Balancing Cybersecurity & Functional Safety: ISO 26262 – ISO/SAE 21434

Balancing Cybersecurity & Functional Safety: ISO 26262 – ISO/SAE 21434

As the automotive industry becomes increasingly software-based, cybersecurity has become an evolution of safety, rather than a separate practice. The huge amount of code that vehicles have come to rely on presents malicious players with new attack windows that demand combining both cybersecurity and functional safety standards to automotive products and devices.

ISO 26262, the international standard for functional safety – FuSa, addresses potential hazards caused by malfunctions in electronic and electrical systems in vehicles. The more recent ISO/SAE 21434 builds on ISO 26262, and provides a framework similar to it for the entire security life cycle of vehicles.

While there are many similarities between the two standards when it comes to processes, there are also some significant differences that both functional safety and product security pros must address in order to ensure their products and vehicles are compliant and market-ready.

That’s why we put together this rundown of the similarities and differences between ISO 26262 and ISO/SAE 21434, and why they matter.

What is ISO 26262?

ISO 26262, titled “Road vehicles – Functional safety”, is an international standard for functional safety (also known as “FuSa”) of electrical and/or electronic systems that are installed in serial production road vehicles, defined by the International Organization for Standardization (ISO).

The standard addresses potential hazards caused by the malfunctioning behavior of electronic and electrical systems in vehicles. FuSa features are an integral part of each automotive product development phase, ranging from the specification, to design, implementation, integration, verification, validation, and production release.

How Does ISO 26262 Cover Functional Safety?

In order to mitigate the many risks that innovative technologies introduce to today’s vehicles, ISO 26262 provides a set of detailed guidelines and requirements for their functional safety, including:

  • An automotive safety lifecycle that encompasses management, development, production, operation, service, and decommissioning. In addition,the standard supports tailoring the necessary activities during these lifecycle phases.
  • Functional safety aspects of the entire development process, including activities like requirements specification, design, implementation, integration, verification, validation, and configuration.
  • Automotive Safety Integrity Levels (ASILs): An automotive-specific risk-based approach for determining risk classes.
  • ASILs are used to specify items’ necessary safety requirements for achieving an acceptable residual risk.
  • Requirements for validation and confirmation measures that ensure that a sufficient and acceptable level of safety is being achieved.

Answering the Rising Need for Security: ISO/SAE 21434

As vehicles became increasingly software-driven, and cyber attack surfaces expanded rapidly, the automotive industry realized that cybersecurity has become a critical part of safety.

When the automotive professional community began discussing the growing need for security standards, there were different ideas on how to address the rising cybersecurity risks. Some said that ISO 26262 should be updated with amendments covering cybersecurity, while others suggested that a new standard focused on cybersecurity should be created – and that’s how we got to ISO/SAE 21434.

The goal of ISO/SAE 21434 is to build upon the functional safety standard ISO 26262 and provide a framework similar to it for the entire security life cycle of road vehicles. The major components of this new standard include security management, continuous cybersecurity activities, associated risk assessment methods, and cyber security within the concept product development and post development stages of road vehicles.

ISO 26262 vs. ISO 21434: Similarities and Differences

Functional safety and cybersecurity often overlap. The ISO 21434 standard was created along the lines of ISO 26262, which is why there are a lot of similarities in terms of processes. As a matter of fact, several members of the ISO 26262 committee also worked on the ISO 21434 standard.

Co-engineering of automotive Safety (ISO 26262) and Security (ISO/SAE 21434).

Co-engineering of automotive Safety (ISO 26262) and Security (ISO/SAE 21434). Source: 

Both standards provide a set of guidelines: FuSa is all about achieving the safety goals while developing an automotive solution, while ISO/SAE 21434 is aimed at protection against cyberthreats. In both cases, the process starts with identifying the items to work on, moves on to detecting the risks and threats, and ends with finding a way to mitigate them.

There are also some similarities in the way both standards explain their scopes: the management phase, concept phase, product development phase, and post development phase.

However, cybersecurity includes a few new phases:

  • Part 6 – Project dependent cybersecurity management: Since the requirements and application of cybersecurity might differ across automotive solutions, part 6 has been added to the standard.
  • Part 7– Continuous cybersecurity activities: Cybersecurity threats are ever-evolving which makes cybersecurity a continuous activity. New threats must be analyzed, and the automotive software must be updated to deal with them.

This is in sharp contrast with the functional safety standard, where hazards and associated risks are analyzed, and safety mechanisms are put in place from the onset.

  • Part 8 — Risk assessment methods: ISO 21434 explicitly specifies the methods for risk assessment – which include processes like asset identification, attack path analysis, and more.

Fusing Security into FuSa

As the automotive industry becomes increasingly reliant on software components, it’s become glaringly clear that vehicles need to be as cyber secure as they are safe. In fact, in many cases, the functional safety of the vehicle is dependent on security. That’s why it’s critical that cybersecurity and functional safety work in tandem – the similarities between the two standards show that we need to ensure they work together.

Automating Compliance Management with Cybellum

Cybellum enables automotive OEMs and their suppliers to develop and maintain safe and secure products, helping them navigate compliance with regulation and standards. The product security platform is the foundation for a CSMS covering everything from risk assessment and ongoing monitoring to documentation and readiness for auditing.

Cybellum is highly active in the area of standards, regulations and best practices, chairing the Israeli representation for the ISO/SAE 21434 standard committee, leading the taskforce responsible for the standard’ Use-case Annex and involved in other standardization efforts such as the upcoming ISO/WD PAS 5112 guidelines for auditing cybersecurity engineering, IAMTS study-group on cybersecurity and more.

Want to learn more? Schedule a free consultation with one of our experts.