msg Plaut is your partner for cybersecurity in the automotive sector
The automotive industry is experiencing a revolution thanks to autonomous driving, connectivity, electric drives and innovative mobility solutions. Modern IT systems are at the heart of these advances. A modern car can contain up to 150 control units and around 100 million lines of code - and the end has not yet been reached: experts expect this figure to rise to 300 million lines of code by 2030.
The increasing networking of control units and access via external sources pose challenges for cyber security. Proven hacks by security experts have put the issue of cyber security at the centre of OEMs' attention.
Do you have questions?
DI Stefan Wachter
Business Competence Center Mobility Solutions
Harmonised standards against cyber threats
The demand for uniform security standards is becoming ever louder. The EU Cybersecurity Act introduced in 2019 has created a UNECE working group that deals with Cyber Security Management Systems (CSMS) and Software Update Management Systems (SUMS) and aims to harmonise vehicle regulations worldwide.
A certification for Cyber Security Management Systems (CSMS) was created in cooperation with the International Organisation for Standardisation (ISO) and the Society of Automotive Engineers (SAE), which will be mandatory for all newly produced vehicles from 2024. The aim is to establish a structured process for the CSMS at car manufacturers and to set a standard against cyber threats in the automotive industry. This standard raises the requirements for cyber security from individual features to a holistic management system.
Certified cybersecurity as an approval criterion
The principles established in UN Regulation 155 and the ISO/SAE 21434 standard are required for type approval in all UNECE (United Nations Economic Commission for Europe) member states and recognising third countries.
The ISO/SAE 21434 standard covers four key areas:
- Management of cyber risks from the vehicle environment
- