
ISO/SAE 21434 Consulting Services

When it comes to the cybersecurity of vehicles, the ultimate stakeholders are the road users.  It is critically important they have confidence in the amazing new innovations and technologies becoming widely available such as electrification, autonomous driving, and 5G connectivity.  It is a must that these technologies are cyber-secure. 

Cyber-secure vehicles require an extension of trust and assurance across the complex automotive supply chain, from semiconductor suppliers to Tier 1s, OEMs, and finally to the consumer.  

BG Networks collaborates with companies throughout the supply chain and helps to extend trust with a complete set of cybersecurity services including:

  • The application of ISO/SAE 21434 processes
  • Software developments that take advantage of secure silicon features
  • Software testing
  • Post-development secure key and software management.

NHTSA has updated their Cybersecurity Best Practices for the Safety of Modern Vehicles. We have taken a close look and can help ensure that your implementation of ISO/SAE 21434 also addresses NHTSA’s general and technical best practices. For more information on the alignment between NHTSA’s guidance and ISO/SAE 21434, see our article “Does Implementation of ISO/SAE 21434 Bring NHTSA’s Cybersecurity Best Practices Along for the Ride?”


Risks – Threats – Vulnerabilities

BG Networks provides services for ISO/SAE 21434 risk assessment methods from asset identification to helping with the risk management and risk treatment decision. 

We can provide a top-down, STRIDE-based set of threat scenarios or can apply a bottom-up vulnerability analysis. In a vulnerability analysis, what we will look for includes:

GENERAL VULNERABILITIES

  • Buffer overflow
  • Code injection
  • Denial of service
  • Exploitation of CVEs
  • Incorrect default permissions
  • Improper access control
  • Improper authentication
  • Improper input validation
  • Man-in-the-middle attacks
  • Use of hard-coded credentials
  • Weak cryptographic implementations
  • Software version rollback
  • Improper key and software management
  • Introduction of vulnerabilities from 3rd party devices

SPECIFIC VULNERABILITIES

  • Unauthenticated code executed after boot
  • Debug ports not closed (JTAG, USB, UART)
  • Processor misconfiguration opening a debug port
  • Unencrypted code in flash dumped and reverse engineered
  • Unencrypted software update leads to plain text code listing
  • Hard-coded keys in source code used to decrypt user certificates
  • Unused and unprotected RAM
  • Kicking the watchdog
  • Abuse of diagnostic management features
  • Fixing vulnerabilities throughout the chain of distribution
  • Safety critical messages that are not authenticated
  • Direct interfaces between wireless and safety critical ECUs
  • Manipulation of sensor signals for autonomous vehicle control

From Cybersecurity Goals to Development to Test

Once the risk assessment is completed, we will help with the setting of cybersecurity goals, defining the cybersecurity concept, and refining the requirements.  At that point we will have the understanding needed to implement cybersecurity controls in software.

We focus on the implementation of cybersecurity in resource-constrained embedded processors. The building blocks of cybersecurity include secure boot, secure software updates, secure passwords, authentication, and secure communications, which we will implement using the secure features built into the microprocessor. Code written will be compliant with MISRA C guidelines.

We’ll also provide testing for the code we have written, including static code analysis, coverage testing, interface testing, and resource usage evaluation.  To improve efficiency and coverage, an automated test environment is available. 

Post-Development Secure Key and Software Management

BG Networks offers post-development consulting services for secure key and software management.  In terms of key management, we specialize in helping organizations deploy solutions for cryptographic key generation and distribution, manage private Certificate Authorities (CA), and deploy large scale symmetric and asymmetric key management.  For code signing and software protection we’ll help identify and set up the right controls to keep code secure, to create centrally managed workflows to ensure the correct code is signed/encrypted, and to deploy solutions for code signing with Hardware Security Module (HSM)-based encryption.