Design and Validation of an ISO 21434–Compliant Cybersecurity Framework for Automotive Inverter CAN Communication
INTIZAR, SIDRA
2024/2025
Abstract
As modern vehicles evolve into “computers on wheels,” their technological complexity has increased exponentially over the past decade. This growing complexity has significantly expanded the cybersecurity attack surface, creating new opportunities for adversaries. In response to these challenges, the ISO/SAE 21434 standard was introduced in 2021 to emphasize the importance of cybersecurity throughout the automotive lifecycle. However, the standard provides a largely generic framework without prescribing a concrete implementation methodology, making its practical adoption a considerable challenge for the automotive industry and OEMs. In this thesis, conducted in collaboration with BlueWind, a cybersecurity framework has been established through penetration testing of the CAN (Controller Area Network) communication protocol in an automotive inverter. The penetration tests were categorized according to the CIA (Confidentiality, Integrity, and Availability) triad and aligned with the UNECE WP.29 R155 regulation. The results were further assessed using the Threat Analysis and Risk Assessment (TARA) methodology defined in ISO/SAE 21434. Additionally, the study evaluates the impact of implementing SecOC (Secure Onboard Communication) as specified by AUTOSAR on the CAN bus, demonstrating its effectiveness in enhancing protocol security. Finally, the research highlights the challenges posed by the closed nature of the automotive cybersecurity ecosystem and the limited availability of open-source tools and resources for researchers working toward compliance with ISO/SAE 21434.

| File | Size | Format | |
|---|---|---|---|
| Cybersecurity_MsC_Thesis_SidraINtizar_2009423.pdf (open access) | 2.3 MB | Adobe PDF | View/Open |
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 license.
https://hdl.handle.net/20.500.12608/101991