
Ask Our Experts (AOE): What Is ISO 21434 for Automotive?

Microchip expert Todd Slack explains the ISO 21434 standard for the automotive market, what it means for embedded security devices and how it influences product development and processes.



The following question and answer comes from our Ask Our Experts | About Secure Elements playlist on YouTube.

What is ISO 21434? What does it mean to silicon providers like Microchip Technology?

ISO 21434 is a new standard in cyber security of road vehicles. This is a vehicle-level specification. It is ultimately the responsibility of the Original Equipment Manufacturers (OEMs) to prove compliance with the specification. However, everybody has a role to play in proving compliance with ISO 21434. The OEMs will require the tier ones to prove compliance at the module level. Then the tier ones will require companies like Microchip Technology, the tier twos or silicon providers, to also prove compliance. This is an organizational- or procedural-level specification. This is not a product-level specification, so no specific piece of silicon gets certified; rather, it is the organization and its procedures for developing products in a secure manner. For example, those who can access the design databases must prove that this is done in a secure manner. You also have to have risk assessments that are performed at the silicon level. What that means is that the industry has identified vulnerabilities in all sorts of security Integrated Circuits (ICs), with associated attacks that you should protect against. We submit these devices to third-party assessments and get Joint Interpretation Library (JIL) evaluations and Federal Information Processing Standards (FIPS) evaluations to prove that we've gone through the risk assessment.

There's also the requirement that you have a bug reporting capability. That can be through a PSIRT (Product Security Incident Response Team), which we have in place within Microchip Technology across all of our products. External sources or customers can report bugs via this PSIRT portal. We have a team that can evaluate whether or not it is, in fact, a true bug. We also have the ability to have our own applications teams report those bugs internally. Either way, that team would review whether or not it's a true bug and how we then proactively push that communication out to our customers in the field.

This whole process is governed by the Cyber Security Interface Development Agreement, which would be a part of every project that involves either an OEM and a tier one, or a tier one and a tier two like Microchip Technology. Every project award would require that document. ISO 21434 also covers UN Regulation 155, which is the cyber security development process. In order to comply with UN-155, you can go through an audit for ISO 21434 and then cover both. That is where we have all sorts of impact in the automotive world over the next couple of years.

Want More?

To learn more, make sure to check out our CryptoAutomotive™ technology web page. For more information, check out our Ask Our Experts | About Secure Elements playlist on YouTube and our secure elements web page.

Todd Slack, Mar 14, 2023
Tags/Keywords: Security, Automotive and Transportation, Dialectic