OEMs face huge challenges when coordinating cybersecurity efforts across the entire supply chain. How can OEMs and Tier 1s effectively implement open communication across all tiers of suppliers, and why is this essential to effective cybersecurity?
Introduction
Today’s sophisticated connected vehicle architecture is inherently more vulnerable to attack from malactors, posing a significant risk to drivers and passengers alike. Connected vehicles can host up to 150 electronic control units and run on 100 million lines of code; tomorrow’s vehicles may contain up to 300 million lines of software code. New connected in-vehicle services such as apps, online offerings, and vehicle features serve to expand opportunities for attack. Complex vehicle architecture and the software underpinning new in-vehicle offerings also mean more contributors to the supply chain.
With the entry of these new suppliers and sophisticated vehicle technology, it has never been more essential to work together as an industry to open clear networks of communication that span the automotive supply chain. Fortunately, these challenges can be overcome. The industry has an opportunity to streamline cybersecurity communication to benefit the entire supply chain. This can be done by evaluating where the industry is now and assessing what works and what doesn’t work for industry-wide communications, decluttering old supply chain management comms pathways in the process, and leveraging comprehensive cybersecurity lifecycle management platforms to aid communication efforts and changes in cybersecurity policy.
Where the industry is now
In a list of the top ten most expensive recalls globally, half of them are from the automotive industry, ranging from airbags to engines. These can cost the industry billions of dollars apiece, depending on where the recall originates. In one of the costliest examples, the Takata Airbag recall in 2019 impacted 19 different OEMs and 37 million vehicles on the road. Currently, the industry has several Supply Chain Management practices and teams in place to deal with recalls when necessary, all while working to prevent them in close alignment with quality assurance teams.
Now, imagine a recall where liability is front and center and millions of megabytes of passenger data is at risk, a very possible scenario when considering the sheer number of connected vehicles on the road. To prevent this, the Automotive ISAC (Information Sharing and Analysis Center) has focused all its efforts on creating a space for sharing information around automotive cybersecurity. Current activities are excellent opportunities for OEMs and various suppliers to touch base and tackle industry-wide issues, but streamlining Auto ISAC shared knowledge into a de-facto practical Risk Assessment process that can be easily adopted by the manufacturers remains a challenge, something the industry is actively working together to solve. By implementing a new, holistic culture of cybersecurity as a safety issue, OEMs and Tier 1s will lead the industry in navigating conversations throughout the supply chain, leveraging the resources of Auto ISAC while doing so.
Decluttering communication across the supply chain
Industry-wide cybersecurity standardization has long been neglected by the automotive industry. This is largely because, up to now, it has been fortunate enough to not experience consumer backlash from a well-publicized hacking event. More sophisticated connected vehicle architecture is making that neglect dangerous to drivers and companies’ bottom lines.
New ISO 21434 standards for automotive cybersecurity are an encouraging example of industry-wide collaborative efforts. However, they are limited because they are only guidelines with no concrete or practical implementation guidance. Furthermore, standards lack a plan for ongoing communication across the supply chain required for implementation. Now is the opportunity to develop an effective, tailored channel of communication designed specifically for the exchange of cybersecurity standards and practices given the industry is in closer collaboration than it has been in the past.
Though cybersecurity supply chain management (SCM) is a new concept, the automotive industry has been grappling with complex supply chains for over a century. According to Dr. Dan Georgescu of the Ford Motor Company, “for supply chains to be successful, performance measurement must become a continuous improvement process integrated throughout.” Cybersecurity is now the key focus of that continuous performance process: similar to how the industry has leveraged supply chain communications in the past for other vehicle components, now it must do the same for cybersecurity. This will serve both the supplier and OEM alike. Dr. Georgescu continues, “supplier development is absolutely core to OEM performance.” Because SCM has been top priority for the industry for so long, it can apply many lessons learned to this new challenge.
Whereas in most scenarios, SCM is a cumbersome process of collecting quality and delivery metrics to optimize performance, the industry now has an opportunity as an industry to redefine that process with relevant KPIs tailored to cybersecurity. The industry has already begun the process of understanding cybersecurity complexities, and are addressing these in the development of ISO 21434 standards. Now, we must move to learn from supply chain management processes of the past to make communication clearer.
What does the ideal communication platform look like?
The automotive industry needs comprehensive management platforms to manage cybersecurity needs across the entire supply chain, and throughout the vehicle lifecycle. These cybersecurity lifecycle management platforms should empower OEMs and Tier 1s with the visibility required to meet all the cybersecurity needs of connected vehicles across the entire vehicle lifecycle, and overcome the complexity of vehicle cybersecurity systems.
The goal is to create unparalleled transparency into the entire cybersecurity lifecycle, enabling streamlined management of each phase: risk assessment, planning, policy creation and policy enforcement. This transparency will act as the ultimate enabler for communication, providing all stakeholders throughout the supply chain with real-time, easily accessible information that will prevent miscommunication or the spread of out-of-date information.
Conclusion
Opening communication across the entire supply chain is essential to the success of new cybersecurity practices and regulations that are being put in place, like ISO 21434. Though there are undoubtedly barriers to overcome, the industry can leverage its century of successful supply chain management to craft new channels of communication tailored to cybersecurity needs. It can leverage Auto ISAC as an opportunity to discuss how to translate action items into resources for the industry, as well as implement new security communication channels. This opportunity will allow the industry to implement an ideal communication platform that enables visibility and transparency throughout the vehicle lifecycle. While many may view communication across the supply chain as a challenge, advances in cybersecurity as an industry pose an exciting opportunity to become more collaborative, communicative, and safer than ever before.