 In summary
ISO 21434 is the Cybersecurity standard for modern vehicles, focused on systematically identifying and managing digital threats. The standard sets requirements for design, management, maintenance and response to vulnerabilities.