ISO/SAE FDIS 21434
(Main)Road vehicles -- Cybersecurity engineering
Road vehicles -- Cybersecurity engineering
Véhicules routiers -- Ingénierie de la cybersécurité
General Information
Standards Content (sample)
FINAL
INTERNATIONAL ISO/SAE
DRAFT
STANDARD FDIS
21434
ISO/TC 22/SC 32
Road vehicles — Cybersecurity
Secretariat: JISC
engineering
Voting begins on:
20210512
Véhicules routiers — Ingénierie de la cybersécurité
Voting terminates on:
20210707
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO
ISO/SAE FDIS 21434:2021(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. ISO/SAE International 2021
---------------------- Page: 1 ----------------------
ISO/SAE FDIS 21434:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/SAE International 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication
may be reproduced, or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or
posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO or SAE
International at the respective address below or ISO’s member body in the country of the requester.
ISO copyright office SAE InternationalCP 401 • Ch. de Blandonnet 8 400 Commonwealth Dr.
CH1214 Vernier, Geneva Warrendale, PA, USA 15096
Phone: +41 22 749 01 11 Phone: 8776067323 (inside USA and Canada)
Phone: +1 7247764970 (outside USA)
Fax: 724-776-0790
Email: copyright@iso.org Email: CustomerService@sae.org
Website: www.iso.org Website: www.sae.org
Published in Switzerland by ISO, published in the USA by SAE International
ii © ISO/SAE International 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/SAE FDIS 21434:2021(E)
Contents Page
Foreword ......................................................................................................................................................................................................................................vii
Introduction ............................................................................................................................................................................................................................viii
1 Scope .................................................................................................................................................................................................................................1
2 Normative references ......................................................................................................................................................................................1
3 Terms, definitions and abbreviated terms ................................................................................................................................1
3.1 Terms and definitions .......................................................................................................................................................................1
3.2 Abbreviated terms ...............................................................................................................................................................................5
4 General considerations .............................................................................................................................................................................. ....5
5 Organizational cybersecurity management ............................................................................................................................7
5.1General ......................................................................................................................................................................................................................7
5.2Objectives................................................................................................................................................................................................................7
5.3Inputs ........................................................................................................................................................................................................................ 8
5.3.1 Prerequisites .......................................................................................................................................................................8
5.3.2 Further supporting information .........................................................................................................................8
5.4 Requirements and recommendations .................................................................................................................................8
5.4.1 Cybersecurity governance .......................................................................................................................................8
5.4.2 Cybersecurity culture ..................................................................................................................................................9
5.4.3 Information sharing ................................................................................................................................................... 10
5.4.4 Management systems ............................................................................................................................................... 10
5.4.5 Tool management ......................................................................................................................................................... 11
5.4.6 Information security management ............................................................................................................... 11
5.4.7 Organizational cybersecurity audit .............................................................................................................. 11
5.5 Work products ...................................................................................................................................................................................... 12
6 Project dependent cybersecurity management ................................................................................................................12
6.1 General ........................................................................................................................................................................................................ 12
6.2 Objectives.................................................................................................................................................................................................. 13
Inputs ........................................................................................................................................................................................................... 14
6.36.3.1 Prerequisites .................................................................................................................................................................... 14
6.3.2 Further supporting information ...................................................................................................................... 14
6.4 Requirements and recommendations .............................................................................................................................. 14
6.4.1 Cybersecurity responsibilities .......................................................................................................................... 14
6.4.2 Cybersecurity planning ........................................................................................................................................... 14
6.4.3 Tailoring ............................................................................................................................................................................... 15
6.4.4 Reuse ....................................................................................................................................................................................... 15
6.4.5 Component out-of-context ................................................................................................................................... 17
6.4.6 Offtheshelf component ........................................................................................................................................ 17
6.4.7 Cybersecurity case ...................................................................................................................................................... 17
6.4.8 Cybersecurity assessment .................................................................................................................................... 17
6.4.9 Release for postdevelopment........................................................................................................................... 19
6.5 Work products ...................................................................................................................................................................................... 19
7 Distributed cybersecurity activities ..............................................................................................................................................20
7.1 General ........................................................................................................................................................................................................ 20
7.2 Objectives.................................................................................................................................................................................................. 20
7.3 Inputs ........................................................................................................................................................................................................... 20
7.4 Requirements and recommendations .............................................................................................................................. 20
7.4.1 Supplier capability ...................................................................................................................................................... 20
7.4.2 Request for quotation ............................................................................................................................................... 21
7.4.3 Alignment of responsibilities ............................................................................................................................. 21
7.5 Work products ...................................................................................................................................................................................... 22
8 Continual cybersecurity activities ..................................................................................................................................................22
8.1 General ........................................................................................................................................................................................................ 22
© ISO/SAE International 2021 – All rights reserved iii---------------------- Page: 3 ----------------------
ISO/SAE FDIS 21434:2021(E)
8.2 Objectives.................................................................................................................................................................................................. 22
8.3 Cybersecurity monitoring .......................................................................................................................................................... 22
8.3.1 Inputs ...................................................................................................................................................................................... 22
8.3.2 Requirements and recommendations ........................................................................................................ 23
8.3.3 Work products ................................................................................................................................................................ 23
8.4 Cybersecurity event evaluation ............................................................................................................................................. 24
8.4.1 Inputs ...................................................................................................................................................................................... 24
8.4.2 Requirements and recommendations ........................................................................................................ 24
8.4.3 Work products ................................................................................................................................................................ 24
8.5 Vulnerability analysis ..................................................................................................................................................................... 24
8.5.1 Inputs ...................................................................................................................................................................................... 24
8.5.2 Requirements and recommendations ........................................................................................................ 25
8.5.3 Work products ................................................................................................................................................................ 25
8.6 Vulnerability management ........................................................................................................................................................ 25
8.6.1 Inputs ...................................................................................................................................................................................... 25
8.6.2 Requirements and recommendations ........................................................................................................ 26
8.6.3 Work products ................................................................................................................................................................ 26
9 Concept ........................................................................................................................................................................................................................26
