Assured 💛 Automotive
by Heidi Norman 2023-03-23
This is the first blog post in a series on cyber security in the Automotive industry and what we at Assured have learnt so far. Assured has worked in both IT security and embedded security from the start, and we have seen a steady increase in Automotive work in recent years. This year we're investing more - together with our partner companies - in the security domain of the Automotive industry. We'll come to what that means from our perspective, but first let's talk about love and marriage (or perhaps first marriage and then love). Let's start!
In vehicle factories there are stations called the "marriage point", for example a main integration point where the chassis and cab are physically merged. With the introduction of the cyber security standards and regulations in July 2022 (and from July 2024 mandatory) for all vehicles, we have reached a "marriage point" in the industry between cyber security and Automotive. The UNECE R-155 and R-156 regulations make it clear that any OEM selling vehicles within the European market needs to make cybersecurity and software handling best practices standard in their daily work. The Automotive industry has to adopt a cradle-to-grave approach to security for its vehicles and connected systems. For the OEMs this means spanning cyber security from idea generation and development to production, and way beyond what the industry has previously considered "maintenance". The OEMs are responsible for their own "type approval", but the work needs to be done in all parts of the supply chain. Any supplier wanting to sell to OEMs producing for the European market needs to comply with the standards.
The standards and regulations push for:
- Management systems and awareness of risk handling at the company
- Introduction of processes to continuously improve
- Security testing activities to certify
- and more...
The main message that comes with the introduction of the standards and regulations is that cyber security is no longer an option to consider lightly. As with all introductions, real-world change takes time. The benefit of processes, audits & tests to support cyber security work is the continuous improvement over time, and this is where we stand today - at the beginning of an endless journey.
So, in a world of regulations and standards, where does love come in?
We at Assured specialize in technical security and that's what we love. What we focus on is giving an honest assessment of your security and proposals on how to improve - through security testing, training and advisory services.
We love security
Although we love security, we do not expect all of our customers to feel this way at all times - you are busy with your own customers, product and service development. Love comes in many forms and shapes: companies in Automotive love vehicles and transport solutions; developers love creating functionality to be used (where security easily becomes a blocker to freely create); testers love to challenge the systems; and product owners love to deliver working value.
So how do you tackle security in a more practical way beyond the regulatory paperwork? How do we "marry" these different views on the world?
What we have learnt is that improving security takes time, in any industry or company, so the best way to improve in Automotive is to start now. Although the processes and the paperwork are needed, they are not enough, and we recommend:
- Know your system
  - Create clarity internally by having traceability and documentation easily accessible for your staff
- Challenge yourself
  - Never trust the process or specifications blindly, always add tests to find out the real world state of your systems
  - Test internally AND get external testers to validate and challenge your "internal truth"
- Fail, learn & rise again
  - Use the test results and risk assessments to help you prioritize what to fix, and when
  - Set a strategy for your cyber security testing (including a regression testing strategy)
  - Prepare your organisation by hands-on training (internal testing, penetration testing, technical training)
  - Acknowledge failure openly in your organisation - showcase the security flaw you had and how you solved it
- Team up!
  - Find great cyber security people, companies & organisations to continue growing the community because you will benefit from it in the end. So partner up, because the best things are built together and this marriage was built to last.
We want to work with our Automotive customers to introduce the most useful cyber security activity for the phase you are in. The better we understand your needs and your world, the better we can give you value for your investment in security. We want to show our passion for security to shed some light on how to love this type of work and merge it into your daily operations.
So how do we do that? Let's talk about scoping tests in the next post!
And after this lengthy post - if you still feel lost - please contact us and we'll help you out!