When it comes to cybersecurity in the automotive industry, we have to face the fact that there is a rising need for it. This is not only because the car is becoming autonomous, connected, electric or shared – it is about the accelerating pace of technological innovations in all parts of the lifecycle, including the whole ecosystem and the ongoing serious shifts for the whole industry.
Despite stronger competition, ongoing cost pressure, technological inventions and growing customer demands, development cycles nowadays are becoming shorter and shorter.
Everything has to speed up.
And then there’s cybersecurity and the mishmash of applicable new laws, standards and regulations that also have to be implemented in practice (for example ISO 21434 and UNECE Regulation No. 155 (WP.29)).
In theory, it is absolutely clear that cybersecurity has to be established at the highest level. But let’s be honest for a moment: no one starts from scratch. There is no ideal scenario in which the dimension of cybersecurity can be smoothly integrated into the existing pillars that have grown over the years (at the level of organization, project, process, functions and roles).
With this in mind, it is not advisable to view cybersecurity as an add-on or a new layer that somehow has to be squeezed into the existing structure.
Let’s rethink how to integrate cybersecurity into the development of products, solutions and systems. In general, we all agree that cybersecurity has to be taken into account from day one when developing products, solutions and systems. But the question is how to achieve this.
Cybersecurity next to the development project
When we talk about cybersecurity existing next to the development project, we think of two functions working more or less independently of each other in two parallel worlds. On the one hand there are the development projects, on the other hand there is cybersecurity (as a department, function or role …).
This is not an unusual scenario in the real world, because at the end of the day, cybersecurity is about the functions and the people you have to achieve it.
As outlined, this can also be the case if the development project is already “up and running”, or if, for whatever organizational reasons, a project is launched from a particular perspective, independent of the holistic involvement of cybersecurity.
Cybersecurity next to the development, but connected
The second possibility is that cybersecurity coexists with project development, with a link between both functions. Of course, this entire model stands or falls with the quality of this link in practice.
The communication, the workflows, the cross-linking processes (and much more) decide how successful the information exchange between cybersecurity and development is.
Not to mention that the very first thing that suffers is cross-team communication, as automotive organizations are too often in firefighting mode these days.
An exaggerated metaphor fits here: product development builds a paper house. Shortly before project completion, the project starts to involve cybersecurity, asking for the best possible lock to be placed on the paper door.
Fully integrated cybersecurity
The third possibility: Cybersecurity is an end-to-end part of the product development projects.
It is fully integrated into the development lifecycle in all its project phases and process steps, from the initial project kick-off through the full development process and its different phases until development is finished.
With this, cybersecurity-specific responsibilities and objectives need to be adapted and included in the various phases of the development lifecycle.
Just as cybersecurity is an integral part of the finished outcome of any development, cybersecurity must naturally be considered during the projects that develop the products.
Why does this matter?
By looking at how cybersecurity can be part of product development, we are not in the realm of security; rather, we are looking at a topic that is absolutely relevant to business.
The automotive industry is urged to integrate cybersecurity into the entire product lifecycle (not least because ISO/SAE 21434 requires this, along with the related evidence).
Thus, we have cybersecurity as a new dimension of quality.
In simple words: no cybersecurity in the development project, no business. Hello, cybersecurity, the new business enabler.
How does a modern organization in the automotive industry work when it comes to the efficient realization of developments?
There are quite a few development projects, and of course, none of this starts from zero.
There is a need for a framework: an existing setup that defines the general parameters for development projects.
And, of course, this framework can only do what it is supposed to do when cybersecurity is fully integrated into development projects: achieving cost efficiency, reducing reluctance, avoiding redundant work, establishing consistent policies and ensuring cybersecure products.
Manuel Sandler is Associate Partner at CYRES Consulting. He has many years of experience in global project and process management in various parts of the value chain, including OEMs and Tier-1. He is an ASPICE Provisional Assessor and an expert in Engineering Process Development, ISO 26262, ISO/IEC 15288 and ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering.