The automotive industry is experiencing unprecedented digital and technological trends. From autonomous, self-driving and software-defined vehicles to connectivity, artificial intelligence (AI) and smart factories, companies have a lot to understand and navigate to produce the best vehicles and driver experiences, all while cyber threats from nefarious actors threaten the progress, trust and sales gained from technological mobility masterpieces.
Steer clear of cyber threats
ISO/SAE 21434 – the first international standard for automotive cybersecurity
The shift toward vehicle connectivity and automated vehicles, coupled with increasing numbers of complex automotive components, has heightened the risk of cyberattacks. Integrating electronic systems, connectivity and automation into vehicles increases the chances of hacking, data breaches and virus or malware infection, among other threats.
ISO/SAE 21434 is the automotive industry’s first international standard for automobile cybersecurity. It aims to reduce the risk of cyberattacks by embedding best cybersecurity practice into automotive products throughout their lifetimes.
This standard specifies engineering requirements for cybersecurity risk management. These cover the concept, product development, production, operation, maintenance and decommissioning of series production electrical and electronic (E/E) systems in road vehicles, whose development or modification began after the standard was published in 2021. This includes their components and interfaces.
ISO/SAE 21434's framework covers processes for risk assessment, treatment, monitoring and review, as well as requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risks.
Automotive manufacturers must also demand that their suppliers comply with relevant cybersecurity standards, such as ISO/SAE 21434.
The standard does not prescribe specific cybersecurity technologies or solutions.
What are the benefits?
ISO/SAE 21434 certification gives you a competitive advantage and helps ensure customer trust. Certification follows successful completion of an audit and enables you to:
- Ensure that products and services are developed and maintained via a secure and trustworthy management process
- Better identify and mitigate potential threats and vulnerabilities
- Indicate that you have conducted a security assessment with the greatest possible independence
- Demonstrate your level of embedded cybersecurity to customers
- Improve operational efficiency
- Reduce costs
- Contribute to UN Sustainable Development Goal (SDG) 9 – industry, innovation and infrastructure
Certification can also help you comply with relevant standards and regulations, such as UN Regulation No. 155 (UN R-155) – cybersecurity and cybersecurity management system – and the General Data Protection Regulation (GDPR).
How can we help?
Successfully implementing ISO/SAE 21434 is a complex and ongoing process. You must fully understand the standard, gain commitment from top management and regularly conduct comprehensive risk assessments. You must also develop and document cybersecurity policies and procedures, so cross-functional teams can respond to incidents effectively and undertake continuous improvement.
Combining our extensive automotive and digital trust experience, we can help you along the path to certification with an ISO/SAE 21434 audit. Your audit can include a gap assessment and benchmarking. We will determine your level of competence and provide advice on how to achieve ongoing improvement.
SGS Academy also offers an Introduction to ISO/SAE 21434 training course that introduces automotive cybersecurity, the standard, cybersecurity in product development and how to implement best practices.
TISAX® – trusted automotive industry information security
Businesses wanting to remain competitive in the digital age must pay close attention to information security. This is particularly true for the automotive industry, where massive amounts of confidential data are exchanged daily.
The Trusted Information Security Assessment Exchange (TISAX) is the leading automotive industry information security initiative. The assessment helps ensure a uniform level of information security among car manufacturers, service providers and suppliers. It helps to protect data by confidently ensuring integrity and availability in automotive business processes, including manufacturing.
A dedicated online platform has been developed for the exchange of information security assessment results. After registration, companies can share their assessment results with trusted business partners.
TISAX is based on the Information Security Assessment (ISA) developed by the German Association of the Automotive Industry (VDA) and Volkswagen. The catalog includes criteria for assessing automotive supply chain organizations’ information security based on ISO/IEC 27001 (information security management systems) and ISO/IEC 27002 (information security controls), but has additional requirements as well.
The ENX Association maintains the ISA, audit provider criteria and assessment requirements (TISAX ACAR). It also approves audit providers and monitors the quality of implementation and assessment results. ENX is supported by the TISAX Committee, comprising manufacturers, suppliers and associations.
What are the benefits?
