Concept Phase

The Concept Phase of ISO/SAE 21434 is where cybersecurity activities begin in earnest. Its purpose is to identify potential threats, define cybersecurity goals, and establish claims that guide development. This phase sets the foundation for security-by-design across the vehicle lifecycle.

Objectives

  • Perform a Threat Analysis and Risk Assessment (TARA) to identify and evaluate risks.
  • Define cybersecurity goals that mitigate unacceptable risks.
  • Establish cybersecurity claims that communicate high-level protection needs.
  • Allocate responsibilities across systems, subsystems, and stakeholders.

Threat Analysis and Risk Assessment (TARA)

TARA is a structured process that examines assets, potential threats, vulnerabilities, and their impact on safety, operations, and compliance. It evaluates feasibility and likelihood to derive a risk level, which is then used to prioritize treatment.

  • Assets: What must be protected (e.g., ECUs, data, communication channels).
  • Threats & Vulnerabilities: What could be exploited.
  • Impact: Safety, financial, operational, or reputational consequences.
  • Feasibility: How practical an attack is (time, expertise, resources).
  • Risk Rating: Resulting measure used to guide mitigations.
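
The following Python example is added here for illustration and is not taken from the original page or from ISO/SAE 21434. It shows how the TARA elements listed above combine: attacker effort (time, expertise, resources) is mapped to a feasibility rating, the worst impact across categories is selected, and a matrix lookup yields the risk rating used to prioritize treatment. The rating scales, effort thresholds, risk matrix, acceptance threshold and sample scenarios are all constructed assumptions.

```python
from dataclasses import dataclass

# All scales, thresholds and the matrix below are illustrative assumptions.
IMPACT = ["negligible", "moderate", "major", "severe"]
FEASIBILITY = ["very_low", "low", "medium", "high"]
RISK = [            # rows: impact, columns: feasibility -> risk 1 (low) .. 5 (high)
    [1, 1, 1, 1],
    [1, 2, 2, 3],
    [1, 2, 3, 4],
    [2, 3, 4, 5],
]
ACCEPTABLE_RISK = 2  # assumed threshold: anything above it needs a cybersecurity goal

@dataclass
class ThreatScenario:
    asset: str
    threat: str
    impacts: dict  # impact category -> rating from IMPACT
    effort: dict   # time / expertise / resources, each 0 (trivial) .. 3 (very hard)

def feasibility(effort):
    """More attacker effort means lower attack feasibility."""
    total = sum(effort[k] for k in ("time", "expertise", "resources"))  # 0..9
    for limit, rating in ((2, "high"), (4, "medium"), (6, "low")):
        if total <= limit:
            return rating
    return "very_low"

def risk_level(s):
    """Combine the worst impact across categories with feasibility."""
    worst = max(IMPACT.index(r) for r in s.impacts.values())
    return RISK[worst][FEASIBILITY.index(feasibility(s.effort))]

def prioritize(scenarios):
    """Return (risk, asset, needs_goal) tuples, highest risk first."""
    rows = [(risk_level(s), s.asset, risk_level(s) > ACCEPTABLE_RISK) for s in scenarios]
    return sorted(rows, key=lambda r: r[0], reverse=True)

# Constructed sample scenarios
SCENARIOS = [
    ThreatScenario("brake ECU messages", "message spoofing",
                   {"safety": "severe", "operational": "major"},
                   {"time": 2, "expertise": 2, "resources": 1}),
    ThreatScenario("stored user data", "unauthorized read-out",
                   {"financial": "moderate", "reputational": "major"},
                   {"time": 0, "expertise": 1, "resources": 1}),
    ThreatScenario("cabin lighting ECU", "denial of service",
                   {"operational": "moderate", "safety": "negligible"},
                   {"time": 3, "expertise": 2, "resources": 2}),
]
```

In this constructed data the stored-data scenario outranks the brake scenario because its assumed attack effort is much lower, which is the kind of ordering a TARA is meant to surface before goals are written.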

Cybersecurity Goals

From TARA results, high-level goals are defined. These describe what must be achieved to ensure unacceptable risks are reduced to an acceptable level. Goals are abstract and not yet tied to specific implementations.

  • Protect integrity of safety-critical communications.
  • Ensure confidentiality of sensitive data.
  • Maintain availability of essential vehicle functions.
  • Prevent unauthorized access to in-vehicle networks.

Cybersecurity Claims

Cybersecurity claims formalize the intent of goals and provide evidence-based statements that can be validated later in the lifecycle. They serve as a bridge between abstract goals and concrete requirements.

Outputs of the Concept Phase

  • A completed TARA with risk prioritization.
  • A set of cybersecurity goals aligned to risks.
  • Cybersecurity claims that can be traced into requirements.
  • Documented work products providing traceability and evidence.

Disclaimer: This page summarizes the Concept Phase of ISO/SAE 21434. For detailed process steps, definitions, and normative requirements, please consult the official ISO/SAE 21434:2021 standard.