Mar 02

Why cybersecurity is at risk of failing in automotive organizations

Cybersecurity Automotive Challenges

“Cybersecurity fails because you haven’t bought solution XYZ yet.” That’s how simple it is in the majority of publications. But in automotive industry practice, it’s a bit more complicated. At this point, we want to use our experience from project work with leading international automotive manufacturers and suppliers and try to analyze in more depth the most important barriers around establishing cybersecurity for vehicles (and their various components and systems).

While with notebooks or smartphones it is more or less true that the end user is finally responsible for ensuring the cybersecurity of their device, in the case of vehicles the responsibility lies primarily on the shoulders of the original equipment manufacturer and its suppliers.

Due to the growing number of interfaces (such as: Mobile Internet, Wi-Fi, Bluetooth, USB, charger, in-car payment options and many more), the resources to be used for ensuring cybersecurity in the modern vehicle are increasing. This not only affects the performance of the product, but leads to a noticeable impact on all other system attributes. And in particular, new domains outside of development are added, such as product monitoring or key management requirements in production.

The importance of cybersecurity around the vehicle is huge. Even more so when you consider that, in addition to information security-related aspects, the vehicle, occupants and their surroundings can also be affected physically. So we’re talking about potentially life-threatening risks.

In our consulting business, we experience the multifaceted business and project relationships between OEMs and Tier N suppliers first-hand. Crucial here is the ongoing tension between cybersecurity requirements (resulting from specific customer requirements as well as demanded by automotive standards and regulations) on the one hand, and the efficiency-driven general conditions of project development on the other, which are accompanied by the fact that automotive cybersecurity is a completely new domain.

Establishing cybersecurity should unquestionably not be optional.

Nevertheless, there seem to be recurring inhibitors that hamper this.

We will try to provide an overview below.

The strategic dimension

Insufficient understanding of systems in product development

The first and initial challenge in establishing cybersecurity has nothing to do with it at all. It lies in an insufficiently given holistic system understanding to capture the growing complexity of a development project. Silo thinking, inflexible structures or perhaps a lack of knowledge about the far-reaching requirements of the automotive industry in terms of homogenization and standardization? All too often, inadequately structured and systematic development approaches to architecture, system design, and related documents face an almost impossible challenge when the incorporation of cybersecurity is compounded.

Lack of clarity about the status within the automotive value chain

What is the actual situation regarding the consideration of cybersecurity (and everything that goes with it) in relation to the given component or system? With the rapid technological advancement of the vehicle and the emerging obligations, set by industry standards and regulations only until now, the question of the effort required for cybersecurity in development projects is widely dominated by a total lack of knowledge. This is understandable, since there is currently a general insufficient understanding about how standards and regulations should be applied at all and which requirements need to be met in concrete terms.

Perception of cybersecurity as an add-on

A common misconception is that cybersecurity is an add-on, a topping so to say, that can simply be added to an existing product or a product under development. Regardless of the fact that this assumption is probably based on a lack of understanding of the scope and principles of cybersecurity, it is the absence of an overall structure, as mentioned above, that is the reason why cybersecurity cannot simply be “added”. A “develop first, protect later” approach is no longer feasible in today’s complex automotive development world. (Learn more about this: How to successfully establish cybersecurity in existing development projects)

The inadequate consideration of the entire product lifecycle

Cybersecurity around the vehicle is an issue that affects the entire product lifecycle. Especially if you are familiar with the long development cycles of the automotive industry or compare the half-life of a vehicle with a smartphone, it quickly becomes clear that there is not only a lot at stake, but also a very long period of time during which cybersecurity must be ensured – with the same hardware. One thing is clear: The later in the development cycle a cybersecurity-relevant vulnerability is discovered or a correction becomes necessary, the more resource-intensive this becomes. Even more so after the start of production or already in use in the field. For example, the establishment of so-called incident response teams (and the associated resource-intensive expenditures required to set this up in a sustainable manner) all too often still seems to be a completely underestimated dimension. You can watch our video course on Cybersecurity Impact in the Vehicle Product lifecycle to more deeply understand what we mean.

Lack of clarity about responsibilities – not only internally!

ISO/SAE 21434, the industry standard developed jointly by ISO and SAE (officially published in 2021. Learn more: ISO/SAE 21434 is now officially published), is considered the most important reference point for automotive cybersecurity. However, in addition to the possible discussion of the content, the main questions making the rounds in organizations, projects and teams are these: How can we now certify ourselves accordingly? How can the organization demonstrate application of the standard? Is there an official “ISO/SAE 21434 certified” label? What does ISO/SAE 21434 mean with competence management? How can projects be certified? What is the possibility of personal certification? And who has to do what and how? At the moment, not all questions have been clarified on the institutional side, nor have all relevant guidelines been developed or published. Neither have the responsibilities and resources been allocated internally in the organizations.

