Among cybersecurity standards, ISO 62443 and ISO 21434 stand out as pivotal frameworks designed to safeguard industrial and automotive systems, respectively. While both aim to enhance security, they cater to different domains with distinct focuses. For software developers navigating these standards, understanding their similarities and differences can significantly impact how they design and implement secure systems. This blog explores how developers can map their knowledge and practices between ISO 62443 and ISO 21434, facilitating a smoother transition and integration of both frameworks.
Understanding ISO 62443 and ISO 21434
ISO 62443:
This standard is tailored for industrial automation and control systems (IACS). It provides a comprehensive framework to address cybersecurity threats specific to industrial environments. The standard is divided into multiple parts, addressing aspects such as policies and procedures, system requirements, and product development.
ISO 21434:
This standard focuses on cybersecurity in the automotive domain, particularly for road vehicles. It covers the entire lifecycle of vehicle systems, from development to decommissioning, emphasizing the need for secure software development and integration to protect against cyber threats.
Core Similarities
Lifecycle Approach:
- Both standards advocate a lifecycle approach to security. ISO 62443 emphasizes security across the lifecycle of industrial systems, while ISO 21434 extends this principle to the entire lifecycle of automotive systems, including design, production, operation, and end-of-life.
Risk Management:
- Risk management is central to both standards. ISO 62443 outlines risk management practices for industrial systems, focusing on threat and vulnerability assessments. Similarly, ISO 21434 requires risk assessments throughout the automotive system’s lifecycle, ensuring that potential threats are identified and mitigated.
Security by Design:
- Security by design is a fundamental principle in both standards. ISO 62443 promotes designing systems with built-in security features, while ISO 21434 emphasizes incorporating security measures during the vehicle development phase to address emerging threats.
Requirements for Secure Communication:
- Both standards highlight the importance of secure communication. ISO 62443 covers secure communication channels and protocols within industrial networks. ISO 21434 requires secure communication protocols to protect data exchanged between vehicle components.
Key Differences
Each of these phases requires input from multiple team members, all of whom have critical roles in ensuring the automotive cluster is resilient to cyberattacks.
Domain-Specific Requirements:
- ISO 62443: Primarily focused on industrial environments, addressing unique challenges such as SCADA systems, control networks, and operational technology (OT).
- ISO 21434: Tailored to automotive systems, addressing challenges such as vehicle-to-everything (V2X) communications, over-the-air (OTA) updates, and automotive-specific threat vectors.
Focus Areas:
- ISO 62443: Includes detailed requirements for security levels (SL1 to SL4), defining specific security measures based on the system’s security level.
- ISO 21434: Centers on cybersecurity management processes and lifecycle requirements, with a focus on integrating cybersecurity throughout vehicle development and production.
Regulatory and Compliance Context:
- ISO 62443: Often adopted in industries with heavy regulatory requirements, such as manufacturing and utilities.
- ISO 21434: Aligns with automotive industry regulations, such as UNECE WP.29, which mandates compliance with cybersecurity standards for vehicle manufacturers.
Mapping Developer Practices
Risk Assessment and Management:
- ISO 62443: Developers should integrate risk management practices into industrial system design, focusing on identifying threats and vulnerabilities specific to industrial environments.
- ISO 21434: Automotive developers need to incorporate risk management throughout the vehicle lifecycle, considering threats related to V2X communication, in-vehicle networks, and OTA updates.
Secure Development Lifecycle:
- ISO 62443: Emphasizes a secure development lifecycle for industrial products, including secure coding practices, vulnerability management, and regular security testing.
- ISO 21434: Requires a robust secure development lifecycle, including threat modeling, secure coding standards, and comprehensive testing of automotive software components.
Compliance and Documentation:
- ISO 62443: Developers must ensure compliance with specific security levels and document security measures implemented in industrial systems.
- ISO 21434: Requires detailed documentation of cybersecurity measures throughout the vehicle lifecycle, including risk assessments, design decisions, and validation results.
Security Controls and Measures:
- ISO 62443: Developers should implement security controls such as access controls, network segmentation, and intrusion detection within industrial systems.
- ISO 21434: Automotive developers need to incorporate security controls such as secure boot, cryptographic measures, and intrusion detection to protect vehicle systems.
Continuous Improvement:
- ISO 62443: Encourages continuous improvement of security measures based on evolving threats and technological advancements.
- ISO 21434: Emphasizes continuous monitoring and updating of cybersecurity measures to address new vulnerabilities and threats in automotive systems.
Real-World Example
Consider a scenario where a company develops an industrial control system for a manufacturing plant using ISO 62443. The same company is also developing an automotive system using ISO 21434. By understanding the core principles of both standards, developers can apply similar risk management and secure development practices across both domains. For instance, threat modeling and secure coding practices used in industrial systems can be adapted to address automotive-specific threats, such as vulnerabilities in vehicle communication protocols.
Conclusion
Navigating the complexities of ISO 62443 and ISO 21434 requires a sound understanding of each standard’s focus and requirements. By mapping their practices and knowledge between these standards, developers can enhance their ability to design and implement secure systems across both industrial and automotive domains. Embracing the shared principles of lifecycle security, risk management, and secure development, while recognizing domain-specific requirements, will lead to more robust and resilient solutions.
For software developers, the key to success lies in applying a holistic approach to cybersecurity that integrates best practices from both ISO 62443 and ISO 21434. This approach not only strengthens system security but also ensures compliance with evolving industry standards, ultimately contributing to safer and more secure technological advancements.