Berkner Tech

ISO/SAE 21434 for Automotive Cybersecurity

ISO/SAE 21434 defines how a vehicle gets engineered for security across its life. Here is what it asks of an embedded team, in plain terms.

ISO/SAE 21434 for Automotive Cybersecurity

A modern vehicle is a rolling network of a hundred or more ECUs, and a single insecure one can become a bridge to the CAN bus and everything on it. ISO/SAE 21434 exists because the industry needed a shared engineering discipline for that reality — not a checklist bolted on at the end, but a way of building security into a vehicle from concept through decommissioning. If you write firmware for anything that ends up in a car, this standard is the framework your customer is measuring you against.

What the standard actually is

ISO/SAE 21434, “Road vehicles — Cybersecurity engineering,” is a process standard. It does not tell you to use AES-256 or to disable a particular debug port. Instead it defines the activities, work products, and responsibilities that a cybersecurity engineering process must contain, so that security is managed with the same rigour as functional safety under ISO 26262. Its scope runs the full lifecycle: organisational management, project-level planning, concept and risk assessment, product development, production, operations, and end of support.

The document matters commercially because it is the technical backbone behind UN Regulation No. 155. An OEM that must demonstrate a certified cybersecurity management system to regulators leans on 21434 to do it, and that expectation flows down the supply chain to every Tier 1 and Tier 2 that ships a component.

TARA: the analysis at the heart of it

The central analytical method in 21434 is TARA — Threat Analysis and Risk Assessment. You identify the assets in your item and their cybersecurity properties, enumerate threat scenarios that would violate those properties, rate the impact of each along safety, financial, operational, and privacy dimensions, and estimate attack feasibility. Combining impact and feasibility yields a risk value, which drives your risk treatment decision: reduce it with a control, share it, retain it, or avoid it by design.

TARA is not a one-time exercise. It is revisited as the design evolves and as new threats emerge in the field. A finding that a diagnostic service is reachable without authentication, for instance, is exactly the kind of threat scenario a TARA is meant to surface early — the specifics of the UDS diagnostics attack surface are a recurring input to automotive risk assessments because diagnostic access so often bypasses the protections engineers assume are in place.

Cybersecurity across the lifecycle

The standard organises work into phases, and each phase has defined work products. Understanding the shape of it helps an embedded team see where their deliverables plug in.

Phase Focus Representative work product
Organisational management Policies, culture, competence Cybersecurity management system
Concept Item definition, TARA, goals Cybersecurity goals and claims
Product development Requirements, design, verification Verification and test reports
Production Provisioning of keys and config Production control plan
Operations and maintenance Monitoring, incident response, updates Vulnerability management records

What it asks of the embedded team

Concretely, the standard pushes several habits into firmware development. Cybersecurity requirements become traceable, linked to the threat scenarios that motivated them and to the tests that verify them. Design decisions that affect security — secure boot, key storage, message authentication on the bus — are documented with rationale. Verification includes security testing appropriate to the risk, from requirements-based tests up to penetration testing for higher-risk items. And the work does not stop at start of production: you owe a monitoring and vulnerability management capability so that a flaw discovered in the field can be triaged, and, where warranted, fixed through a secure update.

The most common gap is treating cybersecurity as documentation rather than engineering. A binder full of TARA spreadsheets that never changed the design, or a “penetration test” that was a vulnerability scan, will not survive an assessment. The evidence has to show that the analysis drove decisions and that testing actually exercised the attack surface.

Where a security partner fits

Two 21434 activities benefit most from outside expertise: the TARA, where an independent perspective catches threat scenarios the design team has normalised, and the security testing, where a genuine penetration test against your ECU produces the evidence an assessor expects to see. A well-run test also feeds the next TARA iteration, closing the loop the standard is built around. If your team is standing up a 21434-aligned process or needs a rigorous test of an automotive component, a threat model or penetration test scoped to your item is where we can help — start the conversation on our contact page.


References and Further Reading

Share:

More Posts