BUSINESS MODEL INSIGHTS: ASSESS CYBER RISK Making the automotive sector safer andmore secure
The key priority for the automotive industry has for many years been safety – the safety of vehicle occupants, other road users and pedestrians, by trying to prevent crashes from occurring and minimising injury when a crash does occur. Established international standards and regulations are in place to support this initiative. However, as connectivity and automation have increased (and are still increasing at pace), the safety challenge has now been joined by a cyber security challenge, resulting in a concept of cyber safety. Many modern vehicles have Advanced Driver Assistance Systems (ADAS), such as Adaptive Cruise Control and Lane Keep Assist, that require software to automatically control physical aspects of the vehicle, e.g. steering, braking and acceleration. These systems have primarily been designed to increase safety; however, as thousands of lines of complex code are controlling these vehicle functions, cyber security flaws could result in catastrophic outcomes and, therefore, cyber security and functional safety have become closely coupled. Regulatory compliance Automotive cyber security standards are being developed to support the industry and regulations have been recently introduced. These will ensure that the vehicle manufacturers and their suppliers don’t just consider cyber security as a checklist item during their production phase, but instead embed cyber security into their entire vehicle design and development lifecycle, making fundamental cultural changes to the way vehicles are created.
Cyber security basics and the prioritisation of cyber activities
The diverse nature of the automotive industry – from small electric vehicle start-ups to huge multinational manufacturing groups and many other shapes and sizes of organisation in between – means that cyber security has had different priorities in different companies historically. This is especially due to the tight margins within the sector. A recent industry report 6 highlighted that 30% of car manufacturers and suppliers do not have an established product cyber security programme or team. Therefore, the automotive industry is facing a steep learning curve and will require significant assistance from the cyber security community. Resourcing challenges and return on cyber investment As in many other industries, the automotive sector faces serious cyber security resourcing challenges. In an article 7 , our CTO, Ollie Whitehouse, highlighted the shortage of cyber resilience skills, explaining that from our own research, of those who planned to outsource elements of their cyber security in the next 12 months, 43% said that this was being driven by return on investment. This suggests that organisations recognise the importance of validating cyber security spend, but they are not confident that they have the skills or resources to do so in house. How we are helping the automotive industry tackle these challenges The NCC Group Transport practice has been part of the independent review process validating new automotive cyber security standards and has aligned our services (in some cases, developing new ones) to help support vehicle manufacturers to achieve compliance with the new regulations, as the most serious consequence of non-compliance is the inability to sell new vehicles. The services involve close collaboration between our governance, risk and compliance teams and deeply technical cyber security experts with automotive industry-specific knowledge and expertise. Our services help vehicle manufacturers to address some fundamental cyber security challenges, not just to achieve initial compliance with the regulations, but to maintain that compliance by changing cyber security culture. As advisory partners to our customers, we will continue to help them increase their cyber security maturity by providing expert advice, security assurance and software resilience, which over time is expected to become a market differentiator within the automotive industry.
Cyber security and functional safety have become closely coupled.