Automotive cybersecurity: BSI presents status report

Daniel Wuhrmann

At the start of the month, Germany's Federal Office for Information Security (BSI) presented its status report for the automotive industry (only in German), in which it calls for manufacturers, suppliers, developers and other service providers in the automotive industry to take the legal requirements with respect to automotive cybersecurity into consideration at an early date.

According to BSI, statutory requirements should ideally be incorporated directly into the development cycle of new vehicle models. It stated that, in general, the risk of attacks on vehicles and infrastructure has multiplied with the trend towards digitization and connected vehicles. In particular, BSI names the increasing integration and interdependence in the supply chain as a possible avenue of attack. It notes, for example, that attackers may train their sights on suppliers in an effort to gain access to the systems of the manufacturer, their real target. This, in turn, would give attackers access to companies which themselves maintain more sophisticated defense mechanisms.

The growing integration and interdependence of manufacturers' and suppliers' IT infrastructure, and the associated risks, are evident e.g. in case of attacks using encrypting Trojans ("ransomware"). Not only have companies repeatedly been confronted with ransom demands in exchange for decrypting their data, but entire supply chains have sustained financial damages due to production stoppages. In addition, manipulated software and hardware components pose a substantial risk for public transportation, and may therefore affect a large number of people. (only in German)

Regulatory requirements for cybersecurity

With implementation of the UNECE Regulations, a single and binding set of rules is now in place at the European level for the first time with regard to cybersecurity and software updates in the automotive sector, and these rules apply for type approval. While most of these requirements apply to manufacturers directly, they have an indirect impact on suppliers as well. Additional regulatory requirements apply e.g. with respect to autonomous vehicles, for which major new regulations were recently adopted through the Autonomous Vehicles Act. In addition, the General Data Protection Regulation (GDPR) plays a key role with regard to the processing of personal data, and must be heeded in the product development process as well. Moreover, a Delegated Regulation on the Radio Equipment Directive (RED), which is currently being prepared by the EU Commission, may establish major new regulations for the after-market and third-party providers.

Experiences from our consulting practice

We have also noted the growing importance of legal requirements for cybersecurity and data protection in the automotive sector in our own consulting practice. For clients in this industry, the challenge is to present the many different (new) legal requirements for companies in a structured and lasting manner, so that the frequently abstract rules can be implemented in practice. We accomplish this by working with our clients to establish a cybersecurity compliance management system, i.e. by adapting their existing process landscape so that technical processes reflect the statutory and contractual requirements for cybersecurity and data protection.

[September 2021]