The implementation of ISO 21434, a standard for cyber security in the automotive sector, brings with it a variety of challenges. These challenges range from various aspects of the process, security culture, training, documentation and traceability, role definitions, security concepts, assessments and the organizational structure of the cyber security team. The implementation of this standard requires a thorough examination of numerous aspects in order to ensure cyber security in the automotive industry. This article highlights the most important challenges in these different areas.
Organizational Cyber Security Team Structure
The organizational structure of a cyber security team plays a crucial role in the successful implementation of cyber security measures in companies, especially in the automotive industry. The choice between a centralized or decentralized structure depends on company policies and individual requirements. Both approaches have advantages and disadvantages that need to be carefully weighed up.
Decentralized structure
A decentralized cyber security team structure offers a certain degree of flexibility, as resources are available locally. However, there are challenges associated with this approach. The organization and coordination of resources can be complex, which can lead to delays in escalating and responding to emergencies. In addition, there is no way to temporarily reserve resources for urgent tasks, which can make it difficult to prioritize and execute tasks. As each employee may have different knowledge and experience of the cyber security process, the quality and effectiveness of the tasks performed may vary. There is also an increased risk of ‘silo thinking’, where teams work in isolation rather than collaborating and sharing knowledge.
Centralized structure
In contrast, a central structure for the cyber security team provides a clear hierarchy and organization. Escalations can be handled more efficiently, which enables a faster response to problems. The planning and coordination of tasks is simplified as all team members are on the same page and work according to standardized processes. This helps to keep the quality of the tasks performed consistent. A centralized structure also enables the development of specialists who can focus on specific aspects of cyber security. In addition, it facilitates coordination with external cyber security resources, as these are no longer assigned to individual projects but are managed centrally.
The choice between a centralized and decentralized structure requires careful consideration of a company’s individual needs and circumstances. Ultimately, the selected structure should support the effective implementation of cyber security measures and contribute to the security of vehicles and systems.
Role Definitions within the organization
ISO 21434 specifies the performance of comprehensive assessments as an integral part of its requirements. However, it is crucial to recognize that existing process assessment models, such as the Automotive SPICE Security Process Assessment Model (SEC-PAM), are not specifically aligned with ISO/SAE 21434. This discrepancy between the requirements of ISO 21434 and existing assessments presents a notable challenge.
Another aspect that complicates assessments is the fact that assessors may have different expectations and approaches. This can lead to fragmentation and divergence in assessment criteria and methods. As a result, there is a risk that the process becomes unnecessarily bloated due to the diversity of interpretations and requirements. The resulting ambiguities in the assessment criteria can significantly impair implementation and conformity with ISO 21434.
To meet these challenges, careful alignment of assessments with the specific requirements of ISO 21434 is essential. Clear guidance and harmonization of assessors’ expectations is needed to ensure that the evaluation process is efficient and effective. These efforts are crucial to ensure the successful implementation of ISO 21434 in the automotive industry and to create a uniform basis for assessment.
Cyber Security Process
ISO 21434 places high demands on the implementation of cyber security in automotive systems. A key point is that this process must be in harmony with other business processes. This requires seamless integration into existing processes and can be a complex task.
It should also be noted that ISO 21434 has vague wording in some areas, which opens up considerable scope for interpretation. This can be both positive and negative, as interpretations can lead in the wrong direction and thus impair the effectiveness of the safety process.
It is worth noting that the concept of ISO 21434 is strongly based on ISO 26262, which focuses on functional safety. As a result, the standard tends to focus more on security aspects than on the specific requirements of cyber security.
Security Culture
The challenges in the area of security culture are also of great importance. There is still a lack of awareness of cyber security in many companies. This means that few employees have the necessary knowledge and skills in the area of security.
Furthermore, the implementation of ISO 21434 is made more difficult by time constraints and resource bottlenecks. Employees already have an abundance of tasks and little time to deal with another process, which can lead to suboptimal implementation.
Another aspect is the fact that some employees do not recognize the importance of security in embedded systems. This can lead to a negative attitude towards the requirements of ISO 21434 and hinder the implementation of the process.
Overcoming these challenges requires a targeted effort to increase awareness of security and efficiently utilize resources for the implementation of ISO 21434. Targeted training and communication are crucial to strengthen the security culture and integrate the processes smoothly into the company’s day-to-day operations.
Training programs for ISO/SAE 21434
The training offered in the context of ISO 21434 and cyber security in the automotive industry is an essential pillar to develop the necessary skills and ensure that the requirements of this demanding standard are met. Nevertheless, there are some challenges that require careful consideration and adaptation.
In many cases, companies lack the necessary resources to carry out comprehensive internal training. This can make the task of bringing all employees working with the ISO 21434 process up to the same level of knowledge much more difficult. This leads to a significant gap in the safety education and competence of the workforce.
Another problem lies in the fact that existing training courses are usually limited to basic knowledge that explains the standard itself. These basic training courses are undoubtedly valuable, especially for new cyber security managers to develop a solid understanding of the standard. However, they often prove insufficient for specialists such as cyber security architects. These experts need in-depth knowledge and insight into the technical concepts and challenges involved in implementing ISO 21434. Existing training courses often do not take these specific requirements into account.
Overcoming these challenges requires a targeted adaptation of the training offer. Companies should be able to develop customized training courses that are tailored to the specific requirements and roles of their employees. This requires careful needs analysis and the provision of training content that provides technical expertise and practical implementation.
Additionally, it is important to not view training as a one-time event, but as an ongoing process. The ever-evolving landscape of cyber security requires regular training and updates to ensure that the workforce is familiar with the latest trends and best practices in the industry. This ensures that the implementation of ISO 21434 is based on a solid foundation of knowledge, thus ensuring cyber security in the automotive industry.
Documentation and Traceability
In the world of cyber security, documentation and traceability are crucial, and this is especially true for the implementation of ISO 21434 in the automotive industry. Comprehensive and accurate documentation is essential, similar to all other processes that are assessed according to the Automotive SPICE (ASPICE) standard. This documentation not only serves as a guide for assessors, but also as a source of knowledge for new project members. It plays an important role in maintaining the current level of knowledge in the respective project.
In addition, complete traceability is a crucial aspect of ensuring cyber security. From the definition of an item to its validation, complete traceability must be ensured. This means that it must be possible to identify the origin of an asset, to know the required security measures for this asset and to trace the specific steps for the verification and validation of these measures. Only through such complete traceability can it be determined whether the defined security could actually be guaranteed.
It is important to emphasize that, even if the possibility of complete security remains an illusion, documentation and traceability ensure that all visible threats and risks are adequately addressed. This makes it possible to raise the level of security to a controllable level and maintain the integrity and confidentiality of systems and data. In the complex world of cyber security, documentation and traceability thus serve as indispensable cornerstones for meeting the constantly growing challenges.
Cyber Security Concept
In reality, there are specific security concepts that can only be implemented by original equipment manufacturers (OEMs) in the automotive industry. An outstanding example of this is the Secure Onboard Communication Protocol. The authority to decide on the security of messages at vehicle level lies solely with the OEM. It is up to the OEM to determine which communication messages should be protected via this protocol.
Although suppliers make a valuable contribution to cybersecurity by providing risk analysis and suggestions, the final decision on securing communication messages remains with the OEM. This leads to interesting situations where OEMs may become aware through their risk analysis of messages previously considered harmless that now need to be classified as security-critical and secured accordingly. This highlights the complex dynamics and responsibilities in automotive cybersecurity and the critical role that OEMs play in this process.