6.4: ISO/SAE 21434 Integration
Standard Overview
ISO/SAE 21434:2021
Road Vehicles - Cybersecurity Engineering
ISO/SAE 21434 defines cybersecurity engineering requirements for the automotive industry, covering the entire vehicle lifecycle from concept through decommissioning.
The following diagram shows the structure of ISO/SAE 21434, illustrating how its clauses map to the cybersecurity lifecycle phases from concept through decommissioning.
ASPICE SEC to ISO 21434 Mapping
Process Mapping
Note: ISO/SAE 21434:2021 is referenced throughout this section.
| ASPICE SEC | ISO 21434 Clause | Topic |
|---|---|---|
| SEC.1 BP1 | 9.3 | Cybersecurity goals |
| SEC.1 BP2 | 10.4.1 | Cybersecurity requirements |
| SEC.1 BP3 | 10.4.2 | Requirements allocation |
| SEC.2 BP1 | 8.3 | Threat scenarios |
| SEC.2 BP2 | 8.5 | Attack feasibility |
| SEC.2 BP3 | 8.6 | Risk determination |
| SEC.2 BP4 | 8.7 | Risk treatment |
| SEC.3 BP2 | 11.4 | Cybersecurity verification |
| SEC.3 BP4 | 12.4 | Penetration testing |
| SEC.3 BP5 | 8.8 | Vulnerability management |
Work Product Mapping
| ASPICE WP | ISO 21434 WP | Description |
|---|---|---|
| 17-54 | WP-09-01 | Cybersecurity goals |
| 17-55 | WP-10-01 | Cybersecurity requirements |
| 08-52 | WP-08-01 | TARA report |
| 08-53 | WP-08-03 | Risk treatment report |
| 13-52 | WP-11-01 | Verification report |
| 08-54 | WP-08-04 | Vulnerability analysis |
Cybersecurity Assurance Levels (CAL)
CAL Definition
The diagram below visualizes the four Cybersecurity Assurance Levels (CAL 1-4), showing the increasing rigor of verification, documentation, and independence requirements at each level.
CAL Determination Matrix
CAL Determination Matrix:
| Impact | High Feas. | Medium Feas. | Low Feas. | Very Low Feas. |
|---|---|---|---|---|
| Severe | CAL 4 | CAL 4 | CAL 3 | CAL 3 |
| Major | CAL 4 | CAL 3 | CAL 2 | CAL 2 |
| Moderate | CAL 3 | CAL 2 | CAL 1 | CAL 1 |
| Minor | CAL 2 | CAL 1 | CAL 1 | CAL 1 |
| Negligible | CAL 1 | CAL 1 | CAL 1 | CAL 1 |
Note: Impact considers Safety, Financial, Operational, Privacy
UNECE WP.29 R155/R156 Compliance
Regulation Overview
The following diagram outlines the UNECE WP.29 R155 and R156 regulatory framework, showing the relationship between type approval requirements, CSMS certification, and SUMS obligations for vehicle manufacturers.
R155 Annex 5 Threat Mitigations
# R155 Annex 5 Threat Categories
r155_threats:
category_1_backend_servers:
threats:
- "1. Threats to back-end servers related to vehicles"
mitigations:
- "Access control and authentication"
- "Encryption of communications"
- "Intrusion detection"
category_2_communication_channels:
threats:
- "2. Threats to vehicles regarding their communication channels"
mitigations:
- "Message authentication"
- "Encryption"
- "Rate limiting"
category_3_update_procedures:
threats:
- "3. Threats to vehicles regarding their update procedures"
mitigations:
- "Secure boot"
- "Code signing"
- "Rollback protection"
category_4_human_actions:
threats:
- "4. Threats to vehicles regarding unintended human actions"
mitigations:
- "Access control"
- "User authentication"
- "Secure defaults"
category_5_external_connectivity:
threats:
- "5. Threats to vehicles regarding their external connectivity"
mitigations:
- "Firewall"
- "Network segmentation"
- "Input validation"
category_6_data_code:
threats:
- "6. Threats to vehicle data/code"
mitigations:
- "Encryption at rest"
- "Secure storage"
- "Integrity protection"
category_7_potential_vulnerabilities:
threats:
- "7. Potential vulnerabilities that could be exploited"
mitigations:
- "Secure coding"
- "Vulnerability management"
- "Security testing"
Compliance Evidence Framework
Evidence Mapping
Compliance Evidence Mapping:
| ISO 21434 Requirement | ASPICE Work Product | Evidence |
|---|---|---|
| 5.4.1 Governance | 15-01 QA Plan | CSMS policy |
| 5.4.2 Risk management | 08-53 Risk treatment | Risk register |
| 6.4.1 Responsibilities | MAN.3 project plan | RACI matrix |
| 7.4.1 Monitoring | SUP.9 problem report | Incident log |
| 8.3 Threat scenarios | 08-52 TARA report | Threat catalog |
| 8.5 Attack feasibility | 08-55 Feasibility | Attack trees |
| 9.3 Cybersecurity goals | 17-54 CS goals | Goal specification |
| 10.4.1 CS requirements | 17-55 CS requirements | SRS security |
| 11.4 Verification | 13-52 Test report | Test results |
| 12.4 Penetration testing | 13-54 Pentest report | Pentest findings |
Audit Checklist
Note: Template can be adapted for organization-specific audit procedures.
