Addressing the latest and greatest in automotive product security: Arm’s journey toward ISO/SAE 21434

Arm's Automotive Enhanced (AE) products are specifically designed for use in vehicles and to address the unique computing challenges that face the automotive industry. This extends to the important topic of cybersecurity.

Technology advances underpinned by Software-Defined Vehicles (SDVs) provide the ability to continuously upgrade a car with new features throughout its lifetime. These advances include an integrated computing system of hardware and software, which facilitates the communication between components inside the vehicle and the external world.

Vehicles are becoming more complex that a new set of attack surfaces is creating new opportunities for attackers. For example, in 2022 alone, 151 new automotive-related vulnerabilities were reported to the MITRE Common Vulnerabilities and Exposures (CVE) database. This number is 4 times greater than what was reported in 2020¹.

Automotive security regulatory and standardization

The automotive industry and regulatory bodies have taken important steps to overcome the ever-increasing security challenges in automotive cybersecurity. In 2021, European regulators responded with the United Nations Economic Commission (UNECE) WP.29 R155 regulation, in an attempt to raise the cybersecurity bar across the industry.

UNECE WP.29 R155 requires all OEMs operating in UNECE member states to provide evidence of a cybersecurity management system in place. These systems should comprise organizational processes, responsibilities, and governance to address the risks associated with cyber threats.

In response, the automotive industry has joined forces and responded with the ISO/SAE 21434 standard. This standard marks the beginning of a new era in automotive cybersecurity by defining a strong process framework to meet the new regulatory requirements. The ISO/SAE 21434 contributes toward an enhanced and more uniform security posture from all players in the automotive supply chain. This is achieved through introducing a common language for assessing the security of vehicles and their components.

Product security at Arm

Arm’s role as the foundation for the tech industry means our work impacts a variety of computing domains. Billions of deployed devices are built on Arm technology, covering a diverse set of use cases. As a result, we understand that having a strong security position positively impacts the entire tech industry.

For years, Arm has been shipping various architectural security features, which partners can leverage to enhance security in their products. In addition, Arm follows state-of-the-art product security practices to ensure that security risks are managed during the idealization, development, and post-development of all products.

ISO/SAE 21434 support for Arm products

Arm products have long applied product security practices, which have commonalities among many areas described in the ISO/SAE 21434 standard. With multiple existing Arm products being deployed in the computing systems of future vehicles, we understand that supporting our partners in meeting their security compliance needs is paramount for their success.

That is why Arm provides a set of supporting security materials to simplify the integration of our off-the-shelf components into ISO/SAE 21434-compliant designs. These supporting materials are available upon request for select products within the Arm AE IP portfolio.

Arm understands that the automotive market must be able to meet emerging standards, such as the ISO/SAE 21434. Leveraging and adapting our existing product security foundation is crucial in maintaining a solid security position that addresses the standardization needs of the automotive market. That’s why Arm is on a continuous path of innovation to deliver the best ISO/SAE 21434 support in the industry for existing and future products.

Please speak to your assigned Arm sales representative or fill out the Automotive Inquiries Form to find out more about the available supporting materials.

Footnotes

¹ Source: Upstream Security 2023 Global Automotive Cybersecurity Report.