Maximizing your investment in cybersecurity
ISO/SAE 21434:2021 “Road Vehicles — Cybersecurity Engineering” is the standard that addresses the cybersecurity perspective in the engineering of electrical and electronic (E/E) systems within road vehicles. Fulfilling these requirements can necessitate a significant investment, but doing so can also offer even greater rewards in the form of increased safety, the reduction of risk, and the safeguarding of an organization’s reputation and brand.
There are many considerations for maximizing your investment in cybersecurity. For example, do you have a large array of different products that each need a cybersecurity focus, and might require approaches optimized for each type of product? Or conversely, do you have a flat organizational structure supporting one type of product, where you need to standardize around one Cyber Security Management System (CSMS)?
Whether the organization is large or small, a thorough risk assessment is invaluable for identifying an organization’s needs and vulnerabilities and aids greatly in clarifying the most efficient and effective approach to implementing cybersecurity within that particular company.
For example, a risk assessment for a given organization might reveal that safeguarding the organization’s reputation is paramount for them. For an established brand with both a long history and a broad spectrum of product offerings, loss of reputation could be so critical that it easily ranks as the most important consideration. In this instance, investing in multiple cybersecurity tools, each one selected as the best fit for a given family of products makes good business sense. This remains true despite having to employ more people in order to have assigned expertise within each product family, because selecting the best cybersecurity tool for a product is typically more efficient than trying to shoehorn a wide spectrum of vastly different product types into one cybersecurity tool.
In comparison, a smaller organization might only have one or two cybersecurity people, who are addressing the needs of only one or a few similar products. Their budget needs are likely to be smaller than the larger organization, and adapting one tool to their needs might be more cost-effective than each of them learning and maintaining a different tool of their own.
Threat Analysis and Risk Assessment (TARA) drives cybersecurity tool selection
Supporting legacy products
Regardless of the organization's size, the cybersecurity team will have to maintain its products. And sooner or later, every product will become a legacy product. A Threat Analysis and Risk Assessment (TARA) must be performed, and then it has to be kept up to date, until the end-of-life of the product. Because new threats are being introduced all the time, this burden will continually grow. But because cybersecurity in automotive is still relatively new, this challenge may not be as obvious now as it is soon going to become.
What are some of the impacts of supporting legacy products? For one, there seems to be a trend to keep people focused on one product, so that they are constantly building on their knowledge and expertise. But at the same time, the burden of new threats continues to grow. And each year, there is more for these experts to learn and stay knowledgeable about, while more vulnerabilities emerge for them to safeguard against and be responsible for. So, after about ten years, someone who has been performing cybersecurity work for the same product family might find themselves overwhelmed by all the new things they have to learn, while at the same time, performing the support work for all of the legacy products that they have to deal with. Too often, they find themselves boxed into a no-win professional situation, feeling that their only means of relief or escape is to leave. And when they do, there is no quick or easy way for their replacement to catch up.
So, investing in the right tool(s) is critical. It not only results in the most efficient and cost-effective way of performing the work, but it also aids retention by reducing individual burdens and helps to safeguard all of the investments made over the years in the people performing the work.
Reducing costs through increased efficiency, automation, and scope
With legacy products, we are trying to use careful tool selection to make it easier to properly support these products. A lot of these tools are promising, suggesting possible staff reductions of approximately 50% to 80% depending on the situation, which in turn could result in savings that can help to partially offset the investment. (Variations in these numbers usually depend on the specific tool and the number and type of options it has.)
Some of the most impactful tools can aid with multiple types of management, such as adding the capability of vulnerability management, and they typically have some capacity for automating processes.
After an organization goes into production with a product, vulnerability management can become a significant burden if it has to be performed manually by teams of humans. For example, simply identifying possible relevant Common Vulnerabilities and Exposures (CVEs) from among the swarms of new threats that appear around the clock and connecting the dots to an organization’s specific products and systems, used to take a small army of people when it had to be performed manually. If someone was monitoring CVEs manually and a vulnerability happened, and someone on the team thought it might have an impact on one of the organization’s products or systems, everybody would drop what they were doing. They would look at the controllers they are in charge of and see if this CVE impacted any of their areas of responsibility in any way. It could easily take two weeks. And while this analysis work was being done, other work was not getting done. The organization would have to staff more people to address vulnerability management. You can’t do this and work on new stuff at the same time.
Maintaining products and systems becomes way easier when the tool is automated. The tool monitors online resources that share information about the latest threats. If a relevant CVE is detected, the tool alerts the team. It connects the dots automatically, notifying the team of potential issues, and indicating what products are affected and where to look.
It is important for an organization to clearly understand the scope of cyber elements within their organization. If a company has a wide variety of product types, all of them might not require the same type or level of cybersecurity, and some products might not require cybersecurity at all. So, what at first might seem like a daunting task for a company that has a variety of subsidiaries under its corporate umbrella, might become more manageable once they weed out the products and systems not impacted by cyber concerns. For example, if one of their subsidiaries makes electrical control sensors but the next subsidiary makes hammers, the latter won’t be impacted by cybersecurity concerns and an investment will not have to be made there. So, that type of foundational assessment should be performed first. ISO/SAE 21434 Annex D includes a helpful flowchart for determining cybersecurity relevance.
What are the timing considerations for implementing cybersecurity?
Organizational maturity can impact timing
Needs and expectations for implementation timing can vary greatly from one organization to the next. This is yet another instance where a TARA can really prove its worth. It will answer a fundamental question: How much of ISO/SAE 21434 applies to your particular situation and business model?
A large portion of the considerations around timing are governed by the maturity of the organization. If yours is an organization that is starting from nothing, those impacts will be very different from those from an organization that is adding a product type and already has a cybersecurity team in place with trained and experienced people, and processes that have already been woven into the fabric of the organization.
