All Parties involved in automotive development projects are aware of the fact that cybersecurity must be adequately implemented holistically throughout the entire development project. However, the question is: How does this succeed in practice? In this blog, we try to give an overview and provide six tangible tips for implementation in practice.
“Okay Google, how to build a cybersecure product for automotive”
We have an asset or a product for the automotive market over here and it has to meet the requirements and regulations of the automotive market. Well, that’s the entry point to the whole topic.
In addition to various requirements that need to be followed and implemented (such as Functional Safety or ASPICE), the ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering gets into focus when it comes to cybersecurity.
The ISO/SAE 21434 is the new major reference point for cybersecurity in the automotive industry.
The objective of ISO/SAE 21434 is – in general terms – to create a consensus on the cybersecurity requirements to be applied to the entire automotive value chain. In other words: ISO/SAE 21434 applies not only to OEMs, but to every supplier of E/E systems, components, software, interfaces, and external devices.
Those who, while familiarizing themselves with the subject, not only focus on the product, but also on the organization, will sooner or later stumble upon UNECE WP.29, the UNECE World Forum for Harmonizations of Vehicle Regulations. This is where regulations for the international automotive industry are developed (for already 70 years now).
With regard to cybersecurity, UN Regulation No. 155 – Uniform provisions concerning the approval of vehicles with regard to cyber security and cyber security management system comes into play here.
If you only start to delve deeper into these two documents, you will soon realize that quite a few requirements have to be met when it comes to “cybersecure automotive products”. Some of the requirements even sound relatively simple at first glance, but at their core they are very complex. What exactly is to be done now?
Well, maybe what we have is sufficient?
Of course, establishing cybersecurity (and what is widely understood by it) is not entirely new territory in most companies. The awareness of cybersecurity as a field of action has recently increased simply due to the level of digital progress.
Accordingly, mechanisms, methods and processes can already be found here and there (mostly in isolated contexts) which are intended to increase cybersecurity around the development of the product.
But still: In development projects, the focus is primarily on the product, which is of course obvious. And always first and foremost the associated time-to-market timeline and the persistent cost pressure.
And there’s no shame in the fact that, of course, there are scenarios where cybersecurity experience and needs simply existed to a different degree before.
This can even change abruptly in some cases, such as with a new market entry into the automotive sector.
Consequently: there is a need for alignment.
Bringing both levels together, with a pilot
“Yes, we are encrypting our communication. Somewhere is a documentation on this.” Ehm yes, okay. That tends to be good, but it is still vague in concrete terms.
Such an example illustrates what is often the actual challenge.
From the idea point of view the right things are done, but process-wise and on the level of documentation there are some serious deficits.
Mapping with what standards and regulations require
Staying with the example, ISO/SAE 21434, for example, will not provide any concrete solutions for cybersecurity methods nor technologies (the standard is purposely formulated in an abstract way). Nevertheless, along the entire product lifecycle and beyond, there are defined procedures, methods, mandatory documentations and processes (et al) that need to be taken into account.
Without wanting to blow this out of proportion, we can say from our consulting experience that even extremely well-prepared organizations are surprised again and again at how incredibly far-reaching it is what the standards/regulations demand.
It often turns out that it is too much of a strain for the organization to want to “turn the big wheels” at the beginning; it is advisable, especially if you are coming purely from the product perspective, to approach it with a sense of proportion.
Cybersecurity strategy for the development project or: Why a quick action plan is often more than enough
Long story short: In order to set the course for a “cybersecure product” as efficiently as possible, you need an action plan that can be implemented as quickly as possible.
Here, the goal is to evaluate the product or development project as meaningfully as possible so that it can then be transferred to the organizational level.
For this purpose, it is advisable to identify a specific project as a pilot project.
Particularly if you are new to the automotive market or if you have not yet worked with cybersecurity requirements in this depth, the isolated analysis of a single development project allows a good assessment of the status quo.
From this, lessons learned can be extracted in order to be able to establish them at the level of the organization in a next step.