# ISO 21434 Compliance Audit Checklist (template)
audit_checklist:
project: (Project Name)
standard: ISO/SAE 21434:2021
audit_date: (audit date)
auditor: (Auditor Name)
clause_5_organizational:
- id: 5.4.1
requirement: "Cybersecurity governance established"
evidence: "CSMS policy document v1.0"
status: compliant
- id: 5.4.2
requirement: "Organizational risk management"
evidence: "Risk management procedure RM-001"
status: compliant
- id: 5.4.3
requirement: "Cybersecurity audit"
evidence: "Annual audit schedule, audit reports"
status: compliant
clause_6_project:
- id: 6.4.1
requirement: "Cybersecurity responsibilities assigned"
evidence: "Project plan section 5, RACI matrix"
status: compliant
- id: 6.4.2
requirement: "Cybersecurity plan"
evidence: "Cybersecurity plan CSP-BCM-001"
status: compliant
- id: 6.4.3
requirement: "Tailoring"
evidence: "Tailoring record with justification"
status: compliant
clause_8_risk_assessment:
- id: 8.3
requirement: "Threat scenarios identified"
evidence: "TARA report section 3"
status: compliant
- id: 8.5
requirement: "Attack feasibility rated"
evidence: "Attack tree analysis, feasibility scores"
status: compliant
- id: 8.6
requirement: "Risk determined"
evidence: "Risk matrix, CAL assignments"
status: compliant
- id: 8.7
requirement: "Risk treatment decisions"
evidence: "Risk treatment records"
status: compliant
clause_9_concept:
- id: 9.3
requirement: "Cybersecurity goals defined"
evidence: "Cybersecurity goals specification"
status: compliant
- id: 9.4
requirement: "Cybersecurity concept"
evidence: "Security architecture document"
status: compliant
clause_10_development:
- id: 10.4.1
requirement: "Cybersecurity requirements specified"
evidence: "SRS section 6 (security requirements)"
status: compliant
- id: 10.4.2
requirement: "Requirements allocated"
evidence: "Requirements traceability matrix"
status: compliant
clause_11_verification:
- id: 11.4.1
requirement: "Verification against requirements"
evidence: "Security test reports"
status: compliant
- id: 11.4.2
requirement: "Vulnerability analysis"
evidence: "Vulnerability assessment report"
status: compliant
clause_12_validation:
- id: 12.4
requirement: "Penetration testing (CAL 3+)"
evidence: "Penetration test report PT-BCM-001"
status: compliant
overall_assessment:
compliant_items: 18
non_compliant_items: 0
observations: 2
recommendation: "CERTIFIED - Compliant with ISO/SAE 21434"
AI Tool Qualification for Security
Tool Confidence Levels
AI Tool Qualification for SEC Processes:
| Tool Category | TCL | Qualification Need | Use in SEC |
|---|---|---|---|
| SAST (SonarQube) | TCL 2 | Validation needed | SEC.3 BP2 |
| SAST (Semgrep) | TCL 2 | Validation needed | SEC.3 BP2 |
| SCA (Trivy) | TCL 2 | Validation needed | SEC.3 BP2 |
| DAST (ZAP) | TCL 3 | Minimal | SEC.3 BP3 |
| Fuzzer (AFL++) | TCL 3 | Minimal | SEC.3 BP3 |
| AI Threat Analysis | TCL 1 | Full qualification | SEC.2 BP1 |
| AI CVSS Scoring | TCL 2 | Validation needed | SEC.2 BP2 |
| AI Code Review | TCL 1 | Full qualification | SEC.3 BP2 |
TCL = Tool Confidence Level (ISO 26262)
- TCL 1 = Low confidence (high qualification effort)
- TCL 2 = Medium confidence (validation required)
- TCL 3 = High confidence (tool is well-established)
AI Tool Considerations for ISO 21434:
- AI-generated threat models require expert review
- AI CVSS scores are advisory, not authoritative
- AI vulnerability detection needs human validation
- AI-assisted penetration testing supplements manual testing
- Full audit trail of AI tool outputs required
Cybersecurity Case
Structure
Note: Approval requirements vary by organization; adapt signature requirements to organizational procedures.
