Regulations and Standards
Regulation: UN R155
Governance and industry regulations are the driving force behind the initiative to improve the cybersecurity capability of the Automotive Industry. With its effective date beginning in January 2021, Regulation 155: Cyber security and Cyber security management system is the first such regulation to apply. Member countries and regions have committed to different enforcement rollout plans.
United Nations Regulation (UN R155) requires OEMs to have a Cyber Security Management System (CSMS) in place. This is enforced via the vehicle type approval application process.
R155 does not establish an exact methodology that should be used to implement a CSMS, only the types of activities the CSMS process needs to cover, such as threat analysis and risk assessment, cybersecurity testing, vulnerability management, etc. On the other hand, ISO/SAE 21434:2021, officially published in August 2021, is intended to fill some of this gap. From the introductory chapter: “This document can be used to implement a cybersecurity management system including cybersecurity risk management.”
ISO/SAE 21434:2021 “Road vehicles - Cybersecurity engineering” defines a specific set of work products and requirements to prescribe a consistent methodology necessary to standardize a consistent approach to establishing a CSMS. These requirements to generate work products ultimately drive additional work to OEMs and the OEM supply chain of Tier 1 and Tier 2 suppliers.
However, UN R155 also requires the management of threats and risks to supporting systems outside of vehicles that can affect the security of vehicles themselves, such as back-end servers, and this is not covered by ISO/SAE 21434.
We will discuss UN R155 further in later chapters.
Standard: ISO/SAE 21434:2021
ISO and SAE jointly released (ISO/SAE 21434: Road Vehicles — Cybersecurity Engineering) in August 2021. According to the description of this standard on the ISO website: “This document specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.”
21434 is about managing and reducing foreseeable cybersecurity risks by adhering to good engineering practices. This set of activities is performed throughout the product (vehicle, E/E system, and component) lifecycle. It is shared between all parties involved in developing, manufacturing, and maintaining the product (i.e., vehicle manufacturers, upfitters, and supply chains).

The following chapter titles provide a general idea about the topics covered in ISO/SAE 21434:
5 - Overall Cybersecurity Management6 - Project dependent Cybersecurity Management7 - Distributed cybersecurity activities8 - Continual cybersecurity activities9 - Concept10 - Product development11 - Cybersecurity Validation12 - Production13 - Operations and Maintenance14 - End of cybersecurity support and decommissioning15 - Threat analysis and risk assessment methods (TARA)
While most seasoned OEMs and ECU suppliers were aware of the development of this standard and proactively started implementing conformance before the final release (using draft copies), many others were behind and scrambled to catch up, especially in terms of hiring and training personnel to perform the required work products. 21434 is the de facto standard people refer to when discussing vehicle cybersecurity.
The reception of this standard has been mixed. Most would agree that ISO/SAE 21434 is a step in the right direction, albeit extremely slow (the standard was proposed and kicked off in 2016). However, as stated in the standard description: “This document does not prescribe specific technology or solutions related to cybersecurity.” This caused many to question the usefulness of this standard as it does not provide a tangible technical solution like the collection of IETF standards for internet security (e.g., TLS1.3, PKCS, etc.). However, as mentioned earlier, it does provide a partial solution to the newly established UN regulation.
Further details on ISO/SAE 21434 are covered in Industry in Depth and Advanced courses.