Gap Analysis of ISO/SAE 21434 – Improving the Automotive Cybersecurity Engineering Life Cycle Article Swipe

View

Related Concepts

Automotive industry Computer science Computer security Engineering Aeronautics Aerospace engineering

Daniel Grimm , Aljoscha Lautenbach , Magnus Almgren , Tomas Olovsson , Eric Sax ·

YOU? · · 2023 · Open Access · · DOI: https://doi.org/10.1109/itsc57777.2023.10422100 · OA: W4391769375

Due to the ongoing legislative shift towards mandatedcybersecurity for road vehicles, the automotive cybersecurityengineering standard ISO/SAE 21434 is seeing fastadoption throughout the industry. Early efforts are focusing onthreat analysis and risk assessment (TARA) in the concept anddevelopment phases, exposing the challenge of managing TARAresults coherently throughout the supply chain and life cycle.While the industry focuses on TARA, other aspects such asvulnerability or incident handling are receiving less attention.However, the increasing threat landscape makes these processesincreasingly important, posing another industry challenge.In order to better address these two challenges, we analyzethe cybersecurity engineering framework of ISO/SAE 21434for gaps or deficiencies regarding TARA management andvulnerability and incident handling, as well as similar processesfor incident handling in IT security. The result is a proposalfor modifications and augmentations of the ISO/SAE 21434cybersecurity engineering framework. In particular, we proposea TARA management process to facilitate the coordination andinformation exchange between different systems and life cyclephases, and we propose improvements to the vulnerability andincident handling processes in ISO/SAE 21434 so that they aremore aligned with established standards. This amounts to 13new terminology definitions, 4 new process steps, 2 modifiedprocess steps and 1 entirely new process.