# Cybersecurity Case Template (per ISO 21434)
cybersecurity_case:
project: (Project Name)
version: 1.0
date: (date)
part_1_overview:
item_description: |
Body Control Module responsible for door lock/unlock
functions via CAN bus communication.
cybersecurity_scope:
- Door lock/unlock control
- Remote keyless entry interface
- Diagnostic interface
excluded_scope:
- Backend connectivity (separate item)
- Smartphone app (separate item)
part_2_risk_assessment:
methodology: "ISO/SAE 21434 TARA"
threat_scenarios: 14
risk_levels:
R5_critical: 0
R4_high: 3
R3_medium: 5
R2_low: 4
R1_very_low: 2
cal_determination: CAL 3
evidence:
- TARA_Report_BCM_v1.0.pdf
- Attack_Tree_Analysis_v1.0.pdf
part_3_cybersecurity_goals:
goals:
- id: CSG-001
description: "Ensure authenticity of door control commands"
addressed_threats: [THR-001, THR-002]
- id: CSG-002
description: "Ensure integrity of door control messages"
addressed_threats: [THR-003, THR-004]
- id: CSG-003
description: "Ensure availability of door lock function"
addressed_threats: [THR-005, THR-006]
evidence:
- Cybersecurity_Goals_BCM_v1.0.pdf
part_4_cybersecurity_concept:
architecture_decisions:
- "SecOC for CAN message authentication"
- "HSM for key storage"
- "Rate limiting on diagnostic interface"
evidence:
- Security_Architecture_BCM_v1.0.pdf
part_5_implementation:
cybersecurity_requirements: 8
allocated_to_components:
- BCM_Security_Module: 6
- BCM_Diagnostics: 2
evidence:
- SRS_Security_Section_v1.2.pdf
- Traceability_Matrix_v1.0.xlsx
part_6_verification:
activities:
- SAST: completed
- SCA: completed
- DAST: completed
- Fuzz_testing: completed
- Penetration_testing: completed
findings_summary:
total: 21
resolved: 16
accepted: 5
open: 0
evidence:
- Security_Test_Report_v1.0.pdf
- Penetration_Test_Report_v1.0.pdf
part_7_residual_risk:
residual_risks:
- id: RR-001
description: "Side-channel attack on HSM"
residual_level: R2
acceptance_rationale: |
Requires expert knowledge and specialized equipment.
Attack surface limited to physical access scenarios.
accepted_by: "Security Architect"
acceptance_date: 2025-02-10
part_8_conclusion:
cybersecurity_goal_achievement: "All goals achieved"
cal_compliance: "CAL 3 requirements satisfied"
residual_risk_acceptable: true
recommendation: "APPROVED for production"
approvals:
- role: "Cybersecurity Manager"
name: "[Signature]"
date: 2025-02-15
- role: "Project Manager"
name: "[Signature]"
date: 2025-02-15
Integration with Safety (ISO 26262)
Safety-Security Interaction
The diagram below illustrates the interaction points between safety (ISO 26262) and security (ISO/SAE 21434), showing where joint analysis is required and how conflicts between safety and security measures are resolved.
Conflict Resolution:
- Safety takes precedence over security in conflict
- Security measures SHALL NOT compromise safety
- Joint safety-security review for critical functions
- Document conflict analysis and resolution
Example Conflict:
- Security: "Disable function if authentication fails"
- Safety: "Maintain safe state (door locked) regardless"
- Resolution: "Maintain safe state, log security event"
Work Products
| WP ID | Work Product | ISO 21434 Reference |
|---|---|---|
| 17-54 | Cybersecurity goals | Clause 9.3 |
| 17-55 | Cybersecurity requirements | Clause 10.4.1 |
| 08-52 | TARA report | Clause 8 |
| 08-53 | Risk treatment plan | Clause 8.7 |
| 13-52 | Security test report | Clause 11.4 |
| 08-57 | Cybersecurity case | Clause 6.4.6 |
Summary
ISO/SAE 21434 Integration:
- Full Alignment: ASPICE SEC processes map to ISO 21434
- CAL Framework: Risk-based assurance levels
- UNECE R155/R156: Type approval requirements
- Safety Integration: ISO 26262 coordination
- Evidence-Based: Comprehensive audit trail