The paradigm shift in the automotive industry towards the networked and (partially) autonomous vehicle is in full swing. New technologies with significantly increasing networking possibilities are currently leading to new demands on the regulatory framework. In recent years, legislators and test institutes have already initiated the establishment of corresponding standards. Suppliers of software, sensors and system architectures for the automotive industry must already be able to meet these standards in order to position themselves successfully in tenders by vehicle manufacturers. In the future, type approval of vehicles will only be possible if a certified Cyber Security Management System (CSMS) is in place.
Which regulations are currently at issue?
The emerging standards on Automotive Cyber Security are new in the automotive industry. The WP.29 working group on the harmonization of vehicle regulations of the UNECE (United Nations Economic Commission for Europe) has drawn up a set of rules that prescribes new requirements for the cyber security of vehicles. The focus of the WP.29 regulations is, firstly, on testing the reliability of autonomous systems and, secondly, on ensuring the cyber security of all components and data connections installed in the vehicle. According to this standard, all manufacturers of vehicles connected to the internet and their suppliers must have implemented a functioning Cyber Security Management System (CSMS). Without such a CSMS, applying for the type approval of a vehicle is impossible. At the same time, the ISO (International Organization for Standardization) is developing the two standards ISO/AWI 24089 and ISO/AWI 21434. Both aim to establish a new standard in the automotive industry for all topics relevant to cyber security. Hence all companies in the industry now face the challenge of preparing themselves and installing a corresponding CSMS as quickly as possible in order to be able to comply with the soon-to-be-released regulations from the outset. This CSMS must also include the administration of suppliers, service providers and other third parties.
What are the technological backgrounds?
Autonomous and smart technologies make vehicles much more vulnerable to cyber attacks. The high number of different data connections as well as the digital and networked components provide gateways for hackers, which in the worst case can be used to influence the vehicle system without authorization. The scenarios that can result are well known. The gateways can be divided into three areas:
- Telematics: via WLAN, mobile radio, GNSS data connections such as GPS and the servers connected in the background
- V2X Communication: Vehicle-to-Infrastructure (traffic management systems), Vehicle-to-Device (smart phones), Vehicle-to-Home (smart home devices), Vehicle-to-Vehicle (communication between vehicles)
- Infotainment: WLAN, music and video streaming, data connections from apps for e.g. weather, restaurant recommendations, games etc.
The listed data connections are potentially vulnerable to hacker attacks. In order to exclude the dangers in advance or at least to mitigate them as far as possible, the establishment and operation of a comprehensive Cyber Security Management System (CSMS) is indispensable and will in future also be required by lawmakers and testing institutes. The UNECE has announced that the operation of a certified CSMS and its application to the vehicle type will become mandatory from around mid-2022 for all new types of vehicles at the time of type approval. From July 2024 it will then apply to all new vehicles. This means that companies will have about 2 years to take the necessary measures and integrate a corresponding CSMS into their business.
Important: Introduction of a Cyber Security Management System
In order to successfully manage the complexity of all risks in the area of cyber security for vehicles, every company must have a CSMS in the future. A company’s cyber security approach must be implemented holistically over the entire product life cycle. This covers both the organizational and technical areas of a company or product, including the product development process, production and all service, maintenance and repair work after the commissioning of a component or software. The entire automotive ecosystem must be carefully coordinated in order to comply with the upcoming cyber security requirements. It is therefore important to create the right framework conditions in both the organizational and process structure of the company and to initiate appropriate measures. Certifications according to WP.29 or according to the above-mentioned ISO standards will form the regulatory basis for future cooperation between vehicle manufacturers and service providers in the automotive industry.
How is a CSMS structured?
The purpose of a CSMS is to preventively identify and eliminate critical weaknesses in the product. Cyber security must be ensured and maintained throughout the entire product life cycle. This includes developing the design of the products under cyber security specifications. The number of hacker intrusion points must be kept as low as possible from the very beginning. This is the only way to reduce the areas of attack and thus the risk of falling victim to a cyber attack. Every company must therefore orient itself to the best practices for effective cyber security. These best practices primarily concern principles to be followed in product development, production, the organization of the company and the assignment of responsibilities.
Possible guide to relevant best practices
The principles in the approach are:
Security by Design, Privacy by Design and the introduction of risk and threat management. This means regularly analysing possible threat situations throughout the entire development.
The principles for the organization are as follows:
Inclusion of all suppliers and service providers in the aspects of cyber security. An awareness of cyber security in the company’s own corporate culture across all interfaces must be created through training and consulting. Guidelines for the efficient handling of cyber-relevant security incidents are to be developed and established in the company.
Principles in the technological implementation:
Constant monitoring of security gaps and unauthorized access, as well as the greatest possible protection of one’s own networks through encryption and strict access controls (human factor). By using big data and AI methods, irregularities in the data flow can be detected early.
The time to act? Right now!
We at magility support our customers from the automotive sector with a future-oriented approach and therefore developed a CSMS years ago, which is continuously adapted to the newly emerging regulations. We act as a system integrator for CSMS for medium-sized companies in the German and European market and are optimally positioned thanks to our partnerships with technology companies such as Argus Cyber Security, internationally one of the most renowned companies for automotive cyber security, and the independent certification service provider DEKRA. This enables us to provide our customers with comprehensive support in the implementation of a Cyber Security Management System. In recent years, we have established ourselves on the market as experts for all questions and solutions relating to automotive cyber security and have implemented numerous projects with well-known companies from the automotive industry.
How do you see your company currently positioned with regard to cyber security? Please contact us for a professional exchange; we will support you with an initial assessment of your risk situation. We will support your company in the implementation of a CSMS that takes the newly emerging regulations into account from the beginning.