Three Security Regulations Automotive Companies Need to Know
December 17th, 2020
The automotive industry is under pressure from cyberattacks aimed at every part of the business, from the parts it manufactures to the customer data held in connected cars and in the back-end systems that process it. That store of personally identifiable information (PII), intellectual property (IP), and safety-critical data makes the industry a lucrative target for cybercriminals and other hostile groups. As automotive companies add connected communications and integrated systems that share and process data, the cybersecurity risk grows with them.
IntSights recently published a research report breaking down the cyber threat landscape in the automotive industry. The findings show that attacks have risen rapidly as the attack surface expands with every new advance in vehicle controls, software, and integration: more connectivity means more exposure. As in any other data-rich sector, governments and regulatory bodies are now seeking to measure and control the risk to these systems.
The automotive industry is no stranger to regulatory compliance. It already operates under a full set of safety, manufacturing, and jurisdictional requirements, and has long performed due diligence and compliance testing against those standards for vehicle systems, parts, and manufacturing processes.
With a growing need to protect critical data in connected-car systems, auto retail, and auto manufacturing, regulators have turned their attention to cybersecurity standards that measure how well a growing list of vulnerabilities is being managed. These rules are being introduced around the world and act as a yardstick within each jurisdiction for demonstrably reducing cybersecurity risk.
The following regulations and standards are being developed to support the security of the vehicle ecosystem:
The United Nations Economic Commission for Europe (UNECE)
The UN regulation on cybersecurity (UN Regulation No. 155, adopted in June 2020 by UNECE's World Forum for Harmonization of Vehicle Regulations, WP.29) applies to new vehicle types and to the manufacturers that produce them, and makes cybersecurity a condition of type approval for connected and automated vehicles. It sets out the security controls a manufacturer must demonstrate across the development, production, and post-production phases of a vehicle. Manufacturers must operate a certified Cybersecurity Management System (CSMS) covering risk management, security by design, detection of and response to security events, and the prioritization and mitigation of vulnerabilities through patches and updates.
In the European Union the regulation becomes mandatory for new vehicle types from July 2022 and for all new vehicles produced from July 2024. It applies in the markets of the contracting parties to the UNECE 1958 Agreement, which include the EU, Japan, and Korea; the United States is not a party to that agreement, so US type approval is not covered by it.
ISO/SAE 21434
ISO/SAE 21434 is still in development, and will serve as a cybersecurity engineering standard for assessing how security controls are implemented throughout the lifecycle of vehicle system design and production. It gives a measuring stick that can be applied alongside frameworks such as UNECE WP.29's regulation to guide the scoping, assessment, implementation, and operation of an automotive security program. In practice, following ISO/SAE 21434 is the expected way for a manufacturer to establish the CSMS that the UN regulation requires, and to audit the quality of cybersecurity controls across vehicle systems and the production lifecycle.
US DOT’s NHTSA
For vehicle technology and systems produced in North America, the NHTSA (National Highway Traffic Safety Administration) leads the development of guidance for implementing strong cybersecurity controls; its published "Cybersecurity Best Practices" for modern vehicles are non-binding rather than a binding regulation. To cover the full automotive production lifecycle, NHTSA works with the FTC (US Federal Trade Commission) so that the privacy of consumer data is also addressed. Responsibility for consumer privacy enforcement sits with the FTC, which has the authority to hold companies and individuals to account for failures to protect personal information. As a model for cybersecurity policy, NHTSA's guidance draws on the US NIST Cybersecurity Framework (CSF) as an example of a layered, risk-based approach to strengthening security posture.
Cyber Threat Intelligence for Automotive Regulations and Security
As both security practice and regulatory policy evolve, automotive companies are under increasing pressure to satisfy the demands of threat protection and liability reduction at the same time. Proactive tooling helps companies measure their cybersecurity posture, protect critical and personal data, and comply with the large body of IT regulations and laws. Threat intelligence plays a major role in meeting both the risk and the regulatory requirements. Applied in the right context, it lets vehicle manufacturers automate the collection of threat data, quickly correlate possible threats against the manufacturer or its vehicle systems, prioritize the security gaps and vulnerabilities that could jeopardize their standing under regulation, and proactively measure the risk from threats targeting vehicle systems and the manufacturer's critical data.
To learn more about cyber threat activity impacting the automotive industry, download our recent report, Beyond Car Hacking: The Cyber Threat Landscape for Automotive Companies.
Christopher Strand is the Chief Compliance Officer at IntSights. As CCO, he is responsible for leading the global security risk and compliance business, helping companies bridge the gap between cybersecurity and regulatory cyber-compliance. Chris has more than 20 years of subject matter expertise in information technology and security audit assessment, and he specializes in developing enterprise security platforms and markets within hyper-growth organizations. Prior to joining IntSights, Chris launched and led the cyber-compliance business at Carbon Black (acquired by VMware), and has held leadership and compliance specialist roles at other flagship security companies such as RSA, Trustwave, and Tripwire.