ISO/SAE 21434：2021汽车网络安全国际标准概览

21434

5星 · 超过95%的资源需积分: 46 49 浏览量更新于2024-07-09 1 收藏 2.17MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

ISO/SAE 21434-2021是一项国际标准，专门针对道路交通车辆的信息安全工程（Roadvehicles—Cybersecurity engineering）。该标准由ISO/SAE国际组织发布，旨在确保汽车行业的网络安全设计、制造和运行过程中的安全性。作为一份技术规格，它涵盖了车辆系统和通信架构的保护措施，以防止黑客攻击、数据泄露和其他潜在的 cybersecurity威胁。 ISO/SAE 214434的制定旨在应对日益复杂的汽车电子系统与网络连接所带来的挑战，随着自动驾驶、车联网等先进技术的发展，车辆对网络安全的需求变得至关重要。这份标准邀请所有利益相关者，包括制造商、供应商、消费者和技术开发者，参与到草案的评审过程中，提交他们可能拥有的相关专利权声明，并提供支持文档，以便于评估其在工业、技术、商业和用户用途上的适用性。此外，ISO/SAE 21434并非孤立存在，它可能会影响国家层面的法规制定。在投票阶段，该草案将在2021年5月12日至7月7日期间进行审议，这期间标准化组织将收集各方意见，最终决定是否将其转化为正式的国际标准，以便作为各国家在制定相关网络安全法规时的重要参考依据。该标准的核心内容可能包括但不限于以下方面： 1. **网络安全要求**：定义了对于车辆电子和通信系统的最低安全要求，涵盖软件安全、硬件防护、数据加密和完整性检查等方面。 2. **风险管理**：强调了对潜在威胁的识别、评估和应对策略，确保系统能够抵御各类攻击手段。 3. **生命周期管理**：规定了从设计、生产到退役的全生命周期内网络安全管理的最佳实践。 4. **漏洞管理**：如何发现、报告和修复系统漏洞，以及如何建立有效的补丁管理和更新机制。 5. **合规性和审计**：确保车辆符合国际网络安全标准，同时也为监管机构提供了审计框架。 6. **用户教育和意识**：强调了驾驶员、车主和维护人员关于网络安全的基本知识和培训需求。 7. **合作伙伴协作**：鼓励产业内的跨部门和跨国合作，共享网络安全知识和技术，以提升整个行业的整体防护能力。 ISO/SAE 21434的实施将对汽车行业带来深远影响，不仅要求车辆制造商升级他们的产品设计，还可能推动整个供应链的安全改进，以适应这个数字化和互联的时代。随着标准的最终发布，它将成为确保道路车辆网络安全的关键指南。

资源详情

资源推荐

ISO/SAE FDIS 21434:2021(E)

3.1.38

vulnerability

weakness (3.1.40attack path (3.1.4)



5





3.1.39

vulnerability analysis

vulnerabilities (3.1.38)

3.1.40

weakness

defect or characteristic that can lead to undesirable behaviour

 

 

EXAMPLE 3 Implementation weakness, including hardware and software defect, incorrect implementation of

a security protocol.

 

EXAMPLE 5 Use of an outdated or deprecated function, including cryptographic algorithms.

3.2 Abbreviated terms

CAL cybersecurity assurance level

CVSS common vulnerability scoring system

E/E electrical and electronic

ECU electronic control unit

OBD

on-board diagnostic

OEM 

PM permission

RC recommendation

RQ 

RASIC responsible, accountable, supporting, informed, consulted

TARA threat analysis and risk assessment

WP work product

4 General considerations

               



interacts with its operational environment.

The application of this document is limited to cybersecurity-relevant items and components of a series



--`,`,,,,,,,``,,,``,,``,,,,````,-`-`,,`,,`,`,,`---

ISO/SAE FDIS 21434:2021(E)

to the vehicle (e.g. back-end servers) can be considered for cybersecurity purposes but are not in the

scope of this document.

This document describes cybersecurity engineering from the perspective of a single item. The suitable

                

this document. For the vehicle as a whole, the vehicle E/E architecture or the set of the cybersecurity

cases of its cybersecurity-relevant items and components can be considered. If cybersecurity activities

described in this document are performed on items and components, then unreasonable vehicle

cybersecurity risk is addressed.

The overall cybersecurity risk management of an organization described in this document applies

throughout all lifecycle phases as illustrated in

Figure 2.

Figure 2 — Overall cybersecurity risk management

Cybersecurity risk management is applied throughout the supply chain to support cybersecurity

 

             

Clause 6). Development partners for a



performed (see Clause 7).

Figure 3 shows the relationship between an item, function, component and related terms.

--`,`,,,,,,,``,,,``,,``,,,,````,-`-`,,`,,`,`,,`---

ISO/SAE FDIS 21434:2021(E)

Figure 3 — Relationship between item, function, component and related terms

Clause 15 describes modular methods for assessment of cybersecurity risk that are invoked in

cybersecurity activities described in other clauses.

  

performed by abstract adversarial actors with malicious intent and the damage that can arise from

the compromise of cybersecurity of the vehicle E/E systems. Coordination between cybersecurity

            

of some threat scenarios (cf. ISO/TR 4804

6

). Cybersecurity monitoring, remediation and incident

response activities complement concept and product development activities as a reactive approach

acknowledging the changing conditions in the environment (e.g. new attack technologies) and the

ongoing need to identify and manage weaknesses and vulnerabilities in road vehicle E/E systems.

