
ISO_SAE_DIS_21434(en).pdf

Licensed to Desay SV Automotive Singapore Pte. Ltd. / Tze Wan Foo (tzewan.foo@desay-svautomotive.com) ISO Store Order: OP-426024 / Downloaded: 2020-02-20 Single user licence only, copying and networking prohibited.

DRAFT INTERNATIONAL STANDARD
ISO/SAE DIS 21434

ISO/TC 22/SC 32
Secretariat: JISC
Voting begins on: 2020-02-12
Voting terminates on: 2020-05-06

Road vehicles — Cybersecurity engineering

ICS: 43.040.15

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

This document is circulated as received from the committee secretariat.

Reference number ISO/SAE DIS 21434:2020(E)
© ISO/SAE International 2020
COPYRIGHT PROTECTED DOCUMENT

© ISO/SAE International 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced, or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO or SAE International at the respective address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org

SAE International
400 Commonwealth Dr.
Warrendale, PA, USA 15096
Phone: 877-606-7323 (inside USA and Canada)
Phone: +1 724-776-4970 (outside USA)
Fax: 724-776-0790
Email: CustomerService@sae.org
Website: www.sae.org

Published in Switzerland by ISO, published in the USA by SAE International
CONTENTS

1. SCOPE
2. NORMATIVE REFERENCES
3. TERMS AND ABBREVIATIONS
3.1 Terms and Definitions
3.2 Abbreviated Terms
4. GENERAL CONSIDERATIONS
5. OVERALL CYBERSECURITY MANAGEMENT
5.1 General
5.2 Objectives
5.3 Inputs
5.3.1 Prerequisites
5.3.2 Further Supporting Information
5.4 Requirements and Recommendations
5.4.1 Cybersecurity Governance
5.4.2 Cybersecurity Culture
5.4.3 Cybersecurity Risk Management
5.4.4 Organizational Cybersecurity Audit
5.4.5 Information Sharing
5.4.6 Management Systems
5.4.7 Tool Management
5.4.8 Information Security Management
5.5 Work Products
6. PROJECT DEPENDENT CYBERSECURITY MANAGEMENT
6.1 General
6.2 Objectives
6.3 Inputs
6.3.1 Prerequisites
6.3.2 Further Supporting Information
6.4 Requirements and Recommendations
6.4.1 Cybersecurity Responsibilities and Their Assignment
6.4.2 Cybersecurity Planning
6.4.3 Tailoring of the Cybersecurity Activities
6.4.4 Reuse
6.4.5 Component Out of Context
6.4.6 Off-the-Shelf Component
6.4.7 Cybersecurity Case
6.4.8 Cybersecurity Assessment
6.4.9 Release for Post-Development
6.5 Work Products
7. CONTINUOUS CYBERSECURITY ACTIVITIES
7.1 General
7.2 Objectives
7.3 Cybersecurity Monitoring
7.3.1 Inputs
7.3.2 Requirements and Recommendations
7.3.3 Work Products
7.4 Cybersecurity Event Assessment
7.4.1 Inputs
7.4.2 Requirements and Recommendations
7.4.3 Work Products
7.5 Vulnerability Analysis
7.5.1 Inputs
7.5.2 Requirements and Recommendations
7.5.3 Work Products
7.6 Vulnerability Management
7.6.1 Inputs
7.6.2 Requirements and Recommendations
7.6.3 Work Products
8. RISK ASSESSMENT METHODS
8.1 General
8.2 Objectives
8.3 Asset Identification
8.3.1 Inputs
8.3.2 Requirements and Recommendations
8.3.3 Work Products
8.4 Threat Scenario Identification
8.4.1 Inputs
8.4.2 Requirements and Recommendations
8.4.3 Work Products
8.5 Impact Rating
8.5.1 Inputs
8.5.2 Requirements and Recommendations
8.5.3 Work Products
8.6 Attack Path Analysis
8.6.1 Inputs
8.6.2 Requirements and Recommendations
8.6.3 Work Products
8.7 Attack Feasibility Rating
8.7.1 Inputs
8.7.2 Requirements and Recommendations
8.7.3 Work Products
8.8 Risk Determination
8.8.1 Inputs
8.8.2 Requirements and Recommendations
8.8.3 Work Products
8.9 Risk Treatment Decision
8.9.1 Inputs
8.9.2 Requirements and Recommendations
8.9.3 Work Products
9. CONCEPT PHASE
9.1 General
9.2 Objectives
9.3 Item Definition
9.3.1 Inputs
9.3.2 Requirements and Recommendations
9.3.3 Work Products
9.4 Cybersecurity Goals
9.4.1 Inputs
9.4.2 Requirements and Recommendations
9.4.3 Work Products
9.5 Cybersecurity Concept
9.5.1 Inputs
9.5.2 Requirements and Recommendations
9.5.3 Work Products
10. PRODUCT DEVELOPMENT
10.1 General
10.2 Objectives
10.3 Inputs
10.3.1 Prerequisites
10.3.2 Further Supporting Information
10.4 Requirements and Recommendations
10.4.1 Refinement of Cybersecurity Requirements and Architectural Design
10.4.2 Integration and Verification
10.4.3 Specific Requirements for Software Development
10.5 Work Products
11. CYBERSECURITY VALIDATION
11.1 General
11.2 Objectives
11.3 Inputs
11.3.1 Prerequisites
11.3.2 Further Supporting Information
11.4 Requirements and Recommendations
11.5 Work Products
12. PRODUCTION
12.1 General
12.2 Objectives
12.3 Inputs
12.3.1 Prerequisites
12.3.2 Further Supporting Information
12.4 Requirements and Recommendations
12.5 Work Products
13. OPERATIONS AND MAINTENANCE
13.1 General
13.2 Objectives
13.3 Cybersecurity Incident Response
13.3.1 Inputs
13.3.2 Requirements and Recommendations
13.3.3 Work Products
13.4 Updates
13.4.1 Inputs
13.4.2 Requirements and Recommendations
13.4.3 Work Products
14. DECOMMISSIONING
14.1 General
14.2 Objectives
14.3 Inputs
14.3.1 Prerequisites
14.3.2 Further Supporting Information
14.4 Requirements and Recommendations
14.5 Work Products
15. DISTRIBUTED CYBERSECURITY ACTIVITIES
15.1 General
15.2 Objectives
15.3 Inputs
15.3.1 Prerequisites
15.3.2 Further Supporting Information
15.4 Requirements and Recommendations
15.4.1 Demonstration and Evaluation of Supplier Capability
15.4.2 Request for Quotation
15.4.3 Alignment of Responsibilities
15.5 Work Products

