Merging Security and Safety in Vehicles: ISO 26262 and ISO/SAE 21434

The auto industry’s growing dependence on software has turned cybersecurity into an extension of safety, not only security. The vast amount of code in modern vehicles creates new attack avenues for malicious actors and brings with it the need for Automotive Safety Integrity Levels (ASILs). This necessitates incorporating both cybersecurity and functional safety standards into automotive products and devices.

ISO 26262, the international standard for functional safety (FuSa), addresses potential hazards caused by malfunctions in electronic and electrical vehicle systems. The newer ISO/SAE 21434 standard builds on ISO 26262, and provides a framework similar to it for the entire security life cycle of vehicles.

While the two standards share many similarities in process, there are also key differences that functional safety and product security professionals must address to ensure their products and vehicles are compliant and marketable.
That’s why we created this summary of the similarities and differences between ISO 26262 and ISO/SAE 21434, and why they matter.

What is ISO 26262?

ISO 26262, titled “Road vehicles – Functional safety”, is an international standard for functional safety (FuSa) of electrical and/or electronic systems in mass-produced road vehicles, as defined by the International Organization for Standardization (ISO).

The standard addresses potential hazards caused by malfunctions in electronic and electrical vehicle systems. FuSa features are an essential part of every phase of automotive product development, from specification to design, implementation, integration, verification, validation, and production release.

How Does ISO 26262 Cover Functional Safety?

To mitigate the many risks that innovative technologies introduce to today’s vehicles, ISO 26262 provides a set of detailed guidelines and requirements for their functional safety, including:

  • An automotive safety lifecycle that encompasses management, development, production, operation, service, and decommissioning. In addition, the standard supports tailoring the necessary activities during these lifecycle phases.
  • Functional safety aspects of the entire development process, including activities like requirements specification, design, implementation, integration, verification, validation, and configuration.
  • Automotive Safety Integrity Levels (ASILs): An automotive-specific risk-based approach for determining risk classes.
  • ASILs are used to specify items’ necessary safety requirements for achieving an acceptable residual risk.
  • Requirements for validation and confirmation measures ensure that a sufficient and acceptable level of safety is being achieved.

ISO 26262 vs. ISO 21434: Similarities and Differences

As vehicles became increasingly software-driven and cyber attack surfaces grew rapidly, the automotive industry recognized cybersecurity as a critical aspect of safety.

When the automotive professional community began discussing the growing need for security standards, there were different ideas on how to address the rising cybersecurity risks. Some suggested updating ISO 26262 with cybersecurity amendments, while others advocated for a new, cybersecurity-focused standard. This is how ISO/SAE 21434 came about.

The goal of ISO/SAE 21434 is to build upon the functional safety standard ISO 26262 and provide a similar framework for the entire security life cycle of road vehicles. The major components of this new standard include security management, continuous cybersecurity activities, associated risk assessment methods, and cybersecurity within the concept product development and post-development stages of road vehicles.

What are the Requirements to Achieve ISO 21434 Compliance?

Vulnerability management is a crucial process for ensuring automotive cybersecurity, mandated by both UNECE WP.29 regulations and ISO/SAE 21434 standards. It involves a continuous cycle of activities throughout a vehicle’s lifecycle.

Traceability and documentation

  • Track ownership and status: Each identified vulnerability is assigned an owner, along with its current status (e.g., identified, under investigation, mitigated).
  • Justification for mitigation plans: Technical and business rationales are documented to support chosen mitigation strategies.
  • Future reference and monitoring: This detailed record serves as a vital resource for audits, ongoing monitoring, and reassessing risks as circumstances change.

Continuous vulnerability management

  • Ongoing identification and assessment: Proactive efforts are made to discover new vulnerabilities and assess changes in existing ones (e.g., the emergence of new exploits).
  • Manual and automated processes: A combination of manual (e.g., threat intelligence analysis) and automated (e.g., vulnerability scanning) techniques are employed for comprehensive coverage.

Incident response and root cause analysis

  • Product Security Incident Response Team (PSIRT): When vulnerabilities are exploited on the road, the PSIRT takes charge.
  • Root cause analysis: This analysis aims to understand how the vulnerability reached production and its potential impact on vehicle components.
  • Closed-loop prevention: Learnings from the incident are used to identify preventive measures in design, development, and testing processes to prevent similar vulnerabilities in the future.
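The three lists above describe one record-keeping process: every vulnerability carries an owner and a status, mitigation needs a documented rationale, and continuous monitoring can reopen a record when a new exploit appears. The following is an added example of that process as a small tracker with an audit trail; it is constructed for this page and is not Cybellum code, and the status order (identified, under investigation, mitigated, reopened on reassessment) and the record fields are assumptions.

```python
"""Constructed example: a minimal vulnerability record tracker modelling the
traceability and continuous-management activities described above."""
from dataclasses import dataclass, field

# Allowed status transitions (assumed order of the statuses named in the text;
# a mitigated record may be reopened when its risk is reassessed).
TRANSITIONS = {
    "identified": {"under investigation"},
    "under investigation": {"mitigated"},
    "mitigated": {"under investigation"},
}


@dataclass
class VulnRecord:
    vuln_id: str            # placeholder identifier, not a real CVE
    component: str
    owner: str              # every record has an assigned owner
    status: str = "identified"
    justification: str = ""  # documented rationale for the chosen mitigation
    history: list = field(default_factory=list)  # audit trail for reviews

    def transition(self, new_status: str, justification: str = "") -> str:
        """Move to a new status, enforcing the lifecycle and the rationale rule."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not allowed")
        if new_status == "mitigated" and not justification.strip():
            raise ValueError("mitigation requires a documented rationale")
        self.history.append((self.status, new_status, justification))
        self.status = new_status
        if justification:
            self.justification = justification
        return self.status

    def reassess(self, event: str) -> str:
        """Continuous monitoring: a change such as a new exploit reopens a mitigated record."""
        if self.status == "mitigated":
            self.transition("under investigation", f"reassessed: {event}")
        return self.status


def workflow() -> VulnRecord:
    """Walk one constructed record through the full cycle."""
    rec = VulnRecord("VULN-EXAMPLE-1", "telematics ECU (constructed)", "alice")
    rec.transition("under investigation")
    rec.transition("mitigated", "patched via OTA update; residual risk accepted as low")
    rec.reassess("public exploit published")   # record is reopened for review
    return rec
```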

ISO 26262 vs. ISO 21434: Similarities and Differences

Functional safety and cybersecurity often overlap. The ISO 21434 standard was created based on ISO 26262, which explains the many similarities in terms of processes. In fact, several members of the ISO 26262 committee also participated in the development of the ISO/SAE 21434 standard.

Co-engineering of automotive Safety (ISO 26262) and Security (ISO/SAE 21434).

Both standards provide a set of guidelines: FuSa is all about achieving safety goals during automotive solution development, while ISO/SAE 21434 is focused on protection against cyber threats. In both cases, the process begins with identifying the items to work on, then moves on to detecting risks and threats, and concludes with finding ways to mitigate them.

There are also some similarities in how both standards define their scopes: the management phase, concept phase, product development phase, and post-development phase.

The new phases in automotive cybersecurity

  • Part 6 – Project-dependent cybersecurity management: Since the requirements and application of cybersecurity might differ across automotive solutions, part 6 has been added to the standard.
  • Part 7 – Continuous cybersecurity activities: Cybersecurity threats are constantly evolving, making cybersecurity an ongoing process. New threats must be analyzed, and the automotive software must be updated to address them.
  • Part 8 – Risk assessment methods: ISO 21434 explicitly specifies
    This is a stark contrast to the functional safety standard, where hazards and associated risks are analyzed, and safety mechanisms are implemented from the outset.

Fusing Security into FuSa

As the automotive industry becomes increasingly reliant on software components, it’s become glaringly clear that vehicles need to be as cyber-secure as they are safe. In fact, in many cases, the functional safety of the vehicle is dependent on security. That’s why it’s critical that cybersecurity and functional safety work in tandem – the similarities between the two standards show that we need to ensure they work together.

Driving into a more secure future

Regardless of the approach taken to meet these compliance requirements, teams will need to go beyond understanding what software is in their embedded devices and also demand document-based insight into the full software supply chain.

Turning this awareness into mature product security processes means being able to manage and distribute SBOMs while also using that information to automate vulnerability management and complete the compliance process.

Automating Compliance Management with Cybellum

Cybellum enables automotive OEMs and their suppliers to develop and maintain safe and secure products, helping them navigate compliance with regulation and standards. The product security platform is the foundation for a CSMS covering everything from risk assessment and ongoing monitoring to documentation and readiness for auditing.

Cybellum is highly active in the area of standards, regulations and best practices, chairing the Israeli representation for the ISO/SAE 21434 standard committee, leading the taskforce responsible for the standard’s Use-case Annex and involved in other standardization efforts such as the upcoming ISO/WD PAS 5112 guidelines for auditing cybersecurity engineering, the IAMTS study group on cybersecurity and more.

To understand how The Product Security Platform helps teams come together and manage product security efficiently, book a demo.

FAQs

Is ISO 21434 mandatory?

Adoption of ISO/SAE 21434 varies by region and manufacturer, but it’s increasingly recognized as a key standard for automotive cybersecurity.

What is the difference between ISO 21434 and R155?

ISO 21434: This is an international standard titled “Road vehicles — Cybersecurity engineering.” It provides a comprehensive framework for ensuring cybersecurity in the development and production of automotive systems. ISO 21434 is broad in its scope, covering various aspects of cybersecurity management, including risk assessment, incident response, and the continuous management of cybersecurity throughout the vehicle lifecycle.

R155: R155 is a regulation under the WP.29 framework, established by the United Nations Economic Commission for Europe (UNECE). It specifically addresses cybersecurity and cyber security management systems for road vehicles. R155 is more regulatory in nature and is legally binding for countries that adopt it. It requires manufacturers to establish a certified Cybersecurity Management System (CSMS), conduct risk assessments, define security measures, and ensure continuous monitoring and reporting.

Key Differences:

Scope: ISO 21434 is a global standard offering guidelines for automotive cybersecurity, while R155 is a regulatory requirement under the UNECE, enforceable in member countries.

Compliance: Compliance with ISO 21434 is voluntary and part of best practice, whereas R155 compliance is legally required for vehicle type approval in countries that have adopted this regulation.

Focus: ISO 21434 covers a broad range of cybersecurity aspects in automotive engineering, while R155 is more focused on the establishment and maintenance of a CSMS.

What is the difference between ISO 21434 and J3061?

ISO 21434 is a comprehensive international standard for cybersecurity in automotive systems, offering guidelines across the entire lifecycle of the vehicle and its components.

According to the SAE website, “J3061 is a recommended practice provides guidance on vehicle Cybersecurity and was created based off of, and expanded on from, existing practices which are being implemented or reported in industry, government and conference papers. The best practices are intended to be flexible, pragmatic, and adaptable in their further application to the vehicle industry as well as to other cyber-physical vehicle systems (e.g., commercial and military vehicles, trucks, busses).”

Key Differences:

Formality and Scope: ISO 21434 is a formal international standard, while J3061 is a recommended practice with guidelines.

International Recognition: ISO 21434 has broader international recognition and is often considered as the benchmark for automotive cybersecurity, whereas J3061 serves as an influential guidebook and foundational document in the field.
