Length: 5 Days

ISO 21434 Certification | Automotive Cybersecurity Training

ISO 21434 “Road vehicles — cybersecurity engineering” specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.

The ISO 21434 automotive standard is important because it applies cybersecurity engineering to all stages of a vehicle’s lifecycle, from design through decommissioning.

ISO 21434 applies to all electronic systems, components, and software in the vehicle, plus any external connectivity.

What’s more, the standard provides developers with a comprehensive approach to implementing security safeguards that span the entire supply chain.

ISO 21434 is needed because with the increase in connectivity in vehicles — such as Wi-Fi, Bluetooth, NFC, Cellular (3G, 4G, 5G and 6G) — and the development of autonomous cars, the risks of cyber-attack and subsequent damage also increase.

Most experts in this field believe that there have been insufficient safety-critical standards to cover this type of risk and that new guidelines and standards therefore needed to be established.

The intent behind the standard is to provide a structured process to ensure that cybersecurity considerations are incorporated into automotive products throughout their lifetime.

The standard requires automotive manufacturers and suppliers to demonstrate due diligence in the implementation of cybersecurity engineering and to show that cybersecurity management is applied throughout the supply chain to support it.

It intends that organizations will encourage a cybersecurity culture so that everything is designed with security considerations from the start.

The White House has long been a proponent of ISO 21434, contending that cybersecurity should be at the forefront of all automotive design decisions, including the selection of the programming language to be used for software development.

Manufacturers, developers, suppliers and organizations need to consider several points in a security risk assessment, such as:

  • Identification of assets and potential damage resulting from a breach of security features
  • Identification and analysis of possible threats, attacks and vulnerabilities
  • Determination of risk levels based on damage scenarios and the probability of successful attacks
  • Application of countermeasures until the remaining risk is acceptable
  • Documentation of the important steps and results of the risk assessment process, such as asset lists, damage scenarios, attack reports or risk reports

The new ISO/SAE 21434 safeguards the entire development process and lifecycle of a road vehicle and promotes “security by design.”

ISO 21434 Certification | Automotive Cybersecurity Training by Tonex

ISO 21434 Certification, Automotive Cybersecurity Training is a 5-day training and consulting course that provides guidance developed by Tonex to help the automotive industry as it implements cybersecurity in its vehicles, systems, subsystems and parts.

This ISO/SAE 21434 certification training provides the technical details and best practices of cybersecurity engineering based on ISO/SAE 21434. How shall we identify security objectives, and how do we assess security procedures and methods like TARA (Threat and Risk Analysis)? Learn what typical threats are by applying cybersecurity to life-cycle, products, process, and security engineering procedures.

Learning Objectives

Upon completion of the ISO 21434 Certification, Automotive Cybersecurity Training course, attendees will be able to:

  • Learn about ISO/SAE 21434 Cybersecurity Framework
  • Describe cybersecurity foundations for automotive applications
  • Start and complete an ISO/SAE 21434 cybersecurity certification
  • List risk assessment methods and procedures
  • Enhance cybersecurity best practices for product development
  • Relate cybersecurity to production, operations, and maintenance
  • Learn about risk assessment methodologies, including threat analysis and risk assessments (TARA)
  • Practice the concept of security by design
  • Perform security lifecycle tasks and processes: verification, validation and management
  • Describe cybersecurity testing and evaluation: pen-testing and fuzz-testing
  • Learn about Incident response

Program Agenda

Day 1: Overview of ISO/SAE 21434 Framework

  • Overview of ISO/SAE 21434
  • Goals and Objectives
  • Compliance With ISO/SAE 21434
  • Managing Cybersecurity Risks Using ISO/SAE 21434
  • Overview of ISO/SAE 21434 Certification & Assessments
  • IEC 62443-4-1 Secure Product Development Lifecycle
  • Work products introduced in ISO/SAE 21434
  • Tools introduced in ISO/SAE 21434
  • Requirements and Recommendations

Day 2-3

ISO/SAE 21434 Framework Cybersecurity Management

  • Cybersecurity Governance
  • Cybersecurity Risk Management
  • Organizational Cybersecurity Audit
  • Information Sharing
  • Management Systems
  • Tool Management
  • Information Security Management
  • Work Products

Cybersecurity Foundations for Automotive Semiconductor Applications

  • Cybersecurity Responsibilities
  • Cybersecurity management and culture
  • Risk Assessment Methodology and TARA
  • Systematic Security Engineering
  • Security by Design
  • Secure Boot and SecOC
  • Automotive Cybersecurity Test and Evaluation
  • Verification, Validation and Life-cycle Management
  • Cybersecurity Testing: pen-testing and fuzz-testing

ISO/SAE 21434 Framework Cybersecurity Implementation

  • Cybersecurity Responsibilities and Their Assignment
  • Cybersecurity Planning
  • Tailoring of the Cybersecurity Activities
  • Reuse
  • Component Out of Context
  • Off-the-Shelf Component
  • Cybersecurity Case
  • Cybersecurity Assessment
  • Release for Post-Development
  • Work Products

Overview of Cybersecurity Activities

  • Malicious Cyber attacks
  • Cybersecurity and Functional Safety
  • Robust Protection from Malicious Cyber attacks
  • Cybersecurity Monitoring
  • Requirements and Recommendations
  • Cybersecurity Event Assessment
  • Requirements and Recommendations

Day 4-5

Product Development Cybersecurity

  • Assessment and Certification Process
  • Cybersecurity Management System Assessment
  • ISO/SAE 21434 Assessment
  • Cybersecurity Risk Analysis
  • IEC 62443 Certification
  • Managing Cybersecurity Risks Using ISO/SAE 21434 PD532013

Advanced Technologies Risk Assessments

  • How to identify security objectives?
  • How do we assess security on the basis of basic methods like TARA (Threat and Risk Analysis)?
  • How can a security objective be deduced?
  • Overview of Typical Threats

Detailed Analysis of ISO 21434

  • Threat Modelling
  • CAL
  • Item definition
  • End to end process
  • Creation of templates and documents

Overview of UNECE WP R155 & R156

  • UNECE Vehicle Regulations: UN R155 & UN R156 Frameworks
  • UN R155 and general requirements for Vehicle Cybersecurity
  • UN R156 and specific requirements for heavy vehicles
  • Uniform provisions concerning the approval of vehicles with regard to cyber security and cyber security management system
  • Certificate of Compliance for Cyber Security Management System
  • What are the main points of UN R155 and UN R156?
  • Similarities and differences with ISO 21434 and ISO 26262
  • Cybersecurity Management Systems (CSMS)
  • Protection strategies
  • Connectivity analysis: Bluetooth, WiFi signals, and cellular modem/LTE/5G and others

Analysis of Attack Surfaces

  • Attack Surfaces
  • OBD II
  • In-vehicle Network (IVN)
  • Telematics
  • Keyless Entry (RKE)
  • Mobile App Reverse Engineering
  • Anti-Theft
  • TPMS
  • Autonomous Driving
  • Development of Software, Firmware and Hardware
  • Supply Chain

Vulnerability and Penetration Assessment

  • CAN Bus
  • LIN Bus
  • ASRB Bus
  • FlexRay Bus
  • Ethernet
  • MOST
  • K-Line – ISO 9141
  • SAE J1850

Hands-on Workshops and Case Studies

  • Tools: HackRF One, CAN Bus Shields, Kali Linux
