What's technically inside the ISO/SAE 21434 ?

As the DIS of the ISO21434 is finally available. This is a collection of the insights and discussions we had while reading it. Read now inside the ISO/SAE 21434.

What's this about?

If you are unsure about what ISO21434 is and which role it plays for you, we’ve written an overview so that you can get onboard:

Work Products

The DIS of ISO21434 distinguishes the three kinds of product phases concept phase, development phase, and operation phase. The general endeavor of performing a TARA is described in chapter 8. The concept phase, as described in chapter 9, consists of defining the item (9.3 Item Definition), finding Cybersecurity Goals (section 9.4) and bundling them into a whole Cybersecurity Concept (section 9.5). The major part of identifying Cybersecurity Goals is to invoke the TARA that is described in chapter 8.

The main steps when performing an ISO21434-conform TARA are (in order of an idealized linear execution):

  • Item Definition (section 9.3)
  • Asset Identification (section 8.3)
  • Threat Scenario Identification (section 8.4)
  • Impact Rating (section 8.5)
  • Attack Path Analysis (section 8.6)
  • Attack Feasibility Rating (section 8.7)
  • Risk Determination (section 8.8)
  • Risk Treatment Decision (section 8.9)
  • Cybersecurity Goals [RQ-09-07]
  • Cybersecurity Claims [RQ-09-08]
  • Cybersecurity Concept (section 9.5)
Dependencies of TARA according to ISO21434 are visible

Insights

As this place is a living document, we are continuously adding the questions and discussions that arise. Here you go with some of them.

How could such process look like?

We’ve been giving a couple of presentations on how we interpret the ISO/SAE 21434 to be practically carried out.

Here is an 8min video on the itemis SECURE (we might be biased, as we’re developing it).

Here is a more detailed walk through the ISO/SAE 21434 Annex G example, first as in the ISO, then with tool support (1h44min):

Here is a presentation on how the openXSAM.io initiative aims to establish an open exchange format for cybersecurity risk assessments to transfer data across tools, teams and organizations to implement ISO/SAE 21434. (1h 36min)

As part of the research project SecForCARs, we looked at how to bring security and safety teams into mutually supporting each other without entangling their processes. This talk was presented at the RESS’21 workshop on the ISSRE’21 scientific conference (15min).