ISO/SAE 21434 — Automotive Cybersecurity Engineering
How ISO/SAE 21434 cybersecurity engineering concepts and TARA artefacts relate to NexoGraph.
ISO/SAE 21434:2021 (Road vehicles — Cybersecurity engineering) is the joint ISO/SAE standard that defines cybersecurity engineering activities for road vehicles across the full product lifecycle — from concept through decommissioning. It is structurally parallel to ISO 26262: where 26262 manages safety risk from random hardware failures, 21434 manages cybersecurity risk from intentional adversarial attacks.
ISO/SAE 21434 also underpins UNECE WP.29 Regulation 155, which mandates a Cybersecurity Management System (CSMS) for type approval of new vehicle categories in Europe, Japan, and South Korea.
Cybersecurity Lifecycle
The lifecycle mirrors ISO 26262 but adds a continuous monitoring obligation during production and operations — because cybersecurity threats evolve after product launch.
TARA — Threat Analysis and Risk Assessment
TARA is the 21434 equivalent of HARA in ISO 26262. It identifies attack scenarios and derives Cybersecurity Goals.
TARA Steps
Attack Feasibility
Attack feasibility is scored across five factors (Annex E):
| Factor | Description |
|---|---|
| Elapsed time | Time required to execute the attack |
| Specialist expertise | Level of knowledge needed (layman → expert) |
| Knowledge of item | Familiarity with the specific implementation required |
| Window of opportunity | Physical/logical access window available |
| Equipment | Cost and availability of required tools |
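Scoring the five factors in practice, as an added example (not NexoGraph code and not the standard's text): each factor level maps to a point value, the points are summed to an attack potential, and the sum is bucketed into a feasibility rating. The level names, point values and the two sample attack paths are constructed here, modelled on the attack-potential approach; check the numbers against the annex tables in your copy of ISO/SAE 21434 before relying on them.

```python
from dataclasses import dataclass

# Illustrative point tables (assumed values modelled on the attack-potential approach).
FACTOR_POINTS = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "specialist_expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge_of_item": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window_of_opportunity": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}

@dataclass(frozen=True)
class AttackPath:
    name: str
    elapsed_time: str
    specialist_expertise: str
    knowledge_of_item: str
    window_of_opportunity: str
    equipment: str

def attack_potential(path: AttackPath) -> int:
    """Sum the per-factor points; reject an unknown level instead of silently scoring it 0."""
    total = 0
    for factor, table in FACTOR_POINTS.items():
        level = getattr(path, factor)
        if level not in table:
            raise ValueError(f"{path.name}: unknown {factor} level {level!r}")
        total += table[level]
    return total

def feasibility_rating(points: int) -> str:
    """More attacker effort (higher points) means lower attack feasibility."""
    if points <= 13:
        return "High"
    if points <= 19:
        return "Medium"
    if points <= 24:
        return "Low"
    return "Very low"

# Constructed sample paths for a hypothetical telematics ECU.
SAMPLE_PATHS = [
    AttackPath("Remote access via exposed telematics interface", "<=1 week", "proficient", "public", "unlimited", "standard"),
    AttackPath("Bench access to an internal debug interface", "<=1 month", "expert", "confidential", "difficult", "bespoke"),
]

def rate_all(paths=SAMPLE_PATHS) -> dict:
    """Map each path name to (attack potential points, feasibility rating)."""
    return {p.name: (attack_potential(p), feasibility_rating(attack_potential(p))) for p in paths}
```

The remotely reachable path with public knowledge and standard tools rates High, while the bench path needing an expert, confidential knowledge and bespoke equipment rates Very low; the risk value then comes from combining this rating with the impact rating of the damage scenario.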
Cybersecurity Assurance Level (CAL)
CAL 1–4 is derived from the TARA risk determination, analogous to ASIL A–D:
| CAL | Risk level | Required rigor |
|---|---|---|
| CAL 1 | Low | Minimum documented evidence |
| CAL 2 | Medium | Moderate testing and verification |
| CAL 3 | High | Thorough analysis, fuzz testing |
| CAL 4 | Critical | Most rigorous — formal methods, penetration testing |
Key Artefacts
| Artefact | Definition | NexoGraph entity |
|---|---|---|
| Cybersecurity Goal (CG) | Top-level security requirement derived from TARA | Requirement (reqCat: SECURITY, reqType: STAKEHOLDER) |
| Cybersecurity Claim | Derived requirement that supports a CG | Requirement (reqType: SYSTEM) |
| Cybersecurity Requirement (CR) | Implementation-level security requirement | Requirement (reqType: SOFTWARE/HARDWARE) |
| Asset | Data or function with security value | Gap — no Asset entity type |
| Threat scenario | Description of a potential attack | Gap — no Threat entity type |
| Damage scenario | Consequence of a successful attack | Gap — no Damage entity type |
| Attack path | Attack steps and feasibility scoring | Gap — no Attack entity type |
NexoGraph Alignment
| ISO/SAE 21434 concept | NexoGraph implementation |
|---|---|
| Stakeholder (vehicle owner, operator, regulator) | Stakeholder — category: CUSTOMER/REGULATORY |
| Cybersecurity Goal | Requirement (reqCat: SECURITY, reqType: STAKEHOLDER) |
| Derived cybersecurity requirements | Requirement hierarchy via Package decomposition |
| Requirement priority | priority field (CRITICAL/HIGH/MEDIUM/LOW) |
| Requirement rationale | rationale field |
| Requirement source | source field |
| Lifecycle governance | Lifecycle service — draft → review → approved; change approval process |
| Bidirectional traceability | REFINES_INTO and SATISFIED_BY relations cover the upstream need → requirement → capability chain |
| Supply chain cybersecurity interface | Stakeholder (category: SUPPLIER) + requirement allocation |
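A check an assessor will want on the traceability chain above, as an added example that is not NexoGraph's own API: the field and relation names (reqCat, reqType, priority, rationale, source, REFINES_INTO, SATISFIED_BY) are taken from the tables on this page, while the in-memory graph, the node ids and the check itself are constructed here. It walks every SECURITY requirement and reports goals with no derived requirements, leaf requirements not allocated to a capability, and missing rationale or source.

```python
from collections import defaultdict

# Constructed sample: one Cybersecurity Goal refined down to implementation-level requirements.
NODES = {
    "CG-1": {"kind": "Requirement", "reqCat": "SECURITY", "reqType": "STAKEHOLDER", "priority": "CRITICAL",
             "rationale": "TARA: spoofed brake command damage scenario", "source": "TARA-EXAMPLE"},
    "SYS-1": {"kind": "Requirement", "reqCat": "SECURITY", "reqType": "SYSTEM", "priority": "CRITICAL",
              "rationale": "Brake commands shall be authenticated", "source": "CG-1"},
    "SW-1": {"kind": "Requirement", "reqCat": "SECURITY", "reqType": "SOFTWARE", "priority": "HIGH",
             "rationale": "", "source": "SYS-1"},  # rationale left empty on purpose
    "HW-1": {"kind": "Requirement", "reqCat": "SECURITY", "reqType": "HARDWARE", "priority": "HIGH",
             "rationale": "Keys held in the HSM", "source": "SYS-1"},
    "CAP-1": {"kind": "Capability"},
}
EDGES = [
    ("CG-1", "REFINES_INTO", "SYS-1"), ("SYS-1", "REFINES_INTO", "SW-1"),
    ("SYS-1", "REFINES_INTO", "HW-1"), ("SW-1", "SATISFIED_BY", "CAP-1"),
]  # HW-1 deliberately has no SATISFIED_BY edge

def _outgoing(edges):
    """Index edges as (source, relation) -> set of targets."""
    out = defaultdict(set)
    for src, rel, dst in edges:
        out[(src, rel)].add(dst)
    return out

def traceability_findings(nodes=NODES, edges=EDGES) -> list[str]:
    """One finding per break in the cybersecurity goal -> requirement -> capability chain."""
    out = _outgoing(edges)
    findings = []
    for nid, n in nodes.items():
        if n.get("reqCat") != "SECURITY":
            continue  # only cybersecurity requirements are in scope here
        refined = out[(nid, "REFINES_INTO")]
        satisfied = out[(nid, "SATISFIED_BY")]
        if n["reqType"] == "STAKEHOLDER" and not refined:
            # A Cybersecurity Goal with nothing below it is unaddressed.
            findings.append(f"{nid}: cybersecurity goal has no derived requirements")
        elif not refined and not satisfied:
            # A leaf requirement must be allocated to something that realises it.
            findings.append(f"{nid}: leaf requirement not SATISFIED_BY any capability")
        for field in ("rationale", "source"):
            if not n.get(field):
                # rationale/source carry the link back to the TARA that an assessor asks for.
                findings.append(f"{nid}: missing {field}")
    return findings
```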
Gap Analysis
| Gap | ISO/SAE 21434 clause | Status |
|---|---|---|
| CAL attribute on Requirement | §9.5 | Planned — analogous to ASIL on safety requirements |
| Asset inventory entity | §15.3 | Not modelled — dedicated entity type required |
| Threat scenario entity | §15.4 | Not modelled — TARA artefacts have no first-class representation |
| Damage scenario entity | §15.5 | Not modelled |
| Attack path analysis | §15.6–15.7 | Not modelled |
| Cybersecurity interface agreement | §7.4.3 | Not modelled — supply chain artefact |
| Incident response tracking | §13 | Not modelled |
| CSMS policy artefacts | §5 | Not modelled — organizational level, not project level |
Relationship to ISO 26262 and IEC 62443
For connected or automated vehicles, all three standards may apply simultaneously:
| Standard | Threat model | Domain |
|---|---|---|
| ISO 26262 | Random hardware faults | Automotive functional safety |
| ISO/SAE 21434 | Intentional adversarial attacks | Automotive cybersecurity |
| IEC 62443 | Attacks on industrial control systems | Vehicle manufacturing / infrastructure |
Cybersecurity threats can create safety risks — a compromised brake controller is both a 21434 and a 26262 issue. NexoGraph's shared requirement model and traceability layer allow safety goals and cybersecurity goals to be cross-referenced, surfacing these intersections explicitly.