Improvement Concepts
 |
Automotive Security (ISO 21434)

DO YOU KNOW WHERE RISKS LIE?

Secure processes – a foundation for automotive security adhering to ISO/SAE 21434

Systematically assessing risk allows you to recognise potential threats posed to a networked car. Clever hackers often know immediately where they can find back-door entrances that are sometimes accidentally left open during your product development process, even if you did put defence mechanisms in place. We show you when you will need to assess risks and how to put assessment tools in place. Armed with these insights, we improve your processes, systematically adding more structure. This empowers you to spot threats before they come beating down the door, thereby shielding your company and your automotive systems against dangers in the most effective possible way.

Without 24-7 connectivity, new cars are almost impossible to sell these days. Online connections are an important enabler of comfort options and modern travel services. Sadly, from a security angle, they are fraught with risks.

Automotive Security requires end-to-end safeguards:

  • Safeguards need to be in place for all areas affecting security: the product itself, processes and IT systems. 
  • Any such protective safeguards need to remain in place for the entire warranted service life of a vehicle. Responsibility for security starts in product development and extends even beyond manufacturing. Manufacturers are still responsible for security when a car is being driven, in other words while owners are actually using their vehicles or any related services. This can be a long time after the car rolls off the production line.
Security from a process point of view
Security-centric processes ensure first and foremost that effective risk assessments are carried out. These allow you to be certain if any potential threats need addressing – in product development, manufacturing, or during regular use of the networked vehicle.
Security from a product point of view
The insights gained from risk assessments can be used to develop technical measures to defend systems and protect networked vehicles from cyberspace attacks.
Security from an IT perspective
Protecting critical IT infrastructure in keeping with ISO standard 27001 helps prevent third-party access to networked vehicles via the back-end systems of vehicle manufacturers, suppliers and service providers.
Figure: Meet technical, organisational and IT threats posed to your systems.

Our security experts help you gain clarity by conducting risk assessments. They have the specific knowledge required to understand potential threats to your systems. Based on their assessment, we provide a secure plan for the workflows at your company, placing emphasis on warding off possible risks from the outset.

By working with your experts, we draft a catalogue of proactive defence mechanisms and support you with implementation of your security strategy. We also support your specialists with product security and safeguards relating to IT security (ISO standard 27001). This holistic approach provides you with end-to-end protection based on validated assessments aimed at addressing the key factors that most affect security – the product itself, processes and IT systems.

ISO/SAE 21434 – the future security standard for networked automobiles

The new ISO/SAE 21434 guidelines are likely to be published in the summer of 2020. Our security concept allows you to start taking the requirements of the future automotive security standard into account now. In keeping with this new standard, we provide you with pointers on introducing an integrated risk management concept.

This risk management concept covers

  • the networked vehicle, all components and relevant interfaces
  • product development, from initial concept development to design and development
  • production and in-service maintenance
  • normal operation including disposal in keeping with privacy protection requirements

ISO/SAE 21434 provides a framework for capturing the requirements of security-centric workflows. For the first time, this establishes a foundation for communication between all involved stakeholders. 

ISO/SAE 21434: road vehicles – cybersecurity engineering

The emergence of a worldwide standard for ensuring that networked vehicles are subject to sufficient security safeguards.

ISO/SAE 21434 is allowing international standardisation panels to lay an important foundation that will establish automotive security directly in the development process of automotive electronics. The ISO/SAE 21434 standard addresses everything relating to the core aspects of electronics development – from definition of products to design, implementation and testing. A comprehensive approach, it safeguards ‘security by design’ spanning the entire supplier chain. The German Association of the Automotive Industry (VDA) supports this integrated approach.

For more on the upcoming standard, see the interview with security expert Dr Thomas Liedtke.

Interview

The risk management concept gives you a clear overview of the targets that will be required in developing your security strategy. This also allows you to structure your processes and systems methodically according to the security requirements that are most pertinent to your company. Drawing on our expertise in developing targeted workflows, we design your process landscape in such a way that you will meet all key requirements, from the required user experience and aspects relating to business management to Functional Safety (ISO 26262) and industry standards such as Automotive SPICE®.

The four key ingredients of SFOP: safety, finance, operations, privacy

The areas of protection targeted under Automotive Security are broader – and thus more demanding – than they are with functional safety under ISO 26262:

  • Building on the protection of vehicle functions, Automotive Security also covers potential threats to your reputation and company finances.
  • It also deals with the secure use of mobility services and data protection for sensitive user data.

 

Do something now to protect your organisation

Without an actively believed-in culture of security, your efforts to protect your company and your vehicles from malicious attacks will be fruitless. All it takes is one minor oversight on the part of a colleague and everything you have put in place to provide protection can be rendered ineffective. This is why we support you in raising awareness of security issues among staff with social engineering. A culture of security allows your security measures to go full circle. Acute awareness allows the members of your team to spot threats more easily. This enhances the quality of your risk analysis and thus raises the probability that you will ward off threats in advance.

The security experts of Kugler Maag Cie help you to

  • foster awareness within your organisation of comprehensive, end-to-end safeguards
  • conduct detailed assessments of any threats posed 
  • match your security strategy to processes, products and IT requirements and manage specialists involved 
  • assess and improve your development processes with respect to security factors 
  • adapt existing workflows and procedures in order to address key security factors
  • define and set up new development processes in keeping with the requirements of ISO/SAE 21434 
  • evaluate, develop and implement security management measures 
  • select relevant security technology and industry standards according to your requirements

 

Kontakt
Softwaredrives