logo
stripes

Operations & Post-Development

The Operations and Post-Development Phase of ISO/SAE 21434 ensures that cybersecurity is actively managed after vehicles leave production. This phase covers production, field operations, updates, incident response, and decommissioning.

Objectives

  • Ensure secure production and manufacturing processes.
  • Maintain cybersecurity during vehicle operation and service life.
  • Provide secure software updates and configuration management.
  • Detect and respond to incidents and vulnerabilities.
  • Handle end-of-life and decommissioning securely.

Production & Manufacturing

Cybersecurity measures must be embedded into manufacturing and assembly processes:

  • Secure provisioning of cryptographic keys and certificates.
  • Controlled access to production tooling and environments.
  • Verification of software integrity before deployment to ECUs.

Operations & Maintenance

Once in the field, vehicles require ongoing monitoring and management:

  • Vulnerability monitoring and risk assessment updates.
  • Collection and analysis of operational cybersecurity data.
  • Integration with incident reporting and response processes.
  • Communication of relevant information to stakeholders and suppliers.

Software Updates

Vehicles rely on regular updates to maintain security and functionality. ISO/SAE 21434 requires update processes that ensure:

  • Authenticity and integrity of update packages (e.g., secure OTA updates).
  • Protection against rollback or unauthorized modification.
  • Traceability of update deployment and audit evidence.

These requirements align closely with UNECE Regulation R156, which governs software updates for type approval.

Incident Response

Organizations must be prepared to detect, analyze, and respond to incidents:

  • Incident detection and triage.
  • Root cause analysis and containment.
  • Deployment of corrective updates or patches.
  • Communication with customers, regulators, and suppliers.

Decommissioning

When a vehicle or component reaches end-of-life, processes must ensure that cybersecurity risks are not introduced:

  • Secure deletion of sensitive data (e.g., keys, credentials, personal data).
  • Deactivation of backend accounts or services.
  • Safe disposal or recycling of hardware containing cryptographic material.

Outputs of Operations & Post-Development

  • Secure production and provisioning records.
  • Monitoring reports and vulnerability assessments.
  • Incident response plans and evidence of execution.
  • Update management records (aligned with UNECE R156).
  • Decommissioning procedures and evidence of secure disposal.
Disclaimer: This page summarizes the Operations & Post-Development phase of ISO/SAE 21434. For detailed requirements, consult the official ISO/SAE 21434:2021 standard and UNECE Regulations R155/R156.