In addition, this piloting offers the opportunity to set up a broader scope, identify gaps (etc.) and to directly include other relevant standards as well as automotive best practices here.
6 tangible tips for practice
How can theory and practice now be brought together in the best possible way? In the following, you will find the most valuable recommendations.
First of all, it is necessary to do the set-up work. A fundamental prerequisite is to set up clear responsibilities. Central points of contact for all cybersecurity activities and units for overall strategy and control must be established. Then let’s get started:
1. In-house cybersecurity expertise
Although ISO/SAE 21434 has not even been finally published yet, job advertisements are currently piling up looking for automotive cybersecurity specialists. They are overflowing with wishes about the wide-ranging knowledge of standards and regulations that the ideal candidate should already possess today.
At the same time, there are hardly any reliable training programs in this field. An orientation towards proven best practices is not yet even possible.
Solid knowledge (such as the reference book The Essential Guide to ISO/SAE 21434) and application-oriented trainings (see also CYRES Academy Online Learning Platform) play a critical role for companies to build up strong automotive cybersecurity expertise.
2. Start early
The automotive supply chain has its strict timelines, cybersecurity has to fit into these – even if there is a lot to do. It is obvious that this should never be an either/or question.
Accordingly, it is essential to address unresolved cybersecurity and compliance issues as a whole at an early stage.
Because: Practice shows that the later (and more progressive in the development project) the topic of cybersecurity is considered, the more costly, time-consuming and resource-intensive it becomes. (Just imagine if you had to change your final HW or even the product if it is already in the field).
3. Create an overview of applicable standards and regulations
We have already talked about ISO/SAE 21434 and UN Regulation No. 155. And, in most cases, it would be good “to be compliant and certified everywhere”. So much for the theory.
But what is required in practice and how do the other standards and regulations overlap and depend on each other?
Particularly with regard to the respective product and the own organization, it is important to obtain a 360-degree full overview.
In addition to cybersecurity issues, the focus should also be on the required quality and regulations in general automotive engineering processes. In fact, these quality management systems are actually considered as a prerequisite for setting up cybersecurity processes, for example IATF 16949 or ASPICE.
4. A relentless analysis of the Status Quo
By conducting a comprehensive and self-critical review of the current status quo, a reasonable starting point can be created in order to be able to turn the necessary adjusting screws in the first place.
There is no benefit here in whitewashing the situation. The analysis should be carried out neutrally and the level of standards and regulations should be kept consistently correct. Possible deficits must be clearly identified at an early stage and mitigation steps should be derived.
5. Establishment of a cybersecurity culture
At the end of the day, the origin of critical cybersecurity incidents is human error. In practice, this can start with the smallest detail: It is not clear which protocol takes effect or who is responsible? A serious risk can already arise.
Accordingly, building a cybersecurity culture in which cybersecurity becomes an everyday topic for the day-to-day job is worth its weight in gold.
Especially when the required level of cybersecurity professionalism is new to organizations, departments, and teams, communicating the importance of it becomes a critical differentiator.
6. Understanding the scope of cybersecurity as a driver of business
As the integration of cybersecurity into development projects progresses, it becomes more and more clear that effectively addressing cybersecurity has a tangible impact on moving forward in development projects.
For example, investing in the development of proper templates and organization-specific structures, that can be reused as a framework across projects, can result in enormous time and cost savings.
In the end, cybersecurity could be an advantage over the competition.
Getting a cybersecure product off the ground
Getting a cybersecure product off the ground for the automotive industry is no trivial matter. To be precise: The phrase “cybersecure product” already doesn’t quite hit the nail on the head, because far more than just the actual product is involved; the entire organization has to drive cybersecurity.
Philipp Veronesi is founder and managing director of CYRES Consulting, one of the leading automotive cybersecurity consultancies. He has many years of practical experience not only in engineering but also in the management of technically challenging development projects for leading players in the automotive industry, including BMW, Audi, Rolls Royce, and others.