With over-the-air updates, infotainment and the integration of mobile devices and cloud-based
services, the connected vehicle offers the ultimate experience with state-of-the-art safety,
autonomy and driver comfort. Robust cybersecurity measures must be engineered into all aspects of
the vehicle's construction to protect critical features and back-end networks that serve them from
cyberattacks. Underscoring NXP’s proactive approach and commitment to automotive security, NXP,
including its policies and processes, has been certified to comply with the new ISO/SAE 21434
automotive security standard.
It is paramount that cybersecurity measures are central to all aspects of the vehicle's design. A
standard defines necessary criteria for the numerous automotive suppliers involved in producing
today's vehicles. Explicit policies and procedures must permeate the entire supply chain to
identify and plug any vulnerabilities that may exist.
Collaboration Leads to Standardization
Efforts to create an automotive cybersecurity standard started in 2016 when the Society of
Automotive Engineering (SAE) and the International Organization for Standardization (ISO) embarked
on a joint initiative to create an industry standard for vehicle cybersecurity. Both organizations
had separately worked on automotive safety and security-related standards; ISO 26262 is the renowned
automotive functional safety standard, and SAE leveraged the framework of ISO 26262 when creating
J3061, the "Cybersecurity Guidebook for Cyber-Physical Systems". The two organizations ultimately
joined forces and collaborated with automakers, component and system suppliers and cybersecurity
vendors – involving over 100 experts from more than 82 companies in 16 countries. The new ISO/SAE
21434 standard is the result of this collaboration. It defines precise procedural and
organizational requirements for achieving robust vehicle cybersecurity. Also detailed in the
standard are the steps required for performing threat analysis and risk assessment (TARA) of
potential cyber threats throughout the vehicle's life cycle. Additionally, organizations need to
monitor cybersecurity events and manage incidents when they occur.
Under ISO/SAE 21434, security must be considered for all electronic systems in the connected car,
at every stage, from concept through manufacturing to decommissioning, and systems must be
engineered in such a way that they will offer robust protection from evolving threats. The
requirements defined by the standard must be embedded into a company's DNA and organizations must
implement a Cyber Security Management System (CSMS) including cybersecurity risk management.
Regulations for Cybersecurity
The new automotive regulation UN R155 for cybersecurity is a further step toward enhancing
cybersecurity. The regulation was adopted in 2020 by the United Nations Economic Commission for
Europe (UNECE) WP.29, also known as the World Forum for Harmonisation of Vehicle Regulations.
Under UN R155, vehicle manufacturers can only achieve vehicle type approval and sell new vehicle
types if they have a certified cyber security management system (CSMS) in place. The legislation
is set to roll out across the world from July 2022 onwards.
How NXP Supports the OEMs
OEMs will need support from suppliers such as NXP, as the regulation requires evidence that
supplier-related risks are identified and managed under their certified CSMS. The standard ISO/SAE
21434 supports the implementation of the R155 requirements in organizations across the supply
chain. Building on its long-standing expertise in security, NXP has refined and extended its
existing policies and processes to fully meet the requirements of the new standard ISO/SAE 21434.
An independent third party has recently confirmed this compliance through an audit and
certification. This helps enable OEMs to meet requirements of the R155 regulation.
The Impact on Legacy Components
It's important to stress that the standard does not mean OEMs should tear apart existing systems
and remove legacy components at will. They must analyze automotive systems and determine whether
their components fulfill relevant security criteria. This analysis will prove easier for new,
compliant components. Existing off-the-shelf components will require further assessment of
their suitability, and to identify and address any potential security shortfalls.
Considering the plethora of electronic components used in a new car from both Tier 1 and 2
suppliers, the responsibility will be a shared one with the implications encompassing the whole
supply chain.
Future automotive products must comply with the standard, and manufacturers must provide
supporting evidence. NXP and other suppliers must work closely with Tier-1 and OEM customers and
help them conduct their risk assessments and compliance validation.
Moving forward, consumers and automakers will benefit from the implementation of the standards and
adherence to the regulations. Consumers can enjoy consistent, seamless technology that enhances
safety and user experience with robust protection against cyberattacks and evolving threats.
Security Leads to New Opportunities
As all aspects of technology in our lives become more interconnected, adequate protection against
cyberthreats becomes paramount. Robust cybersecurity measures are required to prevent attackers
from utilizing the interconnectivity to move through our devices and systems undetected and
unchecked. NXP’s trusted products and mature security organization help vehicle manufacturers
secure their vehicles against cyberattacks, thereby making connectivity and autonomy an
opportunity for business and society, rather than a threat to us all!
For more information please visit Secure Vehicle Architecture.