UNECE, the United Nations Economic Commission for Europe, published two regulations concerning vehicle cybersecurity (R155) and software updates (R156). While the SAE/ISO 21434 standard is not specifically mandated by these regulations, it offers support for developing a solid Cyber Security Management System (CSMS), resulting in the secure development of automotive products. As secure products are slowly becoming the norm in the automotive market, fulfilling the requirements of this standard in the most efficient way will provide a competitive advantage in the UNECE-regulated market.
Riscure is a recognized security analysis and testing laboratory with experience in the security of individual components (SOC, ECU microcontroller, mobile and server applications, etc.) as well as security-focused technologies (TEE/OS, communication protocols, secure boot, cryptographic functionality, and robustness of countermeasures). Riscure offers a variety of cyber security services that fulfill different security work products as defined in the SAE/ISO 21434 standard.
- Riscure offers expert support for security aspects of TARA, supporting the phases of asset identification, threat scenario identification, attack path analysis, attack feasibility rating, and risk value determination/treatment (sections 09 and 15 of SAE/ISO 21434).
- Riscure offers management of security-related requirements with respect to the correctness and completeness of cyber security objectives, goals, and claims (section 09 of SAE/ISO 21434).
- Riscure performs design reviews to verify that security requirements are fulfilled with respect to the absence of design-level vulnerabilities.
- Riscure evaluates the security of the code using a combination of security tools (fuzzing, variant analysis, static analysis) and manual code review (section 10 of SAE/ISO 21434).
- Riscure performs penetration testing (PenTest) for the product’s specific Component Assurance Level (CAL) as described in Annex E of the ISO 21434 standard. Testing methods are based on the scope of testing as agreed with the customer, their TARA, security objectives, and claims, and on the guidance from the standard (sections 10, 11, and Annex E of SAE/ISO 21434).

Riscure has performed more than 50 security evaluation projects for over 25 customers, including:
- Source code reviews for Tier 1s and Tier 2s
- Architecture/design reviews for Tier 1s and Tier 2s
- Design reviews and secure boot reviews on chipsets for Top-10 semiconductor powerhouses
- Vulnerability analysis and penetration testing for Tier 1 solutions