The focus on cybersecurity in the automotive industry is growing as vehicles offer more connected features. Cyber attacks on vehicles pose a distinct class of threat: the ones of highest concern affect safety and human life. Because of this, the industry needs to adopt a strict, low tolerance for risk.
There is a strong effort in several regions to impose binding regulations on the quality of the cybersecurity elements of automotive products. Beyond the regulations affecting automotive cybersecurity shown in Figure 2, there are two documents to focus on, one regulation and one engineering standard:
- UNECE WP.29 – UN Regulation on uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management system
- ISO/SAE 21434 – Road Vehicles Cybersecurity Engineering
All of these share similar requirements: an explicit focus on the automotive industry when addressing cybersecurity; an obligation to maintain vehicle security after sale, throughout the vehicle's life; a team responsible for security and defined security processes; robust security testing; and approval by an authority before vehicles may be sold. The WP.29 UN Regulation has been adopted and, for new vehicle types, becomes a condition of sale from July 2022.
Compliance with these regulations will be a condition of doing business. To sell new vehicles in the countries shown in blue in Figure 4, manufacturers will have to comply with the UNECE WP.29 UN Regulation on cybersecurity from July 2022. WP.29 refers extensively to ISO/SAE 21434, and the standard is the engineering framework against which the regulation's CSMS requirements are demonstrated, so compliance with both will be necessary. A similar expectation for sales in North America may be decided soon.
Cybersecurity must be treated as a transformation project in three dimensions: people, process and technology. Automotive manufacturers will need to implement a cybersecurity management system (CSMS). This requires cybersecurity staff, an audited cybersecurity process and, for each individual vehicle project, type approval from an authorized third-party entity. Both organizational and project-specific challenges must be met. Across the automotive supply chain, cyber risk must be managed with a focus on continuous improvement as stakeholders progress toward their cyber maturity target and beyond.

Management of cybersecurity risk does not stop after the sale of the vehicle: OEMs will also have to manage security for in-field products. Suppliers are not exempt from these regulatory requirements, so OEMs and suppliers must work together to align their processes and vocabulary to meet the standards.

Attention to automotive embedded cybersecurity has increased significantly over the past decade as high-profile attacks have become major headlines. Classic IT security is a longer-established discipline than embedded security, and the two sub-fields have different goals. IT back offices focus on protecting informational assets, while automotive embedded security is concerned with protecting vehicles on the road and keeping people safe. These two domains need to converge to achieve safe roads in the future, and IT management needs to adopt the objectives of automotive security to protect vehicles and people.
ESCRYPT and KPMG have formed a partnership and developed PROOF (Product Security Organization Framework), a unified, traceable cybersecurity maturity framework, to support clients on the automotive cybersecurity journey from start to finish. ESCRYPT, a leader in automotive cybersecurity, embedded security technologies, engineering operations and implementation, is actively involved in industry working groups and standardization efforts. ESCRYPT has over 10 years of experience working with North American suppliers and OEMs, and draws on experts at 19 locations worldwide doing business with major OEMs and suppliers across the globe. KPMG brings a complementary set of strengths, including information security in back-office applications and architectures, compliance, change management, auditing and legal counseling. The new challenges in automotive regulation and standardization require cooperation between different stakeholders with a broad view of objectives and perspectives. The partnership between ESCRYPT and KPMG brings together a deeper understanding of, and diverse viewpoints from, all the stakeholders involved: automotive engineering teams, vehicle cybersecurity, research and development, safety, quality, after sales, information security, back-office infrastructure, legal and governance.
PROOF is not a one-size-fits-all approach. Each client receives a tailored approach that takes into account its current capabilities and processes, which can then be adapted to meet the regulations and the client's target security level. PROOF can begin with on-site interviews of stakeholders to audit the customer's current cyber maturity and targets, and to set a scope that meets the needs of the various stakeholder groups. Depending on this evaluation, PROOF can continue with services that prepare customers for what comes next. ESCRYPT and KPMG can help gather the information already within your organization, identify what you still need to know, and organize it into the documentation required for auditing, CSMS certification and vehicle type approvals. We can train your staff with on-site or web-based training designed specifically for your group or organization. We can deliver a fit/gap analysis of your current processes across the organization and show how to build on and adapt them to meet the regulations, or we can work with you to build a new cybersecurity process from the ground up. In addition, we provide a readiness assessment report with a specific focus on economic considerations, in order to balance compliance, security and financial viability. Is your organization ready for the new automotive regulations? Prove that your CSMS and vehicle products are ready with PROOF!
If you’d like to learn more, follow the links below or contact us!