In my last post, I discussed reasons for the automotive industry’s heightened awareness of cybersecurity. Now I’d like to talk about the actions that I believe should follow from this awareness.
Achieving the necessary level of security is rarely straightforward, particularly when you need to safeguard legacy components that were never designed to be connected to the internet. To ensure nothing is overlooked, and to maximize effectiveness, we always recommend that automotive clients adopt an end-to-end approach to their cybersecurity.
This recommendation implies looking beyond the boundaries of a single organization, because successful cybersecurity approaches depend on collaboration across the supply chain. OEMs are now well aware that they can’t delegate responsibility for security to suppliers – yet they rely on those suppliers, especially Tier 1 suppliers, to help them implement their cybersecurity strategy. The OEM must therefore assume overall responsibility for the security of the entire vehicle and ecosystem throughout its lifecycle, while providing clear direction to suppliers as to what security requirements they need to meet.
To put these ideas into practice, it’s helpful to think about cybersecurity in terms of a two-dimensional model. The first dimension identifies three focus areas that together cover the complete ecosystem: manufacturing, connected vehicle, and enterprise IT. The second dimension is the product lifecycle: for each focus area, it’s necessary to consider the entire lifecycle, including both the plan and build phase and the run phase.
Using this model, the OEM and its supply chain can ensure that the right security measures are implemented for each of the three focus areas at every phase of the lifecycle. Adopting a defense-in-depth paradigm also helps, because it ensures that security is built in at every level during plan and build, and maintained during run.