5 ways to streamline the implementation of Automotive Cyber Security Management Systems
With the rise of technology and advancements within the field of connected and autonomous driving, vehicles are increasingly vulnerable to cyber-attacks, underlining the need for robust systems to manage and eliminate risk. Against this backdrop, bridging the gap between current provisions and evolving security requirements is critical. In this article, Joachim Mohs, PwC Global Automotive Cyber Security Leader, explores how this can be achieved.
Connected and autonomous driving represents an exciting new frontier for the automotive industry. Technological developments in this area will create countless new opportunities for innovation, and while this prospect is hugely enticing for OEMs, suppliers and drivers alike, the escalating security risks must be acknowledged. We are entering uncharted territory and as of yet there is no definitive watertight plan for how to prevent security concerns for the automotive vehicle ecosystem.
The pace of change within this area continues to outstrip regulation, and in the absence of a clear, cohesive and sufficiently detailed set of operating rules for market players spanning multiple geographies, important question marks around the next steps for Cyber Security Management Systems (CSMS) remain.
Regrettably, the automotive industry does not have the luxury of waiting for regulators to set the direction of travel and must act to deliver on what is fast becoming a business-critical item. The success of companies in terms of implementing CSMS will go a long way to reshaping the automotive sector, and those who achieve traction in this area stand to gain an enormous source of competitive advantage. Security and safety are the bedrock of this new chapter of automotive, and automotive businesses are investing accordingly. But how can they maximise their chances of success?
PwC recently conducted an in-depth survey on how automotive businesses perceive the field of cyber security, and the steps they are taking to rise to the challenges ahead. Drawing on these insights, here is a selection of steps to help businesses prepare for the future.
Adopt a proactive approach to compliance
While opinions varied between OEMs and suppliers on the nature of the cyber security challenges facing the automotive ecosystem, both groups were in resounding agreement that the number of cyber-attacks on vehicles and the automotive ecosystem will increase dramatically.
The role of regulation is to mitigate any such security risks and while certain regions have begun to implement regulations governing CSMS, in many markets legislation has yet to reach even draft stage. Thus, it is inevitable that governments will continue to tighten regulations in the coming months and years.
Such ambiguity is problematic for OEMs, given their need to uphold their regulatory obligations, as well as partners and suppliers, who are then liable for delivering technical solutions that ensure compliance.
Compliance with corresponding legislation will prove increasingly necessary to secure approval for the sale of new vehicle types. Two-fifths of interviewees in our recent survey on CSMS said that CSMS requirements will result in delays in the homologation of new vehicle types; therefore, to combat any such adverse impact, it is necessary to anticipate upcoming changes in regulation and act pre-emptively. The typical duration of CSMS projects makes this all the more crucial.
Our survey also highlighted a low level of awareness among companies of how they are positioned in relation to competitors from a technological and compliance standpoint – increasing visibility in this area would therefore be a worthwhile exercise. Preliminary examples show that companies that are slow to address the cyber security requirements are losing market share.
Develop a strategy for success
Compliance is undeniably important; however, it would be reductive and risky to make this the primary focus of any CSMS project. Instead, a clear and holistic business strategy should always provide the basis for digital transformation. In the first steps, it is important not to narrow the view to a specific aspect within one's own company. For an efficient approach, the cybersecurity of OEMs and suppliers must integrate more closely.
Following such an approach is proactive rather than reactive. We are already seeing OEMs placing an increased focus on efforts to address CSMS across the organisation, with greater involvement from other business functions than is the case for their supplier counterparts. For OEMs, CSMS features high on the agenda of internal governance structures and by virtue of this, such initiatives have the support and impetus from senior management to succeed.
Target opportunities for synergies
When it comes to addressing cyber security threats related to connected vehicles, the automotive industry is characterised by low levels of consistency and transparency. It must overcome its shortcomings in these areas to be able to navigate the challenges ahead effectively.
