Security governance: It’s all a matter of organization
Protecting against cyberattacks is a key success factor for the highly digitalized mobility of the future. This has significantly heightened the importance of cybersecurity governance in the automotive industry. For many automotive manufacturers and suppliers, the information security of their products has become a top-management issue. Three key trends are increasingly defining how companies in this sector think and act: specialization in the automotive industry, establishing a security organization and processes, and statutory and regulatory requirements.
Growing importance of automotive security
In recent years, cybersecurity in the automotive sector has increasingly become an independent and important topic. One crucial reason for this is the trend toward automated and connected driving. A growing number of bodies, standards, rules, and best-practice guidelines are now dedicated to secure vehicles. Here are a few examples:
- The UNECE WP.29 Task Force on Cyber Security and Over-the-Air software updates (TF-CS/OTA), as part of the Working Party on Autonomous/Automated and Connected Vehicles (GRVA) .
- The US National Highway Traffic Safety Administration (NHTSA) and British Standards Institutes’ (PAS 1885:2018) guidelines for automated vehicles and cybersecurity [2, 3].
- 16 standardization projects on cybersecurity for smart connected vehicles in China, which are awaiting or have already received approval.
- The Automotive Information Sharing and Analysis Center founded by the US automotive industry, with seven best-practice guidelines published by May 2019 .
Security-specific organizational structures and processes
The automotive industry has realized that an appropriate level of product protection cannot be achieved solely through technological measures in development. A holistic, risk-based approach is needed in order to create suitable organizational measures and processes. Accordingly, organizational aspects of automotive cybersecurity are increasingly coming to the fore. What is needed are processes that span the entire vehicle life cycle and extend throughout the supply chain, from the smallest suppliers to vehicle manufacturers to end customers and authorized repair shops. Manufacturers and their suppliers need to be in a position to respond to cybersecurity attacks and vulnerabilities that come to light after the vehicle has been manufactured and delivered. To this end, clear processes and interfaces between the individuals responsible for cybersecurity must be defined within the supply chain.
That’s why the UNECE Task Force TF-CS/OTA stipulates, for instance, that automotive manufacturers must maintain a certified cybersecurity management system (CSMS) and renew the certification every three years. Large segments of the automotive industry currently assume that ISO/SAE 21434, which is expected to be published in late 2020, will form a key basis of such an automotive CSMS .
Growing numbers of statutory and regulatory requirements
The trend toward automated driving is also making vehicle cybersecurity the focus of statutory and regulatory initiatives. Owing particularly to the issue’s safety relevance, efforts are being made to ensure that vehicle type approval will soon be dependent on meeting statutory requirements for automotive security.
One of the most important activities in this context is the TF-CS/OTA mentioned above and its draft UN regulation . Furthermore, starting this year, the European Union’s recently enacted Delegated Regulation on the deployment and operational use of cooperative intelligent transport systems (C-ITS) regulates how connected vehicles should communicate with each other in a way that is secure . There are also national initiatives: in the US Congress, for example, the SELF DRIVE Act [8 or the AV START Act  expired without being approved, but it is expected that similar bills will be introduced and enacted very soon. At the state level, however, the California senate passed the Security of Connected Devices bill (SB-327) in August 2018 . Automotive manufacturers and suppliers that operate in numerous markets worldwide simultaneously will thus have to deal not just with globally coordinated legislation, but also with local legal requirements.
Summary: Security governance is essential
Automated and connected driving poses a number of cybersecurity challenges and the supply chain companies involved are already taking numerous steps aimed at further improving vehicle protection. The UNECE TF-CS/OTA and the forthcoming ISO/SAE 21434 require particular attention. Their contents will soon be compulsory for type approvals, and establish guide rails for approval requirements in terms of automotive cybersecurity. At the same time, automotive manufacturers and suppliers must constantly maintain a current and comprehensive overview of any national and regional rules and legal requirements. A newly established security governance role is helping companies ensure that they are well prepared for the developments ahead.