The automotive industry is in the middle of a paradigm shift from the classic single vehicle to the connected and (partially) autonomous vehicle fleet. The use of new technologies and the connectivity of vehicles, infrastructure and backends have created numerous new targets for cyber crime in recent years. The constant increase in hacker attacks shows the high risk that inadequately protected vehicles pose, especially for drivers, vehicle owners, manufacturers, insurance companies and other road users. Headlines about spectacular hacker attacks have adorned many front pages of newspapers and magazines worldwide, and many voices have been raised calling for regulatory frameworks that provide more security over the entire life cycle of a vehicle.
Driven by this escalating danger, the UNECE is setting new standards for the automotive industry and has recently published UN regulations on cyber security and on Cyber Security Management Systems (CSMS).
The EU is planning to demand compliance with the new standards for new vehicle types in the passenger car and commercial vehicle sector as early as mid 2022, and subsequently to extend them to the existing fleet. Our CEO, Dr. Michael Müller, with over 20 years of experience in the automotive industry, talks about UNECE WP.29 in the expert interview on CSMS. He answers urgent questions regarding Cyber Security Management Systems.
Q: Dr. Müller, the information security of vehicles is now becoming relevant for type approval. Is that correct?
A: “Yes, that’s right. In the future, type approval of vehicles will only be bindingly possible if the manufacturer can prove a certified CSMS and actively protects its vehicle fleet against cyber threats.”
Q: What does this mean for the automotive industry in general?
A: “These new UNECE WP.29 regulations are the first internationally binding standards that stipulate how cyber-risks are to be countered across the entire automotive value chain. Now it is no longer just a voluntary commitment to address cyber-risks but a legal requirement with clear testing and performance rules. The automotive industry is facing great challenges in this respect. All processes within the organization of an OEM and along its entire supply chain must be verifiably adapted to the valid standards on cyber security published by WP.29. For example, this includes secure supplier management, secure procurement processes, the procurement of cyber-secure software, comprehensive “end-to-end” risk management, the safeguarding of all development and production processes, secure after-sales processes and the cyber-secure maintenance of vehicles over their entire life cycle, which includes the provision of secure “over-the-air” updates.
All players involved in the automotive industry, in the supply chain or in the aftermarket of a vehicle are now faced with the task of adapting all processes in their company to the cyber security requirements. The UNECE recommends that companies integrate a CSMS and orient themselves towards ISO/SAE 21434 (Road vehicles – Cybersecurity engineering) and ISO/AWI 24089 (Road vehicles – Software update engineering), which are currently still in the draft stage but are expected to be finalized in 2020. Other existing cyber security standards must also be observed.
The entire vehicle ecosystem with every potential gateway must now be secured. An integrated CSMS enables standardized monitoring and verification of whether the necessary requirements are fulfilled. If the CSMS does not meet the requirements of the UNECE, it will not be certified, and then there will be no more type approval for the OEM. This could be a disaster similar to the WLTP.”
Q: How can the OEMs prepare themselves now properly?
A: “Due to the development times in the automotive sector, OEMs and suppliers must deal intensively with the cyber security requirements of their products now at the latest, so that they can meet the requirements for type approval by 2024. Companies should take a risk-based end-to-end approach to determine, achieve and maintain an appropriate level of protection. And this, by the way, not only for the vehicle type but also for its external interfaces and subsystems. Both the manufacturers and the suppliers now have the task of upgrading themselves to the point where they can react immediately to cyber attacks and cyber security vulnerabilities, even if they occur after the vehicles have been manufactured and delivered.
For this purpose, the establishment of an Automotive Cyber Security Operation Center (ASOC) is necessary to monitor the entire vehicle fleet 24/7 worldwide. The process-related and organizational part of Automotive Cyber Security is therefore increasingly coming into focus. What helps companies now are cyber security experts and consultants who are able to introduce a holistic CSMS that fits the company and its product portfolio. We at magility support our customers in the development of a holistic cyber security strategy and the corresponding CSMS action planning. Of course, we also assist in the realization and implementation of these measures.”
Q: Apart from vehicle manufacturers, which companies are affected by the new regulations?
A: “It affects not only OEMs but also software companies and e.g. suppliers of hardware, sensors and system architectures. Every actor who is involved in the life cycle of a vehicle in any way is affected and must act now and adapt its processes and organization.”
Q: What other measures are required by the new regulations? Can you tell us the most urgent ones?
A: “Explaining the exact plan of action would exceed our time. All measures are urgent and important – when it comes to cyber security there is no compromise. If one measure is left out and as a consequence an entrance gate is not secured, it can have fatal consequences. Everyone knows the horror scenarios that can result from this. The action plans can be viewed on the UNECE website and are available to everyone. You can also find further information on our website magility.com.”
Q: We have learned that the integration of a holistic CSMS is a decisive factor for the type approval of a vehicle in the future. How is such a CSMS structured?
A: “A Cyber Security Management System (CSMS) describes a systematic, risk-based approach to defining the organizational processes, responsibilities and controls needed to manage the risks that come along with cyber threats to vehicles and to protect against cyber attacks. A CSMS also includes the secure integration of service providers, suppliers and other third parties.”
Q: Do you see a chance for a positive macroeconomic stimulus through the legally required innovations, or in other words: Could the negative effects of Corona be at least partially compensated by new employment opportunities created by UNECE WP.29?
A: “Especially from the IT sector, induced by the new UN requirements on cyber security and CSMS, technical innovations can be expected. Niche companies and startups could also play an important role. In addition, new economic opportunities are emerging among suppliers.
The need to establish automotive cyber security will lead to significant investments in the coming years. I think this will be in the billion euro range. The answer to the question is therefore YES!”
Q: You are the managing director of magility GmbH, a consulting company that has been dealing with automotive cyber security issues for many years. You have a large network in the industry. How do you see the role of magility in this far-reaching innovation process?
A: “We see ourselves as system integrator of CSMS for the German and European market. Thanks to our partnerships with the independent certification service provider DEKRA, with technology companies such as Argus Cyber Security and with high-tech startups and, above all, thanks to our experience in the automotive industry, we feel that we are in an excellent position to advise our customers on strategy and action planning, to accompany the implementation process of CSMS in companies and to provide support during the implementation of the measures.”
Q: Thank you very much Dr. Müller for the detailed answers. Can you give us now at the end of our interview a personal estimation? Where is the automotive industry now heading under these new circumstances?
A: “The automotive industry, which was previously very much focused on the development, production, sales and maintenance of individual vehicles, is changing into a vehicle fleet operator with a strong focus on software development. The automotive industry is becoming part of the IoT industry through the networked vehicle fleet and is thus in competition with Google, Amazon, Baidu and other Internet giants, which does not make things easier. Compared to these new competitors, the automotive industry has a massive need to catch up, also in the area of cyber security. The automotive industry will become part of the mobility industry (TaaS and MaaS) and must take care not to be reduced to a B2B vehicle supplier. Cross-industry business models will become particularly important in the future.”
In a few weeks we will have another interview. For this we will collect your urgent questions from practice on the topic CSMS. Please feel free to send your questions directly to Nada Lea Welker (CMO magility) email@example.com.