Successfully passing a TISAX assessment allows your organization to share the TISAX label with business partners. This helps highlight your information security status. Key benefits include:
- Assessment results recognized by all TISAX participants
- A commonly accepted assessment standard that enables the exchange of assessment results
- Accepted by suppliers and original equipment manufacturers (OEMs)
- Saves time and money
- Creates confidence in your company
- Eliminates duplicate and multiple assessments
How can we help?
Utilizing our key experience and global network of experts, we are perfectly placed to provide TISAX alongside helping you manage your supply chain, provide safe and reliable vehicles, improve quality, efficiency and safety, and reduce environmental impact.
We can guide you through the entire TISAX process, including registration, assessment provider selection, document review and/or on-site assessment and exchange of results.
SGS Academy also offers a TISAX Introduction training course. On completion of this face-to-face or virtual instructor-led training (VILT) course, you will understand TISAX requirements and elements, the differences between this initiative and ISO/IEC 27001, and how to execute a TISAX project.
ENX VCS – a standardized, industry-wide cybersecurity audit scheme
Recognizing an evolving need, individual automotive industry stakeholders asked ENX to create and maintain a standardized, industry-wide audit scheme for a supply chain vehicle-cybersecurity management system (V-CSMS).
The ENX Vehicle Cybersecurity (ENX VCS) audit provides the industry with a uniform road vehicle cybersecurity standard for suppliers, leveraging the existing ENX audit framework and infrastructure.
ENX governs ENX VCS by managing an approved pool of auditors, maintaining provider criteria and assessment requirements, and monitoring audit quality. It also administers the exchange mechanism and provides a single results database.
UN R-155 requires vehicle manufacturers to manage dependencies of their V-CSMS with supplier-related risks to the security of vehicles or vehicle components. V-CSMS supplier audits can support vehicle manufacturers in managing such dependencies.
What are the benefits?
ENX VCS is the universal certification standard for an ISO/SAE 21434-compliant V-CSMS and wholly implements ISO/PAS 5112 (road vehicles – guidelines for auditing cybersecurity engineering recommendations). ENX VCS provides:
- A universal standard for third-party V-CSMS certification, avoiding the growing number of proprietary schemes
- Alignment with the proven ENX Automotive Compliance, Assurance and Risk Services (ACARS) framework used for TISAX
- A standard that adopts and works with key TISAX mechanisms
- Alignment with ENX’s proven governance regime to ensure quality and comparability
- A standard developed and maintained by an international, open group of experts from leading automobile manufacturers and suppliers
- Reduced cost and effort by avoiding redundant audits and various proprietary schemes
- Relief from having to create and maintain acceptable assurances
- An approved pool of audit providers, including SGS, and audit quality monitoring
How can we help?
As a qualified and experienced provider of TISAX assessments, along with other key solutions, we will support your specific ENX VCS needs and guide you through the entire process. Our ENX VCS audits, support and expertise enable you to:
- Confirm your ENX VCS compliance
- Ensure effective cybersecurity throughout your supply chain
- Provide safe and reliable vehicles
- Improve quality and efficiency
- Reduce your environmental impact
A trunkful of trusty services
These are just some of our Digital Trust Assurance services. Contact our experts now to determine your digital needs and reinforce your protective measures.
This information is part of our new white paper – Steering clear of automotive industry cyber threats.
About SGS
SGS is the world’s leading Testing, Inspection and Certification company. We operate a network of over 2,500 laboratories and business facilities across 115 countries, supported by a team of 99,500 dedicated professionals. With over 145 years of service excellence, we combine the precision and accuracy that define Swiss companies to help organizations achieve the highest standards of quality, compliance and sustainability.
Our brand promise – when you need to be sure – underscores our commitment to trust, integrity and reliability, enabling businesses to thrive with confidence. We proudly deliver our expert services through the SGS name and trusted specialized brands, including Brightsight, Bluesign, Maine Pointe and Nutrasource.
SGS is publicly traded on the SIX Swiss Exchange under the ticker symbol SGSN (ISIN CH1256740924, Reuters SGSN.S, Bloomberg SGSN:SW).
16th Floor, Block A, No.73 Fucheng Road, Century Yuhui Mansion,
Beijing, Haidian District,
China