exida - ISO/SAE 21434 Automotive Cyber Certification

Automotive Cyber Certification

Automotive systems are quickly becoming a serious target for cyber attacks. ISO/SAE 21434 helps keep them secure.

  1. exida
  2. Certification
  3. Cybersecurity
  4. ISO/SAE 21434 Cyber Certification

ISO/SAE 21434 Certification

Innovation in the automotive industry has become a prevalent topic within the last decade. Modern vehicles are fitted with computers and embedded electronics, and some are even equipped with Wi-Fi or cellular connectivity. While this inter-connectivity has increased the quality of life for today’s drivers, it widens the cyber attack surface.

The ISO/SAE 21434 standard defines a framework for implementing secure electrical and electronic systems in road vehicles. These strategies and techniques apply to all parts of the engineering process including concept, product development, production, operation, maintenance, and decommissioning of E/E systems in road vehicles.

exida has a comprehensive understanding of ISO/SAE 21434 and has developed a robust certification scheme to provide cybersecurity certification for E/E systems in road vehicles. The ISO/SAE 21434 standard itself is a framework and not technically prescriptive. Therefore, exida uses its cybersecurity expertise from other domains such as the IEC 62443 series, NIST, and UNECE Nr. 155 to complement the ISO/SAE 21434 process and project judgment with profound cybersecurity expertise.

View a List of Cyber Certified Products   

exida Cybersecurity Certification Programs

exida offers IEC 62443 and ISO/SAE 21434 cybersecurity certification programs tailored for four categories: engineering processes, devices/ applications, systems, and personnel. The requirements for each category vary as different standards in the IEC-62443 + ISO/SAE 21434 series are applied. Each program is described by a document includes all requirements from the referenced standards in addition to specific needs expressed by the exida Advisory Board.

Category 1: Cybersecurity Engineering Process Certifications

exida has established cybersecurity certification programs for both:

  • engineering processes used to design and develop components such as  embedded devices, automotive subsystems, network devices, host devices, and software
  • engineering processes used to design systems of devices

The exida Security Development Process program is based upon IEC 62443-4-1 and covers manufacturer design and development, especially software design and coding. This program is well suited to Original Equipment Manufacturer (OEM) product maintenance and development where full variability computer languages (C, C++, etc.) are being used.

The exida System Integrator Process program is based upon IEC 62443-2-4 and covers the cybersecurity aspects of system integration, testing, and installation. The certification covers the process itself not any specific device or system designed using that process. This program allows a system integrator to show cybersecurity competence to potential customers and results in more secure systems.

The exida Security Development Process program for automotive is based upon ISO/SAE 21434 and covers manufacturer design and development.

Category 2: Cybersecurity Device and Application Certifications

A device (an embedded control product, a platform device, or a software application) can get a cybersecurity certification from exida. Each device must be designed and tested following a cybersecurity engineering process per IEC 62443-4-1 and the device must include a set of cybersecurity defense techniques as specified in IEC 62443-4-2. There are four security levels specified in that standard with sets of requirements that increase with higher numbered levels as shown in the Figure below. 

Any device meeting the requirements of this program will be given a certificate stating the achieved security level which demonstrates to potential customers the cybersecurity strength built into the device.

For devices that are to be used in an automotive context, exida offers an ISO 21434 device certification, but this standard currently does not include security levels.

Category 3: Cybersecurity System Certifications

Two cybersecurity certification schemes are available from exida:

  • Original Equipment Manufacturer (OEM) System Certification and
  • Integrated System Certification.

The exida System Security Certification for OEMs is based upon IEC 62443-4-1 and IEC 62443-4-2.  This scheme has similar requirements to a device cybersecurity certification except it is applied a system level where many devices are networked into a system.  With this certification a system supplier can show accredited third party cybersecurity certification for all devices in the system when configured and maintained according to the security manual. 

The exida Integrated System Certification is based upon IEC 62443-2-4 and IEC 62443-3-3.  This certification scheme applies to a networked system designed by an integration company per an engineering process for integrators and provides cybersecurity features as required by IEC 62443-3-3.  Four security levels are specified with additional cybersecurity defense mechanisms needed for each higher level.  

View Completed Cybersecurity Certifications

Category 4: Cybersecurity Personnel Certifications

As a pioneer in IACS personnel competency certification, exida introduced the CFSE/CFSP program in 2000.

Two cybersecurity personnel certification programs based on the same fundamental principles are available from exida – the CACE and the CACS programs. 

Summary of exida Cybersecurity Certification Programs

Based On Classification Program Name Applicable to
IEC 62443-4-1 Product or System Development Process Certification

exida Security Development Process

ISASecure® SDLA Certification

 OEM Product Development for Industrial Automation
ISO/SAE 21434 Product or System Development Process Certification

ISO/SAE 21434 Organizational Management Process Certification

 Automotive component and item product development
IEC 62443-2-4 System Integration and Maintenance Process Certification exida System Integrator Process System Integrator
       
IEC 62443-4-1, IEC 62443-4-2 Component Certification exida Security Device Certification OEM Product
ISO/SAE 21434 Component Certification ISO/SAE 21434 Product Certification

 

 Automotive Components and Items
       
IEC 62443-4-1, -3-3 OEM System Certification

exida System Security Certification

ISASecure® SDLA Certification

 OEM Components (Embedded Device, Network Device, Software Application or Host Device)
IEC 62443-2-4, IEC 62443-3-3 Integrated System Certification

exida Integrated System Certification

ISASecure® SDLA Certification

 Integrated System
       
IEC 62443-4-1, -4-2 Personnel Certification CACE / CACS Software OEM Developers
IEC 62443-2-4, IEC 62443-3-3 Personnel Certification CACE / CACS Design System Designer
IEC 62443-2-4, IEC 62443-3-3 Personnel Certification CACE / CACS Integrator System Integrator
ISO/SAE 21434 Personnel Certification CACE / CACS Automotive Automotive System Design/Developer
       

Why Choose exida for Automotive Cyber?

The team at exida has comprehensive knowledge of the ISO/SAE 21434 standards based upon:

Active Participation

Active participation on the cybersecurity standards committees – an understanding of not only the requirements but the reasons for the requirements

Experience

Several years of experience in practical real world automation cybersecurity.

Publications

exida has published many technical papers and books on cybersecurity.

Training

offering and teaching several in-depth training courses on cybersecurity

Understanding

a deep understanding of software engineering and quality engineering processes.

A Formula for Success

When this depth of knowledge and understanding for risk analysis and engineering processes is combined with exida's reputation for service, no better choice can be found.

The exida schemes go beyond and require:

  • a product manufacturer must perform network testing during development for a product or system. It is not sufficient for a test lab to perform testing after a product is ready for production release. exida will witness a sample set of tests before production release.
  • the software development process used to create the product meet requirements of the cybersecurity maturity level.
  • surveillance audits be performed by the CB at regular intervals to ensure testing is being performed and security monitoring in the field / security response systems are working well.
  • security defense mechanisms required by the referenced standards have been implemented as required.
  • equipment failure modes are evaluated per their impact on cybersecurity features.
  • practical system level cybersecurity requirements needed for the product are published in a user document. The information required by exida goes beyond existing standards per the advice of our end user Advisory Board. 

Any manufacturer, system integrator, or security practitioner interested in getting an exida cybersecurity certification is most welcome to contact us for more details.

Request a Proposal       Security Certification Scheme