Automotive cybersecurity: BSI presents status report

At the start of the month, Germany's Federal Office for Information Security (BSI) presented its status report for the automotive industry (only in German), in which it calls for manufacturers, suppliers, developers and other service providers in the automotive industry to take the legal requirements with respect to automotive cybersecurity into consideration at an early date.

According to BSI, statutory requirements should ideally be incorporated directly into the development cycle of new vehicle models. It stated that, in general, the risk of attacks on vehicles and infrastructure has multiplied with the trend towards digitization and connected vehicles. In particular, BSI names the increasing integration and interdependence in the supply chain as a possible avenue of attack. It notes, for example, that attackers may train their sights on suppliers in an effort to gain access to the systems of the manufacturer, their real target. In this way, attackers could reach companies which themselves maintain more sophisticated defense mechanisms.

The growing integration and interdependence of manufacturers' and suppliers' IT infrastructure, and the associated risks, are evident, for example, in attacks using encrypting Trojans ("ransomware"). Not only have companies repeatedly been confronted with ransom demands in exchange for decrypting their data, but entire supply chains have sustained financial damage due to production stoppages. In addition, manipulated software and hardware components pose a substantial risk for public transportation, and may therefore affect a large number of people.

Regulatory requirements for cybersecurity

With implementation of the UNECE Regulations, a single and binding set of rules is now in place at the European level for the first time with regard to cybersecurity and software updates in the automotive sector, and these rules apply for type approval. While most of these requirements apply to manufacturers directly, they have an indirect impact on suppliers as well. Additional regulatory requirements apply, for example, with respect to autonomous vehicles, for which major new regulations were recently adopted through the Autonomous Vehicles Act. In addition, the General Data Protection Regulation (GDPR) plays a key role with regard to the processing of personal data, and must be heeded in the product development process as well. Moreover, a Delegated Regulation on the Radio Equipment Directive (RED), which is currently being prepared by the EU Commission, may establish major new regulations for the after-market and third-party providers.

Experiences from our consulting practice

We have also noted the growing importance of legal requirements for cybersecurity and data protection in the automotive sector in our own consulting practice. For clients in this industry, the challenge is to present the many different (new) legal requirements for companies in a structured and lasting manner, so that the frequently abstract rules can be implemented in practice. We accomplish this by working with our clients to establish a cybersecurity compliance management system, i.e. by adapting their existing process landscape so that technical processes reflect the statutory and contractual requirements for cybersecurity and data protection.