A defence-in-depth approach can be used to mitigate cybersecurity risk. The defence-in-depth approach

utilizes layers of cybersecurity controls to improve the cybersecurity of the vehicle. If an attack is able

to penetrate or bypass one layer, another layer can help contain the attack and maintain protection of

the assets.

5 Organizational cybersecurity management

5.1 General

To enable cybersecurity engineering, the organization institutes and maintains cybersecurity

governance and a cybersecurity culture, including cybersecurity awareness management, competence

         

processes that are independently audited against the objectives of this document.

To support cybersecurity engineering, the organization implements management systems for



5.2 Objectives

The objectives of this clause are to:

 

           



c) support the implementation of cybersecurity, including the provision of resources and the



--`,`,,,,,,,``,,,``,,``,,,,````,-`-`,,`,,`,`,,`---

ISO/SAE FDIS 21434:2021(E)

d) institute and maintain a cybersecurity culture, including competence management, awareness



 

 

 

 

i) provide evidence that the use of tools does not adversely affect cybersecurity.

5.3 Inputs

5.3.1 Prerequisites

None.

5.3.2 Further supporting information

The following information can be considered:

 

EXAMPLE IATF 16949

7

in conjunction with ISO 9001

8

, ISO 10007

9

, Automotive SPICE

, the

ISO/IEC 33001 series

10

, ISO/IEC/IEEE 15288

11

and ISO/IEC/IEEE 12207

12

5.4 Requirements and recommendations

5.4.1 Cybersecurity governance

[RQ-05-01]

 

 

NOTE 1 The cybersecurity policy can include links to the organization’s objectives and other policies.

NOTE 2 The cybersecurity policy can include a statement regarding the risk treatment of generic threat

             



[RQ-05-02] The organization shall establish and maintain rules and processes to:

 

 

 

 

NOTE 4 Rules and processes cover concept, product development, production, operation, maintenance, and

decommissioning, including TARA methods, information sharing, cybersecurity monitoring, cybersecurity

incident response, and triggers.

 



14

1) Automotive SPICE

13



the convenience of users of this document and does not constitute an endorsement by ISO of these products.

--`,`,,,,,,,``,,,``,,``,,,,````,-`-`,,`,,`,`,,`---

ISO/SAE FDIS 21434:2021(E)

NOTE 6 Figure 4





Figure 4 — Cybersecurity governance

[RQ-05-03] The organization shall assign and communicate the responsibilities and corresponding

organizational authority to achieve and maintain cybersecurity.

NOTE 7 This relates to organizational as well as to project-dependent activities.

[RQ-05-04] The organization shall provide the resources to address cybersecurity.

NOTE 8 Resources include the persons responsible for cybersecurity risk management, development, and

incident management.

EXAMPLE 2 Skilled personnel and suitable tools to perform cybersecurity activities.

[RQ-05-05] The organization shall identify disciplines related to, or interacting with, cybersecurity

and establish and maintain communication channels between those disciplines in order to:

 

 

NOTE 9 Disciplines include information technology security, functional safety, and privacy.

 

— threat scenarios and hazard (cf. ISO 26262-1:2018

1



— cybersecurity goals and safety goals (cf. ISO 26262-1:2018

1



  

1:2018

1

, 3.69).

NOTE 10 Coordination can include sharing of processes and using strategies and tools between disciplines.

5.4.2 Cybersecurity culture

[RQ-05-06] The organization shall foster and maintain a strong cybersecurity culture.

NOTE 1 See 

[RQ-05-07] The organization shall ensure that persons to which cybersecurity roles and responsibilities



NOTE 2 A competence, awareness and training program can include:

         



— organizational rules and processes regarding disciplines related to cybersecurity, such as functional safety



--`,`,,,,,,,``,,,``,,``,,,,````,-`-`,,`,,`,`,,`---

剩余91页未读，继续阅读

an334646743

粉丝: 0
资源: 4

ISO/SAE 21434：2021汽车网络安全国际标准概览

ISO SAE 21434-2021 中文版-道路车辆－网络安全工程

ISO SAE 21434-2021 Road vehicles - Cybersecurity engineering英文原版

ISO/SAE_21434-2021_Road vehicles-Cybersecurity engineering

sfr_iso_fdis

patton_copula_toolbox/fdis_cdf.m

基于纯transformer的遥感影像变化检测

transformer基于像素级的变化检测

ISO-21434.pdf

ISO SAE 21434.DIS 2020.02.12.pdf

ISO SAE 21434-2021中文 道路车辆 - 网络安全工程.pdf

ISO SAE 21434-2021 Road vehicles - Cybersecurity engineering.pdf

ISOSAE21434.D1-2020SAE美国汽车标准全文下载.pdf

ISO SAE 21434-2021.pdf

标准ISO7810.pdf

车联网安全标准ISO-21434.pdf

ISO-965-3-2021.pdf

ISO9001：2015 FDIS版本

ISO21434、ISO26262-道路车辆功能安全、网络安全工程（最新中英文版合集）.zip

BS ISO-SAE 21434-2021

ISO FDIS 3691-4.pdf

最新资源

ISO SAE 21434-2021中文道路车辆 - 网络安全工程.pdf