Establishing a set of common standards and requirements for CSMS would yield substantial benefits, helping to avoid complexity and customisation before common interpretations and market standards are established.
Currently, automotive executives remain unconvinced of the need for fully integrated management systems. Despite CSMS being established to some extent in all of the organisations surveyed, the degree of interconnection with other management systems is still relatively minor, albeit slightly higher for OEMs than suppliers. Indeed, most of the companies PwC interviewed appear to be seeking to interlink the management systems rather than achieve full integration. This approach would address concerns around certifiability and risk segmentation while supporting the flexibility and auditability of the CSMS approach.
There is strong alignment between the business interests of OEMs and suppliers, and our survey identified a consensus that collaboration throughout the value chain will remain as important as ever moving forward, given the interconnected nature of the supply chain. However, in terms of whether the industry believes OEMs should provide suppliers with support in meeting CSMS requirements, the result was inconclusive.
Accelerate the pathway to CSMS maturity – sooner, rather than later
Our research into the state of play within CSMS made some important findings about the maturity of the CSMS. Despite clear evidence that OEMs have begun to make progress in developing CSMS designs, the bottom line is that the maturity and scope of these measures must rapidly evolve and improve to protect against a growing array of threats.
Although suppliers and OEMs are at slightly different stages in their respective CSMS implementation journeys, they both recognise that CSMS implementation is still in its infancy. The fact that OEMs, suppliers and market experts each reported very different interpretations of their level of progress speaks volumes about the lack of transparency on this topic within the automotive industry due to the absence of an objective framework for assessing progress. Rectifying this will ensure the entire industry is working more collaboratively to a consistent set of standards and expectations.
By understanding the exact compliance requirements for CSMS, OEMs will be better placed to measure the output of their suppliers. Similarly, suppliers can gain a competitive advantage by demonstrating that they comply with security requirements, which will become all the more important as legislation tightens. Independently assessing businesses according to a set of accepted standards will prove decisive in ensuring CSMS reaches maturity at the required pace. With 89% of OEMs in agreement that cybersecurity maturity will be a distinct source of competitive advantage for selling vehicles in the future, it is clear why this should ideally happen sooner rather than later.
Put CSMS to the test
After designing a CSMS, companies should conduct a dry run to validate whether their CSMS works effectively and is resource-saving in operation. Investing the required attention at this stage can play a vital role in identifying potential security issues, significantly impacting the cost of cyber security for ongoing business. This view was validated in our survey, in which all respondents stated that the development and testing phase would be key to revealing weaknesses within CSMS. If CSMS designs currently being implemented cannot be operated as planned, these systems will represent a potential future compliance risk.
Even with considerable investment of time and resources into testing, interviewees estimated that approximately one-third of vulnerabilities will be identified after production. Given that the post-production phase can last as long as 20 years, even with the best possible CSMS designs and most rigorous testing, it is still impossible to comprehensively account for every possible security risk that may arise during this period.
Place software at the heart of CSMS projects
Developments such as 5G, the Internet of Things and advancements in optical image processing will redefine the next generation of vehicles, transforming the entire automotive ecosystem in the process.
Modular and scalable software will play an integral part in advancing CSMS in the automotive sector and will enable companies to produce and operate vehicles in the most cost-effective way possible over the long term. This increases the pressure on the maturity of secure software development. To understand why businesses must prioritise software in the context of their CSMS projects, we need look no further than the 96% of interviewees who identified software architecture as key to their future success. That 75% of interviewees identified a need for technological development in the areas of fleet monitoring and vehicle security operations centres further reinforces this fact.
As for how cyber security will transform vehicle architecture in the future, the majority of responses erred on the side of caution, which suggests that companies have not yet decided on a particular path and that the long-term future is very much open. As vehicle control systems grow in complexity, this places a greater burden on software functions, leaving them increasingly vulnerable to cyberattacks – unless appropriate solutions can be found.
Joachim Mohs, Global Industrial Manufacturing and Automotive Cyber Security & Privacy Leader, Partner, PwC Germany