For an organization that is new to cybersecurity and starting from scratch, it can take one to two years to create and implement the processes and policies, secure management buy-in, build the organization, and get everything in place. Going through all of this and doing all of the work just takes a while; it takes a long time.
For an organization that already has cybersecurity in place, it can be a much different story. If they already have processes, policies, document management and control, and ISO 9001 compliance for quality management systems, among other critical pieces, they already have a robust starting point. Such an organization might be able to start by looking at specific clauses in ISO/SAE 21434, or even post-development or post-production steps. Those clauses can be targeted at a detailed and specific level. Even if the starting point is Clause 6, which focuses on project-dependent cybersecurity management, the right organization could accomplish its work in about six months if it already had its templates created and its processes in place.
The impacts of the calendar, and the cybersecurity tool provider
Another impact on timing comes from those elements governed by the calendar:
- When does your organization’s fiscal year start and end?
- Given the strong influence of model years in the automotive realm, is your organization tightly linked to model years? If so, how far in advance of the new year do you release products?
- Is there a particular time of the year that's more advantageous for the organization at certain levels? Or is the need and interest within the organization pretty much homogenous throughout the year?
One item that is impacted by all these considerations is the tooling itself. Not only how long it takes to install and deploy the tooling, but also what fiscal year the tooling is budgeted in. All sorts of financial considerations factor into this decision, far too many to detail here. How does an organization accommodate the investment in cybersecurity, if they didn’t realize that they needed it until after the budget for that year had already been set?
All of these considerations vary greatly from one company to the next and can also vary greatly depending on the time of the year that the discussions are taking place. It is not unusual for an organizational team to ask for something in the spring, in order to have it in the budget next year. And the cost of the cybersecurity tools themselves can vary depending on the customer, the number of seats required, and when they need them by. And of course, adequate time needs to be built upstream to accommodate the negotiations about such matters, and that will also vary greatly from one cybersecurity tool to the next. It is in matters such as these that having a partner like LHP can really ease the burden and make it much easier to navigate these complex waters.
The impact of industry and society’s momentum
There is a strong sense that the industry is building momentum in its embrace and implementation of cybersecurity. People are getting on the train; they are moving in that direction. And part of what is driving that movement is regulation. The organization looks ahead and sees that cybersecurity can be a real problem if it isn’t addressed properly. They are doing their due diligence. And they're investing millions of dollars in cyber to try to prevent some of the bad things from happening.
Cyber-attacks are growing exponentially because of the increased connectivity and complexity within our systems. This is driving more attention to cybersecurity which in turn is driving more regulation, not just in the automotive industry, but across the many different industries that are working with products and industries that are now connected through the Internet of Things (IoT) and other technologies.
Cybersecurity threats have been evolving, and as a result, are generating more and more attention from the automotive industry. Most automotive organizations are already somewhere along the lifecycle of implementing cybersecurity within their businesses. Some are farther along than others. But they are all moving forward in the same direction.
The automotive industry as a whole seems to possess a heightened awareness level, certainly more than it had 10 to 15 years ago. Cybersecurity hacks and other threats are now a fairly common story in the daily news, and when they are reported, even the non-technical in the audience have a pretty good grasp of what they are talking about. Organizations routinely put their people through cybersecurity-related training to recognize phishing attempts and other data security concerns. The industry is gaining awareness. And the recent revelations about artificial intelligence have become the talk of dinner tables and chat threads alike. The people who grew up never knowing a world without the internet and cybersecurity, now have adult children who will never know a world without personal devices, social media, and constant connectivity, immersed in both the rewards and hazards they can bring. We are living in an unprecedented age of cybersecurity awareness and education.
Avoiding the paralysis of fear
Cybersecurity is one of those topics that can quickly overwhelm a person the moment they first start looking into it. It can seem too expensive, too complex, a losing battle that is completely insurmountable. That perception is understandable. It is also incorrect.
Does cybersecurity require an organization to make both a cultural and financial commitment and investment? Yes. Is cybersecurity complex? It certainly can be, but the more time you spend with it, the more it makes sense and the more proficient you become.
Most importantly, know this: Cybersecurity is absolutely doable.
First, you aren’t alone. No matter where your organization is on the cybersecurity pathway, you have company. Others are right there with you. Others have also come here before you and solved these challenges. And still others will follow behind you and solve them just as you will, and you are. And when new threats emerge, the entire cybersecurity community rises to meet and defeat them.
Second, you are not inventing these solutions from scratch. You are defining a palette of cybersecurity solutions tailored to meet your needs, with the aid of vetted standards that have already been proven to work. There is no one-size-fits-all solution, and there shouldn’t be. This isn’t guesswork, it is engineering. You are working upon a framework that, when executed properly, gives tangible and worthwhile results that make the world a better place.
Third, without cybersecurity you do not have safety, period. Likewise, the potential liability risks will not go away by doing nothing. No part of the cybersecurity realm gets better by doing nothing. And frankly, the bad actors will not let you get by with doing nothing. It is a constant struggle, but one with a highly worthwhile reward. Remember, the ultimate goal is to reduce your risk.
And most important of all, you have good company to help you succeed on your journey. You do not have to take on the world alone. LHP Engineering Solutions is the functional safety committed to creating safer transportation through ADAS, AUTOSAR, ISO 26262, advanced analytics, and cybersecurity. We understand where these disciplines and their standards intersect, and our cybersecurity experts will work side-by-side with you to provide instructions, context, and guidance, and help build your cybersecurity culture. Together, we will draw back the veils of mystery and figure out where and how cybersecurity needs to live within your organization’s lifecycle, so you can thrive now and into the future.