Cybersecurity is a major topic in the automotive industry. However, for newcomers to the cybersecurity world, it is not easy to understand how to integrate it as smoothly as possible into a company’s operations. This blog post therefore aims to clarify the landscape of cybersecurity standards and regulations that can be used as guidelines to implement and grow a cybersecurity culture in companies involved in the automotive sector. Applying standards is not a shield against all incidents, but they establish the baseline of security checks, processes and guidelines that must be addressed for good cybersecurity hygiene.
The blog post is divided into two main sections: first, definitions of IT Security, OT Security and Product Security and the differences between them; then, the interconnections between those three domains and how to map the relevant standards onto them. The figure below illustrates those interconnections.
Note: This infographic only illustrates the use case and does not represent a real infrastructure.
This first domain is the most mature one. IT Security has been a concern for years now. The scope of IT Security is all relevant assets required to run the business, and ensuring their Confidentiality, Integrity, and Availability, also known as the CIA triad. Several standards guide companies in securing their IT infrastructure. The best known is ISO/IEC 27001, which requires a complete Information Security Management System (ISMS). It aims to implement security measures to secure the whole company’s information. As a side note, ISO/IEC 27001 covers IT and non-IT assets (such as paperwork, access to the building, and proprietary knowledge). The advantage of ISO/IEC 27001 over the NIST (National Institute of Standards and Technology) Cybersecurity Framework is the certification process behind the ISO standard. The certification can give a competitive advantage over companies that are not certified. Furthermore, it ensures that risks are covered and that an incident response plan is implemented and documented in case of attacks against any of the company’s assets.
For years, companies have claimed their infrastructures were secure because they ran on a network “air-gapped” from the IT network and only containing several PLCs (Programmable Logic Controllers) without any OS or Ethernet connection. Consequently, the significance of OT security remained relatively subdued. Nevertheless, a shift has occurred, as major corporations now prioritize OT security to safeguard their manufacturing facilities. Initial measures involved raising awareness among factory personnel about good cybersecurity practices. Subsequently, technical measures were implemented to identify and secure the various assets. Asset classification aligns with the CIA triad, although certain domains emphasize availability over confidentiality. This divergence stems from the substantial financial repercussions of machine downtime, which can cost companies millions due to halted production.
Building on this, a major suite of standards known as ISA/IEC 62443 can be introduced. This set of standards covers a broad spectrum, from high-level policies to specific component requirements, including the Security Development Life Cycle (SDLC). Furthermore, it encompasses the entire supply chain, from factory operators to machine suppliers, and its common vocabulary is maintained consistently across that supply chain, ensuring effective communication and alignment throughout. Major concepts that can be taken from ISA/IEC 62443 include the defense-in-depth principle and the zone and conduit framework. The zone and conduit framework involves creating several zones by grouping assets with common security requirements. Between these zones, conduits are defined to specify the communication technology used and its security requirements.
IT & OT Convergence
IT & OT security have been presented as two different domains. However, treating them as two entirely separate things is a bad idea. It can lead to duplicated work on both sides, where one effort could be centralized and valid for both the IT and OT world, or, worse, to one domain assuming the other has done the job for both when that is not the case, which can lead to security breaches in the company. The separation of IT and OT does make sense, for example, during the asset inventory, when prioritizing which cybersecurity property (confidentiality, integrity or availability) matters most, or when safety has to be considered. But facilities are becoming more and more aware of OT security and more connected. This could therefore lead to a partial or complete merge of IT & OT activities.
The primary distinction between product security and OT/IT security lies in their focus. In the case of an OEM, product security aims to protect the organization’s products, such as a vehicle and its backend. IT/OT security, on the other hand, is geared towards securing the IT infrastructure and the OEM’s factory.
Product security is trending and is a major topic of discussion due to new regulations required by UNECE member countries. This regulation, UN ECE R155, Cyber security and cyber security management system, makes it mandatory to apply a management system that implements cybersecurity measures, both at the organizational level of the company and at the product level. In addition, one of the requirements is to take supply chain risks into account, so this regulation is going to bring changes to the whole automotive industry. This transition is made visible by the ISO/SAE 21434 standard, which is directly referred to in the regulation. Third-party suppliers use this standard to show the OEM (Original Equipment Manufacturer) or their Tier superiors that they comply with the regulatory requirements addressed to them. A second regulation from the UN ECE working group, R156, Software update and software update management system, is raising some concerns, as the related ISO standard, ISO 24089, was published in Q1 2023 and requires some cybersecurity evidence through the supply chain.
OEM Use case example:
The second part of this article illustrates the integration of these three standards in a fictitious company acting as an OEM. An OEM was chosen so as to consider as many standards as possible. For small SMEs, the implementation and continuous improvement of the frameworks proposed by ISO 27001 and IEC 62443 would be neither valuable nor sustainable, given the work involved. That is why, for these companies, we recommend a tailored approach based on best practices where standards are not mandatory.
A simplified OEM company structure can be seen as four pillars: Headquarters, with administrative departments and top management; Research & Development teams, which develop future vehicles; factories, which produce the vehicles; and finally “Operations”, which manages the vehicles currently on the roads, performing their updates and monitoring potential vulnerabilities in them.
Business area: “IT Security”
For the IT world of an automotive company, or of a company involved in the sector, the ISO 27001 standard implements a strong baseline for information security as a whole.
In addition to this standard, with some fine-tuning, particularly for data protection, a TISAX (Trusted Information Security Assessment Exchange) certification could ease your business relationships with other manufacturers or suppliers. TISAX is a certification developed by the VDA (DE: Verband der Automobilindustrie, EN: German Association of the Automotive Industry) and ENX (European Network Exchange), the European association of vehicle manufacturers and their suppliers. This certification ensures that suppliers and providers in a commercial deal have a strong cybersecurity culture. A complete blog post about TISAX and what it means to be TISAX certified will be published soon.
R&D teams & operations: “Product Security”
These teams conceive and develop new vehicles and/or vehicle functions. This is where all the technical knowledge is developed. Thus, a specific standard for cybersecurity applied to road vehicles was released in 2021, ISO/SAE 21434. It is founded on the same principle as ISO 27001, requiring the establishment of a management system known as the Cyber Security Management System, often referred to as the CSMS. A whole miniseries about this standard is available on our blog, see here. In essence, this standard encompasses both organizational and product-level considerations. It outlines prerequisites concerning the cybersecurity qualifications of employees at the organizational level. Meanwhile, at the product level, it entails directives related to risk assessment, development methodologies, and verification & validation phases. Additionally, the standard extends its purview to the post-development phase, mandating manufacturers and tier-x suppliers to monitor their products for potential vulnerabilities. These steps introduce novel aspects for companies operating in the automotive industry and are a big challenge for them.
A new standard published in 2023, ISO 24089, focuses on software update capabilities from both the vehicle and the infrastructure points of view. Although it is not a specific cybersecurity standard, some of its requirements focus on cybersecurity, for example through risk assessment and security requirements. To delve deeper into this standard, a dedicated miniseries is available on our blog here.
ISO/SAE 21434 and ISO 24089 are derived from the UN ECE regulations R155 and R156. Thus, they are almost mandatory for all suppliers, due to the supply chain requirements in the regulations applied to vehicle manufacturers.
Factory: “OT Security”
There is no regulatory or legal obligation on the factory owner regarding factory cybersecurity. However, the mandatory ISO standards for road vehicle cybersecurity refer to a well-established IEC (International Electrotechnical Commission) and ISA (International Society of Automation) standard, IEC/ISA 62443. IEC/ISA 62443 is made up of 14 sub-parts that describe requirements ranging from high-level company policies to the specific requirements for components integrated into devices sold to factory operators. In the context of an automotive company operating a factory, IEC/ISA 62443’s advantage is that it maps onto ISO 27001 for the policies and technical specifications. Another significant input is the suggested “Purdue” model, used to create different zones and isolate them from each other. Furthermore, this standard has been written by automation and industrial sector experts. Thus, it is readable and comprehensible for non-cybersecurity specialists from those sectors. For more information about IEC/ISA 62443, an in-progress miniseries about this standard is available in our blog post catalogue, see here.
Finally, as an overview, the figure below summarizes the different departments and the related standards.
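To make the zone and conduit concept from IEC/ISA 62443 concrete, here is an added example (not code from CertX or from the standard) that models a small factory as zones of assets, defines the conduits permitted between those zones, and checks a handful of observed network flows against them. The zone names, the simplified target security levels, the protocols and the flow records are all constructed for illustration; in a real plant they would come from the asset inventory and from network monitoring.

```python
"""Zone-and-conduit policy check (added example, not part of the original post).

Assets are grouped into zones with a common (simplified) target security
level, conduits declare which zone pairs may communicate, over which
protocols and with which security requirement, and observed flows are
classified as allowed, violation or unknown-asset.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int         # simplified target security level (SL-T), 1..4
    assets: frozenset      # asset identifiers grouped into this zone


@dataclass(frozen=True)
class Conduit:
    src: str               # source zone name
    dst: str               # destination zone name
    protocols: frozenset   # communication technologies permitted on the conduit
    requires_auth: bool    # security requirement attached to the conduit


@dataclass(frozen=True)
class Flow:
    src_asset: str
    dst_asset: str
    protocol: str
    authenticated: bool


class ZoneModel:
    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.asset_zone = {a: z.name for z in zones for a in z.assets}
        self.conduits = {(c.src, c.dst): c for c in conduits}

    def zone_of(self, asset):
        return self.asset_zone.get(asset)

    def evaluate(self, flow):
        """Return a (verdict, reason) pair for a single observed flow."""
        src_z, dst_z = self.zone_of(flow.src_asset), self.zone_of(flow.dst_asset)
        if src_z is None or dst_z is None:
            return "unknown-asset", "asset missing from the inventory; assign it to a zone"
        if src_z == dst_z:
            return "allowed", f"intra-zone traffic inside {src_z}"
        conduit = self.conduits.get((src_z, dst_z))
        if conduit is None:
            return "violation", f"no conduit defined from {src_z} to {dst_z}"
        if flow.protocol not in conduit.protocols:
            return "violation", f"{flow.protocol} not permitted on conduit {src_z}->{dst_z}"
        if conduit.requires_auth and not flow.authenticated:
            return "violation", f"conduit {src_z}->{dst_z} requires authenticated sessions"
        return "allowed", f"matches conduit {src_z}->{dst_z}"

    def report(self, flows):
        return [(f, *self.evaluate(f)) for f in flows]


def build_demo_model():
    """Constructed plant: an enterprise zone, a plant DMZ and one production cell."""
    zones = [
        Zone("enterprise", 1, frozenset({"erp-01", "ws-01"})),
        Zone("plant-dmz", 2, frozenset({"historian-01"})),
        Zone("cell-a", 3, frozenset({"plc-a1", "hmi-a1"})),
    ]
    conduits = [
        # Only the DMZ historian may reach the cell, and only over authenticated OPC UA.
        Conduit("enterprise", "plant-dmz", frozenset({"https"}), True),
        Conduit("plant-dmz", "cell-a", frozenset({"opc-ua"}), True),
        Conduit("cell-a", "plant-dmz", frozenset({"opc-ua"}), True),
    ]
    return ZoneModel(zones, conduits)


# Constructed flow records, e.g. as exported from a passive network monitor.
DEMO_FLOWS = [
    Flow("ws-01", "plc-a1", "modbus-tcp", False),        # office workstation talks to a PLC
    Flow("historian-01", "plc-a1", "opc-ua", True),      # permitted conduit, authenticated
    Flow("historian-01", "plc-a1", "opc-ua", False),     # permitted path, missing authentication
    Flow("hmi-a1", "plc-a1", "modbus-tcp", False),       # intra-zone traffic in the cell
    Flow("erp-01", "historian-01", "https", True),       # enterprise to DMZ over HTTPS
    Flow("laptop-99", "plc-a1", "ssh", True),            # asset nobody inventoried
]

if __name__ == "__main__":
    for flow, verdict, reason in build_demo_model().report(DEMO_FLOWS):
        print(f"{verdict:13} {flow.src_asset:>12} -> {flow.dst_asset:<12} {flow.protocol:10} {reason}")
```

The first violation (an office workstation reaching a PLC directly) is exactly the IT/OT boundary the Purdue model is meant to enforce, and the "unknown-asset" verdict shows why the asset inventory has to come before any zone design: a flow cannot be judged against conduits until both endpoints belong to a zone.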
CertX as your partner for cyber security
If you have any questions about the new regulatory situation around cyber security for the automotive industry, or any other open points about how the application of the relevant standards and certifications could be used for compliance, please do not hesitate to contact our cyber security experts.