SAE and ISO Publish Joint Automotive Cybersecurity Standard

The new standard will help ensure that cybersecurity is entwined throughout the entire product lifecycle.

ISO and SAE have jointly published the new 21434 Cybersecurity standard. (Hans J. Brehm/WikiCommons)

SAE International, in collaboration with the International Organization for Standardization (ISO), recently published a new standard that will help ensure that cybersecurity is entwined throughout the entire product lifecycle. First published as a draft in February 2020, ISO/SAE 21434 Road Vehicles - Cybersecurity Engineering is the final, superseding version. It is available for purchase at 21434/ .

This seminal standard provides industry cybersecurity professionals and product developers with a pragmatic approach to establishing a solid foundation for integrating cybersecurity within the product development lifecycle – from project initiation through to decommissioning. The ISO/SAE 21434 standard is the culmination of years of effort among international experts from the engineering, product development and cybersecurity disciplines.

The joint development group included over 100 experts from 14 nations culled from the vast expertise of both international standards organizations. ISO/SAE 21434 builds on the tenets of SAE J3061 Cyber Security Guidebook for Cyber-Physical Vehicle Systems, the world’s first automotive cybersecurity standard. SAE’s partnership with ISO allowed the expansion of the J3061 standard and ensured the international harmonization that is needed to truly progress cybersecurity into a mature discipline in the mobility industry.

“We are pleased to see the fruits of this unique collaborative partnership between SAE and ISO,” said Jack Pokrzywa, director of global ground vehicle standards, SAE International. “We see this standard as a critical tool in the arsenal of cybersecurity professionals and product developers around the globe. SAE is committed to helping industry achieve the highest levels of security in all vehicles.”

The new standard walks readers through the fundamentals of cybersecurity including requirements, process and goals in business disciplines including product development, production, operations and maintenance. Two major elements of the standard are Threat Analysis and Risk Assessment (TARA), and Product Development. The TARA describes methods to determine the extent to which a road user can be impacted by a threat scenario. The methods can be called systematically, and from any point in the lifecycle of an item or component.

Product Development describes how the specification of cybersecurity requirements and architectural design is brought into product development, and weaves it into the “Systems Engineering V Model” approach used extensively throughout industry. The standard describes how cybersecurity activities are woven into the full breadth of the product development lifecycle. These cybersecurity activities are performed iteratively until no further refinements of cybersecurity controls are needed.

In addition, SAE is now offering Cybersecurity Training based on ISO/SAE 21434. This 2-day professional development course is taught by two of the 21434 developers. Successful trainees earn an SAE professional cybersecurity certification. This training is at .

SAE is committed to aiding industry to develop the highest levels of vehicle security – and the organization is not resting on its laurels. The expert team is already beginning efforts on a new joint standard to deepen the TARA methodology to add needed metrics to further mature the processes that are so vital to ensuring vehicle security.