This special report aims to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.
Securing Operational Systems
As we have seen in the first two articles of this special report, cybersecurity is becoming a strategic imperative for business longevity. Once the risk exposure of an organization's information and operational systems has been identified, mitigating that risk means laying a solid foundation on which to build cyberresilience.
Building security in from the design phase of new products is a key ingredient of that foundation, because it eliminates potential weaknesses at the source. That way, businesses ensure that their operational systems meet the minimum cybersecurity compliance requirements of public and private clients.
But what about current products and services? How can you make sure they withstand cyberattacks? How can you convince and reassure customers that systems are robust and cyberresilient?
Cybersecurity Programs and Certification
Implementing an operational cybersecurity program is becoming the norm in both Europe and North America. By taking a proactive approach and the necessary precautions against cybercrime, businesses and para-governmental organizations show customers and third parties (investors, employees, and the general public) that they have set up the conditions needed to ensure business continuity in the event of a cyberincident.
An overview of the implementation phases of an operational system within the framework of a cybersecurity program is presented below.
Development Phases of a Cybersecurity Program
Life Cycle Project Management: Cybersecurity-Related Actions
Certification is another step in that direction. Although standards are not yet harmonized across continents, they are becoming clearer and being implemented in a number of countries.
That is the case for UN Regulations No. 155 and No. 156 (UN R155 on cybersecurity management systems and UN R156 on software update management systems), which are progressively being adopted in Europe, as well as for the ISO/SAE 21434 standard, which covers every phase of the life cycle of the electrical and electronic (E/E) systems of road vehicles, including their components and interfaces, embedded software, and the tools required for their development.
ISO/SAE 21434 was created following the exponential increase in cybersecurity incidents involving connected vehicles recorded between 2016 and 2019, a staggering 605% (1). That number is bound to grow if nothing is done to secure the multiple systems aboard cars, such as communication units and voice assistants, geotracking sensors, and the cloud-based platforms that connect vehicles to mobility services. Juniper Research (2) estimates that 206 million vehicles will feature such capabilities by 2025, including 30 million connected to 5G networks.
Overview of the ISO/SAE 21434 Standard
A Prerequisite for Responding to RFPs?
Although the transportation industry increasingly demands vehicles be certified and meet standardized cybersecurity requirements, the challenge lies in the fact that the vast majority of these vehicles are already designed, if not already built. It should be noted that many other industries face the same issue.
Implementing an operational cybersecurity program and taking the steps to have existing systems certified poses an additional challenge for businesses trying to reconcile minimum compliance requirements, technical and financial system constraints, and time to market.
The approach to certifying current systems is similar to certifying new ones, but conducting a full system analysis can be more difficult. Cybersecurity risk mapping and attack scenarios (the threat analysis and risk assessment, or TARA, in ISO/SAE 21434 terms) are prepared against the existing architecture, and that architecture may be ill suited to the new requirements, making it difficult, if not impossible, to produce the documentation that demonstrates cybersecurity compliance.
The effort and resources dedicated to these analyses will incur costs that businesses may be forced to absorb in order to market systems at a competitive price point. One potential solution involves conducting a gap analysis before undertaking a cybersecurity program to assess the scope of needed efforts. To do so, businesses can call on external experts to conduct or assist in conducting the inherent cybersecurity risk analysis or review the analysis as part of an internal auditing process.
To ensure these steps are successful, it is essential to involve professionals from across the organization, including the sales team, so that they understand the process and its financial implications and integrate these new requirements when responding to RFPs. The sales team can then cost the additional cybersecurity activities and price them as add-ons.
Suppliers and subcontractors of system components are also essential stakeholders in the process; that consideration will be covered in our next article focusing on supply chain issues.
One Key Step: Reviewing IT Architecture
As previously explained, the ISO/SAE 21434 standard focuses mainly on operational systems. However, it is crucial that all information technology (IT) teams be treated as essential partners in helping businesses become cyberresilient.
This is all the more important because minimum operational cybersecurity requirements are often conflated with organizational cybersecurity concerns. For example, simple penetration testing of a system is often demanded on its own, even though such testing is only one verification activity within the cybersecurity certification process of a system and does not replace the risk analysis and design work the standard requires.
Organizations that have yet to implement cybersecurity programs will also need to secure their organizational IT infrastructure. That involves analyzing gaps against common IT practices, upgrading methods to adopt industry-standard cybersecurity practices, and establishing policies and processes that sustain those practices going forward.
9 Elements of Network Security
Once organizations have cybersecurity programs in place, developing new operational systems will have to take the revised IT infrastructure into account to ensure consistency across IT and operational technology (OT).
Examples of necessary actions to upgrade IT architecture
In light of the efforts needed, it appears that certifying operational systems poses several challenges and compels businesses to follow a strict process that involves mobilizing significant human and financial resources. And while implementing an operational cybersecurity program may constitute a first step toward certification, its impact on existing IT systems should not be overlooked.
As is the case for all major projects, proper planning is crucial to successfully transitioning to an operational cybersecurity program, including a precise mapping of the systems involved and the assistance of experienced resources to support the business in its efforts. Once such a program is in place, responding to RFPs becomes a much simpler business process.
(1) Source: ISO/SAE 21434 Automotive Cybersecurity Standards Guide (beyondsecurity.com)
(2) Source: Operator Connected Car Strategies Statistics: Market Summary | Infographics (juniperresearch.com)