18 Jan 2022

Cybersecurity management system requirements

From appliances and HVAC, to home security systems and lightbulbs, connected products permeate our everyday lives in ways we probably never could have imagined, even just 10 years ago. As the smart home concept has become more accessible, so too has the concept of a smart or connected car, with the market projected to increase 40% to more than 400 million smart cars in use by 2025*. While connected cars offer a number of benefits and conveniences, like accessing navigation systems or communicating crucial safety information, being connected to the Internet of Things increases exposure to cybersecurity risks.

To advance automobile cybersecurity, two specifications are currently available for production road vehicles: ISO/SAE 21434:2021 – Road vehicles – Cybersecurity engineering (21434) and UN Regulation No. 155 – Cyber security and cyber security management system (R155). While these two specifications are similar and complementary, there are some key differentiators. In the first part of this blog series, ISO/SAE 21434 is broken down. We'll look at R155 in part two.

ISO/SAE 21434:2021 – Road vehicles – Cybersecurity engineering (21434)

ISO/SAE 21434:2021 – Road vehicles – Cybersecurity engineering (21434) outlines the requirements for the processes surrounding the Cyber Security Management System (CSMS) and requires verification and validation as part of this, without specifying specific threats or mitigations that must be considered. It also brings with it two new terms that are worth a specific look: Cybersecurity Assurance Level (CAL) and Threat Analysis and Risk Assessment (TARA).

The use of CAL is not required by the standard but is a concept that is introduced in the informative Annex E of the standard. It is a classification scheme that can be used to specify and communicate a set of assurance requirements, in terms of levels of rigour, to provide confidence that protection of the assets of an item or component is adequately developed. In addition to not being a required part of the standard, the definition of levels is only given as an example, allowing each implementer to customize CAL to their product. While customization is possible, it is expected that use of CAL will closely follow the example given in Annex E of the standard.

As CAL is not a requirement and there isn't a definitive specification for CAL, the body of the standard only makes reference to CAL in notes. The use of CAL in the standard is suggested as being determined for cybersecurity goals and used to scale the depth and rigour of product development activities (e.g., penetration testing).

On the other hand, the TARA is a requirement of the standard with its methods defined in section 15. The security community has used the term Threat Risk Assessment (TRA) as a very similar concept. The automotive industry (and ISO) is familiar with the term Hazard Analysis and Risk Assessment (HARA) from the safety standard ISO 26262. The TARA takes from both of these to create a cybersecurity concept specifically for the automotive industry.

The standard defines requirements for asset identification, threat scenario identification, impact rating, attack path analysis, attack feasibility rating, risk value determination, and risk treatment decision. The main required use of the TARA is part of cybersecurity goal setting in the concept phase. Additionally, the TARA needs to be included in the activities in the cybersecurity plan, including any updates or modifications to the plan. Parts of the TARA need to be performed on weaknesses to identify vulnerabilities, and the identified risks need to be assessed and treated in accordance with section 15.9 risk treatment decision of the standard.

The TARA can be used as rationale for omitting certain activities. For example, threat scenarios of risk value 1 from the TARA can be omitted from the activities outlined in 9.5 cybersecurity concept, 10 product development, and 11 cybersecurity evaluation.  The decision of whether to perform a cybersecurity assessment for an item can be based on the results of a TARA.  The risk treatment decision from a TARA determines whether a cybersecurity incident response needs to be applied.

Stay tuned for tips on how to address both 21434 and R155 in part two of this blog.


Ben Cuthbert,
High Assurance Lab Manager


Ben Cuthbert has been in the cybersecurity assessment field for more than 15 years in a variety of areas including payment devices, cryptographic modules, telecommunications, and connected devices such as IoT. 

You may be interested in...