9.1 General ........................................................................................................................................................................................................ 26
9.2 Objectives.................................................................................................................................................................................................. 26
9.3 Item definition ...................................................................................................................................................................................... 27
9.3.1 Inputs ...................................................................................................................................................................................... 27
9.3.2 Requirements and recommendations ........................................................................................................ 27
9.3.3 Work products ................................................................................................................................................................ 27
9.4 Cybersecurity goals .......................................................................................................................................................................... 28
9.4.1 Inputs ...................................................................................................................................................................................... 28
9.4.2 Requirements and Recommendations ....................................................................................................... 28
9.4.3 Work products ................................................................................................................................................................ 29
9.5 Cybersecurity concept ................................................................................................................................................................... 29
9.5.1 Inputs ...................................................................................................................................................................................... 29
9.5.2 Requirements and recommendations ........................................................................................................ 29
9.5.3 Work products ................................................................................................................................................................ 30
10 Product development ...................................................................................................................................................................................30
10.1 General ........................................................................................................................................................................................................ 30
10.2 Objectives.................................................................................................................................................................................................. 31
10.3 Inputs ........................................................................................................................................................................................................... 32
10.3.1 Prerequisites .................................................................................................................................................................... 32
10.3.2 Further supporting information ...................................................................................................................... 32
10.4 Requirements and recommendations .............................................................................................................................. 32
10.4.1 Design ..................................................................................................................................................................................... 32
10.4.2 Integration and verification ................................................................................................................................ 34
10.5 Work products ...................................................................................................................................................................................... 35
11 Cybersecurity validation ...........................................................................................................................................................................36
11.1 General ........................................................................................................................................................................................................ 36
11.2 Objectives.................................................................................................................................................................................................. 36
11.3 Inputs ........................................................................................................................................................................................................... 36
11.3.1 Prerequisites .................................................................................................................................................................... 36
11.3.2 Further supporting information ...................................................................................................................... 36
11.4 Requirements and recommendations .............................................................................................................................. 36
11.5 Work products ...................................................................................................................................................................................... 37
12 Production ...............................................................................................................................................................................................................37
12.1 General ........................................................................................................................................................................................................ 37
12.2 Objectives.................................................................................................................................................................................................. 37
12.3 Inputs ........................................................................................................................................................................................................... 37
12.3.1 Prerequisites .................................................................................................................................................................... 37
12.3.2 Further supporting information ...................................................................................................................... 37
iv © ISO/SAE International 2021 – All rights reserved---------------------- Page: 4 ----------------------
ISO/SAE FDIS 21434:2021(E)
12.4 Requirements and recommendations .............................................................................................................................. 37
12.5 Work products ...................................................................................................................................................................................... 38
13 Operations and maintenance ...............................................................................................................................................................38
13.1 General ........................................................................................................................................................................................................ 38
13.2 Objectives.................................................................................................................................................................................................. 38
13.3 Cybersecurity incident response .......................................................................................................................................... 38
13.3.1 Inputs ...................................................................................................................................................................................... 38
13.3.2 Requirements and recommendations ........................................................................................................ 39
13.3.3 Work products ................................................................................................................................................................ 40
13.4 Updates ....................................................................................................................................................................................................... 40
13.4.1 Inputs ...................................................................................................................................................................................... 40
13.4.2 Requirements and recommendations ........................................................................................................ 40
13.4.3 Work products ................................................................................................................................................................ 40
14 End of cybersecurity support and decommissioning ..................................................................................................40
14.1 General ........................................................................................................................................................................................................ 40
14.2 Objectives.................................................................................................................................................................................................. 40
14.3 End of cybersecurity support .................................................................................................................................................. 41
14.3.1 Inputs ...................................................................................................................................................................................... 41
14.3.2 Requirements and recommendations ........................................................................................................ 41
14.3.3 Work products ................................................................................................................................................................ 41
14.4 Decommissioning .............................................................................................................................................................................. 41
14.4.1 Inputs ...................................................................................................................................................................................... 41
14.4.2 Requirements and recommendations ........................................................................................................ 41
14.4.3 Work products ................................................................................................................................................................ 41
15 Threat analysis and risk assessment methods ..................................................................................................................41
15.1 General ........................................................................................................................................................................................................ 41
15.2 Objectives.................................................................................................................................................................................................. 42
15.3 Asset identification ........................................................................................................................................................................... 42
15.3.1 Inputs ...................................................................................................................................................................................... 42
15.3.2 Requirements and recommendations ........................................................................................................ 43
15.3.3 Work products ................................................................................................................................................................ 43
15.4 Threat scenario identification ................................................................................................................................................ 43
15.4.1 Inputs ...................................................................................................................................................................................... 43
15.4.2 Requirements and recommendations ........................................................................................................ 44
15.4.3 Work products ................................................................................................................................................................ 44
15.5 Impact rating ......................................................................................................................................................................................... 44
15.5.1 Inputs ...................................................................................................................................................................................... 44
15.5.2 Requirements and recommendations ........................................................................................................ 44
15.5.3 Work products ................................................................................................................................................................ 45
15.6 Attack path analysis .....................................................................
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.