Which ECE field has more employment opportunities?

Interview CSMS with Dr. Michael Müller

The automotive industry is in the midst of a paradigm shift from the classic single vehicle to the connected and (partially) autonomous vehicle fleet. Through the use of new technologies and the networking of vehicles, infrastructure and backends, numerous new attack surfaces for cyber crime have emerged in recent years. The steady increase in hacker attacks shows the high risk of insufficiently protected vehicles for drivers, vehicle owners, manufacturers, insurance companies and road users. Headlines about spectacular hacker attacks graced many front pages internationally and many voices have been raised calling for regulatory frameworks for more security over the entire life cycle of a vehicle.

Now the time has come: the UNECE is setting new standards in the automotive industry and only recently published the UN regulations on cybersecurity and cyber security management systems (CSMS).

The EU plans to demand compliance with the new standards for new vehicle types in the passenger car and commercial vehicle sector as early as mid-2022 and subsequently to extend it to the existing fleet. We conducted an “Interview CSMS” with our CEO, Dr. Michael Müller. In this interview on Cyber Security Management Systems, Dr. Michael Müller answers important questions about the new UNECE regulations for the automotive industry.

Dr. Michael Müller, CEO magility

Q: Dr. Müller, the information security of vehicles is now relevant for type approval. Is that right?

A: "Yes, exactly. In future, vehicle type approval will only be binding if the manufacturer can prove a certified CSMS and actively protects its vehicle fleet against cyber threats."

Q: What is the general significance of this for the automotive industry?

A: "These new regulations of UNECE WP.29 are the first internationally binding standards that prescribe how cyber risks are to be countered across the entire automotive value chain. Now it is no longer a mere voluntary obligation to counter cyber risks, but a legal requirement with clear testing and performance requirements. This poses major challenges for the automotive industry. All processes within the OEM and along its entire supply chain must be verifiably adapted to the valid cyber security standards published by WP.29. This includes, for example, secure supplier management, secure procurement processes, the procurement of cyber-secure software, holistic "end-to-end" risk management, the safeguarding of all development and production processes through to secure after-sales processes and cyber-secure maintenance of the vehicles over the entire life cycle, which includes the provision of secure "over-the-air" updates.

All players involved in the supply chain or in the aftermarket of a vehicle in the automotive industry are now faced with the task of adapting all processes in their company to the cyber security requirements. When integrating a CSMS, UNECE recommends that companies orientate themselves towards ISO/SAE 21434 (Road vehicles - Cybersecurity engineering) and ISO/AWI 24089 (Road vehicles - Software update engineering), which are currently still in the drafting stage and are expected in their final version in 2020. Other existing cyber security standards must also be observed.

The entire vehicle ecosystem with every potential gateway must now be secured in a binding manner. An integrated CSMS enables standardized monitoring as well as checking whether the necessary requirements have been met. If the CSMS does not meet the requirements of the UNECE, it is not certified either, and then there is no longer any type approval for the OEM. That could be a disaster similar to that of the WLTP."

Q: How can the OEMs prepare properly now?

A: "Due to the development times in the automotive sector, OEMs and suppliers have to deal intensively with the cyber security requirements of their products by now at the latest so that they can meet the requirements for type testing by 2024. Companies should take a risk-based, end-to-end approach in order to be able to determine, achieve and maintain an appropriate level of protection. Incidentally, not only for the vehicle type but also for its external interfaces and subsystems. Both the manufacturers and the suppliers now have the task of training themselves to the extent that they can react immediately to cyber attacks and cyber security vulnerabilities, even if they occur after the vehicles have been manufactured and delivered.

For this, the establishment of an Automotive Cyber Security Operation Center (ASOC) is necessary to monitor the entire vehicle fleet 24/7 worldwide. The procedural and organizational part of automotive cyber security is accordingly moving more and more into focus. What is now helping companies are cyber security experts and consultants who are able to introduce a holistic CSMS that is suitable for the company and its product portfolio. At magility, we support our customers in developing a holistic cyber security strategy and the associated CSMS action planning. Of course, we also support you in the implementation of these measures."

Q: Which companies besides the vehicle manufacturers are affected by the new regulations?

A: "It affects not only the OEM but also software companies and e.g. suppliers of hardware, sensors and system architectures. Really every actor who is involved in the life cycle of a vehicle in whatever way is affected and must act now and adapt his processes and organization."

Q: What measures do the new regulations still prescribe? Can you name the most urgent ones?

A: "It would take up our time to explain the exact action plan. All measures are urgent and important - there are no compromises when it comes to cyber security. If a measure is left out and as a result a gateway is not secured, it can have fatal consequences. Everyone knows the horror scenarios that can result from this. The action plans can be viewed on the UNECE website and are available to everyone. You can also find further information on our website magility.com."

Q: We have learned: The integration of a holistic CSMS is a decisive factor for the type approval of a vehicle in the future. How is such a CSMS structured?

A: "Cyber Security Management System (CSMS) describes a systematic, risk-based approach to the definition of organizational processes, responsibilities and control in order to control risks related to cyber threats for vehicles and to protect against cyber attacks. A CSMS also includes the secure integration of service providers, suppliers and other third parties."

Q: Do you see the legally required innovations as an opportunity for positive macroeconomic incentives, or to put it another way: Could the negative effects of Corona be at least partially offset by creating new employment opportunities through UNECE WP.29?

A: "Technical innovations are to be expected from the IT sector in particular, induced by the new requirements of the UN for cybersecurity and CSMS. Niche companies and startups could also play an important role. In addition, there are new economic opportunities for suppliers. The need to secure automotive cyber security will lead to significant investments in the years to come. I think that will play out in the billions. So the answer to the question is YES!"

Q: You are the managing partner of magility GmbH, a consulting company that has been dealing with automotive cyber security issues for many years. You have a large network in the industry. How do you see the role of magility in this profound innovation process?

A: "We see ourselves as a system integrator of CSMS for the German and European market. Through our partnerships with the independent certification service provider DEKRA, with technology companies such as Argus Cyber Security and with high-tech startups and, above all, due to our experience in the automotive industry, we see ourselves as ideally positioned to advise our customers on strategy and action planning, to accompany the implementation process of the CSMS in the company and to support the implementation of the measures."

Q: Thank you for the detailed answers in the “Interview CSMS”. At the end of the interview, could you give us your personal assessment, Dr. Müller? Where is the automotive industry's journey headed under these new framework conditions?

A: "The automotive industry, which was previously very strongly focused on the development, production, sales and maintenance of individual vehicles, is transforming itself into a vehicle fleet operator with a strong focus on software development. The automotive industry is becoming part of the IoT industry through the networked vehicle fleet and is therefore in competition with Google, Amazon, Baidu and other internet giants, which does not make things any easier. Compared to these new competitors, the automotive industry has a lot of catching up to do, also in the field of cyber security. The automotive industry will in future become part of the mobility industry (TaaS and MaaS) and must be careful not to be reduced to a B2B vehicle supplier. Cross-industry business models will be particularly important in the future."

In a few weeks we will do another interview. For this purpose, we collect your urgent practical questions on the subject of CSMS. Please send your questions directly to Nada Lea Welker (CMO magility).