The need for a cyber security standard like ISO/SAE 21434 was ruthlessly demonstrated to the automotive industry in 2015: all of a sudden, the Jeep Grand Cherokee simply started moving, as if by magic, with no driver at the wheel. Charlie Miller and Chris Valasek prompted waves of uproar that rippled through the automotive world when they hacked the popular SUV in the USA in 2015. The IT experts had gained access to the vehicle and its functions via the Uconnect infotainment system, which is constantly connected to the Internet and was operated by what was then the FCA Group (now Stellantis). “That was a shock to carmakers. All of them saw a risk to their digital systems and vehicles,” recalls Fabian Lanze, Head of cyber security at Huf. “To close these loopholes and make it more difficult for hackers to gain access, the United Nations Economic Commission for Europe (UNECE) defined cyber security requirements for type approvals for the first time in 2020. However, exactly what these standards would look like was defined in August 2021.”
ISO/SAE 21434 – standard for cyber security in automotive
The International Organization for Standardization (ISO) developed the ISO/SAE 21434 standard in collaboration with the Society of Automotive Engineers (SAE). The new regulation does not define the security loopholes in the vehicle and how to fix them, as that would be of little use due to the ever-increasing quality of hacker attacks. ISO/SAE 21434 has a much further-reaching impact on many processes at automotive companies. It begins with the product development process and defines clear concepts and specifications for a threat analysis and risk assessment. ISO/SAE 21434 also covers production, servicing, volume operation, and management as well as the disposal of personal data. Based on these defined frameworks and concepts, Huf communicates with its customers on a level playing field and can identify and block potential weak points in the digital sphere early on.
“However, it’s not only now that we’re able to do that,” says Lanze. “We have had a rough idea of the content of ISO/SAE 21434 for more than a year now. At Huf, we have been working on digital keys for a long time and have gradually tailored our processes and structures to the possible ISO targets, so all we had to do is tie up a few loose ends. Despite that, we’re still continuing to make refinements, which our Phone as a Key demonstrates in particular.”
Next ECU generation by Huf based on ISO/SAE 21434
The global Phone as a Key team at Huf has drawn up a comprehensive analysis and risk assessment, which means that it can already provide its customers with reliable estimates in line with ISO/SAE 21434. Hardware and, in particular, software components such as firmware, which is crucial for reliable communication with a smartphone, do harbor potential risks, but Huf has already recognized them and can explain them to its customers and present solutions that it has implemented. Then there are digital keys, which are shared across various devices but cannot be allowed to fall into the wrong hands. “Most of our customers have already identified smartphones as presenting high-risk loopholes. To ensure that these security vulnerabilities are eliminated soon as well, we at Huf are actively working on the standard that the Car Connectivity Consortium is to produce. In this respect, too, we want to slam the virtual door in the faces of digital intruders and give our customers a high level of cyber security,” explains Lanze regarding maintaining security into the future.