
What is ISO 21434? A New Standard for Automotive Cybersecurity

2026-02-22 PopcornSAR
Tags: Cybersecurity, ISO 21434, Automotive SW, CSMS

What is ISO 21434

ISO/SAE 21434:2021 is the international standard for automotive cybersecurity engineering. Published in August 2021, it was jointly developed by ISO (International Organization for Standardization) and SAE International under the official title "Road vehicles — Cybersecurity engineering." The standard targets electrical and electronic (E/E) systems in vehicles, providing a comprehensive cybersecurity framework that spans the entire vehicle lifecycle — from initial concept through development, production, operation, maintenance, and decommissioning.

The automotive industry has long focused on functional safety through ISO 26262, which addresses risks from accidental system failures. However, it does not cover intentional threats from external attackers. As connected vehicles, OTA (Over-the-Air) updates, and V2X (Vehicle-to-Everything) communication become ubiquitous, vehicles have become permanently networked "computers on wheels." ISO 21434 was created specifically to address this new threat landscape.

The standard pursues three core objectives. First, establishing cybersecurity governance at the organizational level. Second, performing systematic security activities at the project level. Third, continuously monitoring and responding to security threats even after vehicle launch. Together, these three pillars form an integrated cybersecurity system covering the complete vehicle lifecycle.

Why Automotive Cybersecurity Matters

The scale of software in modern vehicles is growing exponentially. Premium vehicles can contain over 100 million lines of code, with more than 100 ECUs (Electronic Control Units). As the SDV (Software-Defined Vehicle) trend accelerates, software has become the primary differentiator in vehicle value.

This increase in complexity directly translates to an expanded attack surface. Connected vehicles have numerous external interfaces — telematics, Wi-Fi, Bluetooth, USB, OBD-II ports — each representing a potential intrusion pathway. OTA updates are convenient but the update channel itself can become a target. V2X communication exchanges data between vehicles and infrastructure, creating entirely new threat vectors.

Automotive cybersecurity incidents have already occurred multiple times. Remote hijacking demonstrations have shown attackers taking control of braking and steering systems. Attacks through charging infrastructure and relay attacks on keyless entry systems have been documented. A single security vulnerability can trigger a massive recall and deal devastating damage to brand credibility.

Major OEMs and global Tier1 suppliers already recognize cybersecurity as a core competitive differentiator. Without cybersecurity capabilities, even the best software cannot gain entry to the automotive supply chain.

Structure and Key Requirements of ISO 21434

ISO 21434 is structured around organizational-level and project-level requirements.

Organizational Cybersecurity Management (Clause 5): Organizations must establish cybersecurity policies, rules, and processes. They must build a cybersecurity culture, clearly define roles and responsibilities, and ensure personnel with adequate competencies are in place. The organization must also implement mechanisms for collecting and sharing cybersecurity-relevant information. Solid organizational-level security management is the foundation that enables consistent security activities across individual projects.

Project-Level Cybersecurity Management (Clause 6): Each project must develop a cybersecurity plan and integrate security activities into the project schedule. A Cybersecurity Case document systematically records the results and rationale of all security activities throughout the project.

Distributed Cybersecurity Activities (Clause 7): The automotive industry consists of complex supply chains involving OEMs, Tier1s, Tier2s, and beyond. ISO 21434 requires clear definition of cybersecurity responsibility distribution and interfaces between organizations. Cybersecurity capabilities must be evaluated during supplier selection, and a Cybersecurity Interface Agreement must be established between parties.

Threat Analysis and Risk Assessment — TARA (Clause 15): TARA (Threat Analysis and Risk Assessment) is the core methodology of ISO 21434. The TARA process follows these steps:

  • Asset Identification: Identify assets requiring protection — data, functions, and interfaces.
  • Threat Scenario Identification: Derive possible threat scenarios for each asset. Methodologies such as STRIDE can be applied.
  • Impact Rating: Assess the safety, financial, operational, and privacy impact if a threat is realized.
  • Attack Path Analysis: Analyze the paths through which threats could be executed.
  • Attack Feasibility Rating: Evaluate the feasibility of an attack from the attacker's perspective.
  • Risk Determination: Combine impact and attack feasibility to determine the overall risk level.
  • Risk Treatment Decision: Based on the risk value, decide on the appropriate treatment. ISO 21434 lists four options: avoiding the risk (e.g. removing the risk source through redesign), reducing it (adding controls, which become cybersecurity goals and requirements), sharing it (commonly called transfer, e.g. contractually with a supplier or through insurance), or retaining it (commonly called acceptance) with a documented rationale.

TARA is not a one-time activity. It is performed iteratively throughout development and updated whenever new threat intelligence becomes available. This is a key distinction from functional safety's HARA (Hazard Analysis and Risk Assessment).
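The following worked example ties the TARA steps listed above to the "not a one-time activity" point. It is an added illustration, not code from the original article, from PopcornSAR, or from the standard itself. It rates attack feasibility with the attack-potential approach and combines it with impact using a risk matrix in the style of the informative annexes of ISO/SAE 21434 (Annex G and Annex H, reproduced here from memory, so treat the exact numbers as illustrative; organizations tailor them). The brake-ECU scenario, its attack path parameters, and the treatment policy in treatment() are all constructed for the example. Running it shows how a newly published exploit kit for the telematics unit drops the attack potential and pushes the same scenario from risk value 2 to 5.

```python
"""Worked TARA risk determination (added example; not from the original page).

Parameter tables follow the attack-potential approach and the example risk
matrix of ISO/SAE 21434's informative annexes as recalled here; the threat
scenario and ratings below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Attack potential parameters (Annex G style). Higher sum = harder attack.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]   # ascending severity
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]      # ascending feasibility

# Example risk matrix (Annex H style): RISK_MATRIX[impact][feasibility] -> risk value 1..5
RISK_MATRIX = {
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
}


@dataclass
class AttackPath:
    description: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        """Sum of the five attack potential parameters for this path."""
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])


def feasibility_from_potential(potential: int) -> str:
    """Map attack potential to an attack feasibility rating (Annex G style bands)."""
    if potential < 14:
        return "high"
    if potential < 20:
        return "medium"
    if potential < 25:
        return "low"
    return "very low"


@dataclass
class ThreatScenario:
    asset: str
    description: str
    impact: dict                       # {"safety"|"financial"|"operational"|"privacy": level}
    attack_paths: list = field(default_factory=list)

    def overall_impact(self) -> str:
        # Assumption: the scenario's impact is the worst of the S/F/O/P categories.
        return max(self.impact.values(), key=IMPACT_LEVELS.index)

    def overall_feasibility(self) -> str:
        # A scenario is as feasible as its easiest attack path.
        ratings = [feasibility_from_potential(p.attack_potential()) for p in self.attack_paths]
        return max(ratings, key=FEASIBILITY_LEVELS.index)

    def risk_value(self) -> int:
        return RISK_MATRIX[self.overall_impact()][self.overall_feasibility()]


def treatment(risk: int) -> str:
    """Assumed organizational policy mapping risk value to the ISO 21434 treatment options."""
    if risk <= 1:
        return "retain"
    if risk == 2:
        return "reduce or share"
    if risk <= 4:
        return "reduce"
    return "avoid or redesign"


def example_scenarios():
    """Same constructed scenario before and after new threat intelligence."""
    impact = {"safety": "severe", "financial": "major",
              "operational": "major", "privacy": "negligible"}
    # Initial rating: attacker needs months, expert skill, confidential knowledge
    # of the update format and a specialized bench setup.
    initial = ThreatScenario(
        asset="Brake ECU firmware image",
        description="Tampering: attacker installs modified firmware through the OTA path",
        impact=impact,
        attack_paths=[AttackPath("Internet -> telematics unit -> gateway -> brake ECU",
                                 "<=6 months", "expert", "confidential", "unlimited", "specialized")],
    )
    # Re-rated after a public exploit kit for the telematics unit appears:
    # knowledge is now public, equipment standard, time and expertise drop.
    rerated = ThreatScenario(
        asset=initial.asset, description=initial.description, impact=impact,
        attack_paths=[AttackPath("Internet -> telematics unit (public exploit kit) -> gateway -> brake ECU",
                                 "<=1 week", "proficient", "public", "unlimited", "standard")],
    )
    return initial, rerated


if __name__ == "__main__":
    for label, s in zip(("initial", "re-rated"), example_scenarios()):
        ap = s.attack_paths[0].attack_potential()
        print(f"{label}: attack potential={ap}, feasibility={s.overall_feasibility()}, "
              f"impact={s.overall_impact()}, risk={s.risk_value()} -> {treatment(s.risk_value())}")
```

The impact rating never changes between the two runs; only the attack feasibility does, which is exactly why the TARA has to be re-run when new threat intelligence or published tooling arrives. A real TARA worksheet would also record the STRIDE category, the rationale for each parameter value, and the cybersecurity goal or claim that results from the treatment decision.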

Beyond TARA, ISO 21434 defines cybersecurity requirements for every phase of the vehicle lifecycle: continual cybersecurity activities such as monitoring, event evaluation, and vulnerability analysis and management (Clause 8), the concept phase (Clause 9), product development (Clause 10), cybersecurity validation (Clause 11), production (Clause 12), operations and maintenance (Clause 13), and end of cybersecurity support and decommissioning (Clause 14).

Building a CSMS

A CSMS (Cyber Security Management System) is a systematic management framework for organizational automotive cybersecurity. It is the practical realization of ISO 21434's organizational-level requirements and the key element designated for certification under the UN R155 regulation.

Core Elements of a CSMS:

  • Policy: Define the organization's cybersecurity policy, objectives, and direction. Executive commitment and support must be reflected.
  • Process: Establish concrete procedures for threat analysis, risk assessment, security requirements management, vulnerability management, and incident response.
  • Tools: Build a toolchain supporting security activities — TARA tools, vulnerability scanners, SIEM (Security Information and Event Management), intrusion detection systems, and more.
  • People: Secure cybersecurity specialists and conduct security awareness training for all employees. Appoint a dedicated Cybersecurity Manager.

CSMS Implementation Stages:

  • Stage 1 — Current State Analysis: Assess the organization's current cybersecurity maturity. Identify gaps in existing processes, tools, and personnel.
  • Stage 2 — Framework Design: Design a CSMS framework aligned with ISO 21434 requirements. Define policies, processes, and organizational structure.
  • Stage 3 — Implementation: Put the designed framework into practice. Document processes, deploy tools, and train personnel.
  • Stage 4 — Operation and Improvement: Apply the CSMS to actual projects, monitor outcomes, and continuously improve.

Difference from ISO 27001: ISO 27001 is the general IT information security management system standard. While it may seem similar in purpose to ISO 21434's CSMS, there are critical differences. ISO 27001 focuses on protecting an organization's information assets, whereas ISO 21434's CSMS is specifically tailored to vehicle and component cybersecurity. ISO 27001 lacks the vehicle lifecycle concept and does not include automotive-specific threat analysis methodologies like TARA. That said, organizations already certified under ISO 27001 can leverage that experience and structure when building their CSMS.

Relationship with UN R155/R156

UN R155 and R156 are automotive cybersecurity regulations from the United Nations Economic Commission for Europe (UNECE). If ISO 21434 is a "standard," then UN R155/R156 are "regulations" — understanding this distinction is critical.

UN R155 — Mandatory CSMS Certification: UN R155 requires vehicle manufacturers (OEMs) to hold a Certificate of Compliance for their CSMS. The assessment is carried out by the approval authority or a Technical Service acting on its behalf, and without the certificate a vehicle type cannot receive Type Approval in regions that apply the regulation. In the EU, this became mandatory for new vehicle types in July 2022 and for all newly registered vehicles in July 2024.

UN R156 — SUMS (Software Update Management System): R156 regulates software update management systems. It requires management frameworks ensuring that all software updates — including OTA — are performed securely. Together with R155's CSMS requirements, it ensures security across the entire vehicle lifecycle.

ISO 21434 and UN R155: ISO 21434 is not UN R155. Complying with ISO 21434 does not automatically grant R155 certification. However, ISO 21434 serves as the de facto framework for meeting R155's CSMS requirements. Most certification bodies use ISO 21434 compliance as a core criterion for R155 certification. In practice, achieving R155 certification requires an ISO 21434-level cybersecurity framework.

Regional Status:

  • EU: The most advanced region. R155/R156 compliance has been mandatory for all new vehicles since July 2024.
  • South Korea: As a UNECE 1958 Agreement member, Korea has adopted R155/R156. The Ministry of Land, Infrastructure and Transport has published automotive cybersecurity guidelines, and domestic OEMs and Tier1 suppliers are actively building their CSMS.
  • Japan: Also a UNECE 1958 Agreement member; it has adopted R155/R156 into its domestic type-approval regime and applies them in phases.
  • China: Not a UNECE Agreement member, but developing its own cybersecurity standards based on GB/T (e.g., GB/T 40857). China references ISO 21434 while building an independent framework.

Relationship Between ISO 26262 and ISO 21434

ISO 26262 (Functional Safety) and ISO 21434 (Cybersecurity) form the two main pillars of automotive software development standards. Understanding their relationship clearly is essential.

Functional Safety vs. Cybersecurity: ISO 26262 addresses risks from accidental system failures — random failures and systematic failures. For example, a software bug in a brake ECU causing brake failure. ISO 21434 addresses intentional threats from malicious external attackers. For example, a hacker infiltrating the vehicle network and disabling the brakes.

Complementary Relationship: The two standards address different threats but ultimately protect the same systems. A braking system that perfectly meets ISO 26262 functional safety requirements is not truly safe if it can be neutralized by a cyber attack. Conversely, even perfect cybersecurity under ISO 21434 does not help if the system malfunctions due to a software bug. Modern vehicles require both standards.

In practice, activities under both standards cross-reference each other. ISO 26262's HARA (Hazard Analysis) results feed into ISO 21434's TARA, and cybersecurity threats identified in TARA that affect safety are reflected back into HARA.

Integration with ASPICE 4.0: ASPICE 4.0, released in 2023, added cybersecurity processes as a new process area. This signals that ASPICE, ISO 26262, and ISO 21434 are converging into a unified framework. It reflects the industry's recognition that functional safety and cybersecurity are not separate concerns but must be integrated under a single overarching goal of vehicle safety.

PopcornSAR's Cybersecurity Response

PopcornSAR provides tools and services supporting the entire automotive software development process, including practical cybersecurity capabilities.

PARVIS Tools: PARVIS is an AI-powered integrated platform for automotive software development. It connects requirements analysis through code generation, testing, and verification in a single workflow. PARVIS-Coder automatically applies secure coding rules to reduce code-level vulnerabilities. PARVIS-Verify auto-generates test cases for security requirements and ensures verification coverage. The platform can also be leveraged for generating ISO 21434-required artifacts, systematically managing the traceability of security requirements derived from TARA results.

ASPICE 4.0 Consulting: With cybersecurity added as a new process area in ASPICE 4.0, ISO 21434 compliance now impacts ASPICE assessments as well. PopcornSAR's consulting services support integrated process design that addresses ASPICE, ISO 26262, and ISO 21434 simultaneously. By mapping the requirements of all three standards into a single development process, the approach minimizes redundant work while satisfying all compliance obligations.

If you are unsure where to begin with cybersecurity compliance, PopcornSAR can support you step by step — from current state analysis through CSMS construction, TARA execution, and tool adoption. Contact us to discuss a tailored strategy for your organization.

Frequently Asked Questions

Is ISO 21434 legally mandatory?
ISO 21434 itself is a voluntary standard, but UN R155 mandates CSMS certification, and ISO 21434 is the de facto framework for meeting its requirements. In the EU, R155 has applied to all new vehicles since July 2024.
What is the difference between ISO 21434 and ISO 26262?
ISO 26262 addresses hazards caused by system failures (functional safety); ISO 21434 addresses hazards caused by malicious cyber attacks (cybersecurity). The two standards are complementary, and modern vehicles need both.
What is TARA?
TARA (Threat Analysis and Risk Assessment) is the core methodology of ISO 21434: a process for systematically identifying cyber threats to vehicle systems and rating their risk level.
Do small Tier2 suppliers also need to comply with ISO 21434?
Every organization involved in designing, developing, or maintaining E/E systems is in scope. OEMs increasingly impose cybersecurity requirements across the whole supply chain, so Tier2 suppliers also need to prepare.