ANNEX A (INFORMATIVE) SUMMARY OF CYBERSECURITY ACTIVITIES AND WORK PRODUCTS
ANNEX B (INFORMATIVE) EXAMPLES OF CYBERSECURITY CULTURE
ANNEX C (INFORMATIVE) CYBERSECURITY INTERFACE AGREEMENT TEMPLATE EXAMPLE
ANNEX D (INFORMATIVE) CYBERSECURITY RELEVANCE: EXAMPLE METHOD AND CRITERIA
ANNEX E (INFORMATIVE) CYBERSECURITY ASSURANCE LEVELS
ANNEX F (INFORMATIVE) VERIFICATION AND VALIDATION
ANNEX G (INFORMATIVE) EXAMPLE USE CASE AND WORK PRODUCTS: HEADLAMP SYSTEM
ANNEX H (INFORMATIVE) IMPACT RATING FOR SAFETY, FINANCIAL, OPERATIONAL AND PRIVACY DAMAGE
ANNEX I (INFORMATIVE) GUIDELINES FOR DETERMINING ATTACK FEASIBILITY RATING
ANNEX J (INFORMATIVE) MATRICES FOR RISK DETERMINATION
FOREWORD

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

SAE International is a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries. Standards from SAE International are used to advance mobility engineering throughout the world. The SAE Technical Standards Development Program is among the organization's primary provisions to those mobility industries it serves: aerospace, automotive, and commercial vehicle. These works are authorized, revised, and maintained by the volunteer efforts of more than 9,000 engineers, and other qualified professionals from around the world. SAE subject matter experts act as individuals in the standards process, not as representatives of their organizations. Thus, SAE standards represent optimal technical content developed in a transparent, open, and collaborative process.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1 and the SAE Technical Standards Board Policy. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and SAE International shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

SAE Technical Standards Board Rules provide that: “This document is published to advance the state of technical and engineering sciences. The use of this document is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user.”

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was jointly prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 32, Electrical and electronic components and general system aspects, and SAE Vehicle Cybersecurity Systems Engineering Committee.

This first edition of ISO/SAE 21434 cancels and supersedes SAE J3061_201601.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html. Alternatively, to provide feedback on this document, please visit http://standards.sae.org/PRODCODE.