The tactical approach and operationalization

Complexity

The given complexity of the vehicle, even more so with regard to what is currently being developed and will not be seen on the roads for many years, often brings with it a recurring ambiguity: Does my system, component or asset have cybersecurity relevance at all? And if so, to what extent? What does it mean? Which requirements come into play? In particular, the holistic and procedurally clean integration of evaluation, assessment and measures in iterative incremental cycles is critical to success. Accordingly, the importance of TARA along ISO/SAE 21434 cannot be overstated. (More about this: What are Cybersecurity goals and Cybersecurity claims?) For this, more and more departments, functions and roles are becoming indispensable and must focus on ensuring cybersecurity throughout the organization and across projects.

Secure Design

Secure design principles already exist. Automotive development does not have to start from scratch in many places. The rapid pace of technological development continues to bring new systems, components and functions to the vehicle. Again and again, especially in the subsequent areas of the supply chain, development teams are surprised by the requirements, measures and methods that should have been taken into account from the very beginning. High-performance systems are developed, but the necessary resources for cybersecurity measures and activities are left out. If you try to develop systems without considering cybersecurity (and only with a view to performance and cost efficiency), you are doomed to fail. The effort for cybersecurity must be included in the calculation right from the start.

Lack of documentation and the importance of traceability.

Have we actually considered this correctly now? And how exactly? Particularly in view of the (in some cases already mandatory!) application of standards and regulations – and the associated assessments, audits and certifications still to come – fully transparent tracking and documentation is becoming the key when it comes to cybersecurity. Have they been created at all, created incompletely, not uniformly, or only created afterwards? Tricky. The complete documentation of measures, analyses, decisions, contexts (among other things) is not only indispensable, but is also what makes the management of vehicle cybersecurity actually possible in the first place. (+ For certain materials, retention periods of 10 years or more after the end of production are mandatory).

Information and data flows

Although the data collection mania is currently also viewed critically, the automotive industry is aware, on both, at large and small scale, that information and data flows not only open up new fields of action, but also require defined interfaces and associated decisions. In practice, two opposing positions are often found. On the one hand, data should only be created and shared as restrictively and carefully as possible. On the other hand, there is the (possibly too naive) approach of allowing data to accumulate and making it available generously or even unprotected. What may seem reasonable from a functional point of view may be a no-go from a cybersecurity perspective. The key here is to keep an eye on the big picture and avoid arbitrary decision-making.

The culture

Cybersecurity, that is the people behind it

While in the nearby discipline of information and IT security, upgrading solutions to protect data and systems has been the main focus for decades, only in recent years has the human factor come into the spotlight.

It is now well established that, when it comes to IT security matters, even the largest organization is only as strong as the individual employee.

While automotive cybersecurity is currently primarily a matter of advanced education and training for specialists, it is clear that the establishment of a cybersecurity culture will become essential for the entire industry.

In concrete terms, this is already required by ISO/SAE 21434 and UN Regulation No. 155.

To sum it up

One thing is clear: as complexity increases, the automotive industry in particular (which is currently known for its somewhat inflexible structures and slow decision-making processes) is faced with the task of addressing cybersecurity issues in a timely manner.

“Cybersecurity on top” – as nice as this idea might sound to many – will not work in practice. It is important to integrate cybersecurity into ongoing processes and developments in the best possible way and from the very beginning, rather than trying to place it at the top as a complementary element.

In summary, it can be stated: The high complexity of cybersecurity becomes manageable through systematic development work.

Or, to put it simply: If you work professionally, you can also work professionally cybersecure.

Sign up for our CYRES Consulting Automotive Cybersecurity Newsletter

Stay informed! Receive regular insights into current topics related to cybersecurity in the automotive industry directly to your inbox.

Sign up here for the newsletter, free of charge and with no obligations.

NEW! Fundamental Principles for Automotive Cybersecurity for your role

Discover which of our new 8 on-demand learning bundles based on the ACP Framework competence model fits your role.

Popup

Error: Contact form not found.



 

Essential Guide

The Essential Guide to ISO/SAE 21434

How to manage the challenges of the new automotive cybersecurity standards and regulations

Essential Guide

The Essential Guide to ISO/SAE 21434

How to manage the challenges of the new automotive cybersecurity standards and regulations

X