Given the rapid pace of technological progress in the automotive industry, these are dynamic and challenging times for cybersecurity.
In particular, UN Regulation No. 155, which sets the course for an overarching regulatory framework around cybersecurity, is creating new tasks for ensuring cybersecurity. It not only affects existing processes. It is also necessary to establish completely new processes that were previously unknown – along the entire product lifecycle. For example, Continual cybersecurity activities are likely to require far-reaching new organizational structures, processes, and workflows for many players and large parts of the automotive value chain. How can this succeed?
- I. What documents provide information on Continual cybersecurity activities?
- II. Continual cybersecurity activities according to ISO/SAE 21434
- III. What challenges do organizations face with their Continual cybersecurity activities?
- IV. Continual cybersecurity activities vs. interdependencies within the supply chain
- V. The problem of missing best practices
- VI. Sum up + four take-away impulses
In the automotive context, Continual cybersecurity activities describe the entirety of strategies and measures to be implemented along the product lifecycle in order to identify, assess and, if possible, eliminate emerging threats, or to ensure that they have no negative impact on the cybersecurity of the specific vehicle or its components and beyond. It is important to note that this also includes the work carried out during development.
No special expert knowledge is required to recognize the fundamental importance of Continual cybersecurity activities: Depending on the vulnerability and, in the worst case scenario, the lack of seamless processes, almost all kinds of consequences are theoretically possible – and must be dealt with accordingly.
It is therefore about the sustainable (new) set-up of continuous monitoring, analysis, and incident response activities.
What documents provide information on Continual cybersecurity activities?
The required scope of the (re)organization becomes particularly clear when looking at Continual cybersecurity activities (CCSA), as described in UN Regulation No. 155 in section 7.2.2.2 (g). The phrase used there, “The vehicle manufacturer shall …”, and the significance of UN R155 for the OEMs' type approval process could create the perception that these CSMS-related processes are a job only for manufacturers. It is clear, however, that UN Regulation No. 155 also means that requirements are cascaded down and arise on the side of the suppliers of components and systems. How OEMs pass on requirements to their suppliers and which CSMS principles have to be fulfilled on the suppliers’ side was recently discussed in our webcast “UN Regulation No. 155 is in force: Requirements affecting the supply chain”. You can also read about it in our article “How to establish a CSMS in accordance with UN R155?”.
Currently, it is important to note the following: Real guidelines for Continual cybersecurity activities are practically non-existent on the market. Even UN R155 only formulates very general guidelines and offers only a limited level of detail.
The topic of Continual cybersecurity activities is dealt with in more detail in ISO/SAE 21434:2021, more specifically in Clause 8 Continual Cybersecurity Activities.
Clause 8 of the ISO/SAE 21434 standard defines a specific approach to enable effective protection against cybersecurity threats for products throughout the product lifecycle.
In this context, the link to Clause 10 Product Development – e.g., weaknesses already identified during product development (cf. [WP-10-05]) – and Clause 13 Cybersecurity incident response, in which the cybersecurity incident response plan is defined as part of the continual cybersecurity activities, must also be taken into account.
Continual cybersecurity activities according to ISO/SAE 21434
In ISO/SAE 21434:2021, the Continual cybersecurity activities along all phases of the lifecycle consist of four high-level steps:
- Cybersecurity Monitoring
- Cybersecurity event evaluation
- Vulnerability analysis
- and Vulnerability management.
What is Cybersecurity Monitoring?
Cybersecurity monitoring is the basis for all structures, steps, and measures to be established and implemented along the Continual cybersecurity activities. It is about setting up a procedure to ensure the comprehensive collection and evaluation of information on all circumstances related to the cybersecurity of the objects concerned. Special attention must be paid (quantitatively and qualitatively) to the sources that form the basis for this information gathering.
What is the Cybersecurity event evaluation?
Cybersecurity event evaluation is directly related to cybersecurity monitoring. The evaluation performed here systematically determines whether one of the assets in the portfolio is actually affected.
What is vulnerability analysis?
Vulnerability analysis involves systematically quantifying the extent to which the discovered weakness represents an actual vulnerability and how serious the resulting risk might be. The purpose is to create a working basis for subsequently determining the extent to which the risk can be accepted or remedial measures need to be identified.
What is vulnerability management?
In vulnerability management, the objective is to identify these remedies in concrete terms. This is also where the incident response plan is set up, for example, in order to communicate the pre-identified risk (in Germany, for example, such risks must be reported by the OEM to the responsible authority) and how to mitigate it.
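The four steps above as a minimal data flow, added here as an illustration and not taken from ISO/SAE 21434 or from the author. Component names, event records, the impact-times-feasibility score and the acceptance threshold are all constructed assumptions.

```python
# Constructed portfolio: fielded components (all names hypothetical).
PORTFOLIO = [
    {"asset": "telematics-unit", "component": "examplessl", "version": (1, 0, 2), "remote": True},
    {"asset": "body-controller", "component": "examplessl", "version": (1, 0, 4), "remote": False},
    {"asset": "infotainment", "component": "examplertos", "version": (4, 2, 0), "remote": True},
]

# Constructed monitoring input: items collected from internal and external sources.
EVENTS = [
    {"id": "EVT-1", "source": "supplier bulletin", "component": "examplessl", "fixed_in": (1, 0, 5), "impact": 3},
    {"id": "EVT-2", "source": "researcher report", "component": "examplertos", "fixed_in": (4, 0, 0), "impact": 4},
    {"id": "EVT-3", "source": "news feed", "component": "otherlib", "fixed_in": (2, 0, 0), "impact": 2},
]

def evaluate_event(event, portfolio):
    """Event evaluation: which portfolio assets are actually affected?"""
    return [a for a in portfolio
            if a["component"] == event["component"] and a["version"] < event["fixed_in"]]

def analyse(event, asset):
    """Vulnerability analysis: illustrative impact x feasibility score (an assumption)."""
    feasibility = 3 if asset["remote"] else 1  # remotely reachable means easier to attack
    return event["impact"] * feasibility

def manage(score, accept_below=4):
    """Vulnerability management: accept the risk or require remediation."""
    return "accept" if score < accept_below else "remediate"

def triage(events, portfolio):
    """Run every monitored event through evaluation, analysis and management."""
    findings = []
    for event in events:
        affected = evaluate_event(event, portfolio)
        if not affected:
            findings.append((event["id"], None, 0, "no affected asset"))
        for asset in affected:
            score = analyse(event, asset)
            findings.append((event["id"], asset["asset"], score, manage(score)))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, PORTFOLIO):
        print(finding)
```

The same event (EVT-1) leads to different treatment for two assets, and two of the three monitored events drop out at event evaluation because no fielded version is affected.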
So, what does this procedure require from the organizations behind it? What are the main challenges that need to be addressed?
What challenges do organizations face with their Continual cybersecurity activities?
First of all, the integration of Continual cybersecurity activities into the existing infrastructure has to be thought out in a strategically meaningful way. Are we talking about a separate organizational unit that becomes responsible here? Are projects considered by themselves? What about responsibilities, especially in view of the long runtimes?
Once the general framework (structures, responsibilities, processes, procedures) for ensuring continual cybersecurity activities has been defined on an organization-specific scale, the greatest challenge becomes apparent: Organizations must provide (new, or additional) resources in order to bring the conceived processes to life in a sustainable manner.
Resources in the automotive industry are becoming scarcer for ongoing reasons of cost efficiency, and expert knowledge, especially around ensuring the cybersecurity of vehicles, is generally not easily available. Most enterprises therefore face the first major obstacle already in the preparation phase of their Continual cybersecurity activities.
Continual cybersecurity activities vs. interdependencies within the supply chain
Another aspect to consider is the dependencies within the supply chain and the responsibilities resulting from them, which need to be clarified and defined comprehensively at an early stage.
However, this is made more challenging by the fact that OEMs often do not have the in-depth technical knowledge they need about the built-in systems. This is not necessarily because the OEMs lack this ambition, but often also because intellectual property issues make transparency more difficult. In this area, too, monitoring activities, for example, are often simply passed on to the respective suppliers, so that they have to be carried out completely independently (and not infrequently over decades!) on the side of the supplier.
From the suppliers’ perspective, this means that they will have to build up tremendous resources to provide this committed continual cybersecurity support for their products, components, and systems.
Even today, contracts are signed that promise that any cybersecurity breach discovered will be fixed within a few days, even within a period of 15 years. This can create the illusion that future cybersecurity challenges are simply being neglected. (Not to mention theoretically possible scenarios such as the much-feared “Q-Day”, the day when quantum computing technologies will be able to overcome traditional encryption.)
How can this be approached in a meaningful and, above all, feasible way?
The problem of missing best practices
There’s no denying that addressing Continual cybersecurity activities is newer to the automotive industry than to its IT counterparts. There are no best practices for enterprises to follow.
Conference and trade show organizers – who are again ramping up their efforts to foster automotive cybersecurity knowledge sharing in the industry after the pandemic – are realizing that the content they would like to present on their stages (and audiences would very much like to hear as well) simply doesn’t exist yet.
In the absence of well-defined and established ways of working, it is currently becoming indispensable to have countless discussions and coordination across the supply chain to realize a stable cohesiveness here.
On the other hand, it is not only the market, but above all the approval authorities, technical services, and other institutions relevant to the automotive market that are currently entering new technical territory with regard to Continual cybersecurity activities.
This intensifies the current situation: Existing ambiguities within the industry are more likely to be exacerbated than eliminated by unclear expectations on the side of the approval authorities and technical services when it comes to interpreting and implementing the regulation.
Sum up + four take-away impulses
Given the circumstances described above, the question arises as to how the affected organizations should deal with this enormous challenge.
First and foremost, organizations have a responsibility to develop an understanding of the challenge, the given scale and the interdependencies. When setting up solutions, it is important to keep an eye not only on the short-term implementation, but also on the strategically sensible and long-term perspective.
Based on the work we are currently doing for our automotive clients to build up Continual Cybersecurity Activity capabilities step by step and to increase maturity in dealing with Continual cybersecurity activities, we would like to conclude with four impulses that are becoming indispensable.
It is necessary
- to build up a high level of awareness and understanding of the enormous range of Continual Cybersecurity activities for one’s own item, system, or components,
- to initiate the establishment and development of infrastructures and processes for the efficient collection of information (in addition to the internal infrastructure, or information generated by the vehicle, also including external sources) at an early stage,
- to tackle the establishment of a central repository of collected information for immediate or future analyses,
- and to initiate the organization-specific establishment of a Security Operation Center. This acts as a central instance for analyzing events, assessing risks and initiating risk reduction measures.
Philipp Veronesi is founder and managing director of CYRES Consulting, one of the leading automotive cybersecurity consultancies. He has many years of practical experience not only in engineering but also in the management of technically challenging development projects for leading players in the automotive industry, including BMW, Audi, Rolls Royce, and others.