The focus on cybersecurity in the automotive industry is growing as vehicles offer more connected features. The risk of cyber attacks on vehicles poses unique threats – those of highest concern relate to safety and human life. Because of this, there is a strong effort in various regions to impose binding regulations on the quality of the cybersecurity elements in automotive products. In addition to the regulations affecting automotive cybersecurity (see Figure 1), there are two important standards to focus on:
- UNECE WP.29 UN R 155 – UN Regulation on uniform provisions concerning the approval of vehicles with regard to cybersecurity and the cybersecurity management system. Compliance will be required to sell vehicles in some markets, such as Europe and Japan, by July 2022.
- ISO/SAE 21434 Standard – Specifies requirements for cybersecurity risk management regarding engineering for concept, development, production, operation, maintenance, post production and decommissioning for road vehicle electrical and electronic systems, including their components and interfaces.
WP.29 makes many references to ISO/SAE 21434, so compliance with both is recommended. A similar expectation for vehicles in North America is likely to follow, and NHTSA is in the process of releasing cybersecurity best practices for further guidance.
All the upcoming regulations have similar requirements:
- A stronger focus on the automotive industry when addressing cybersecurity
- Requirements to uphold security on vehicles after sale
- The need for a security-responsible team and security processes to be in place
- Robust security testing
- Authority approval before vehicles may be sold
We have PROOF!
ESCRYPT and KPMG have partnered to develop PROOF (Product Security Organization Framework), a unified, traceable cybersecurity maturity framework that supports companies in their automotive cybersecurity journey from start to finish. PROOF is not a one-size-fits-all approach. We take a tailored approach for each customer, taking into consideration their current capabilities and processes that can be adapted to meet regulations, as well as their target security level. The engagements may involve stakeholder interviews (on-site or virtual) to audit the customer’s current cybersecurity maturity and targets, and to set a scope that meets the target security maturity for vehicle products. Based on the results of this evaluation, ESCRYPT and KPMG can help gather information within your organization, identify key areas of focus, and organize it into documentation for audits and for obtaining CSMS certification and vehicle-type approvals from technical authorities. We then provide a fit/gap analysis report of current processes across the organization and the steps to build and adapt them to meet regulations, or we can work with you to build a new cybersecurity process from the ground up. In addition, we provide a readiness assessment report with a specific focus on economic considerations, designed to balance compliance, security and financial viability. To round it all out, we can train your staff with on-site or web-based training made specifically for your company. ESCRYPT and KPMG also offer a licensed software tool for organizing PROOF knowledge on your own, including questionnaires that benchmark supplier and stakeholder security maturity, making the organization of security easier and measuring the security capabilities of the partners in your supply chain.
Find out more
If you’d like to learn more about the impending regulations or about ESCRYPT’s PROOF approach, follow these links or contact us!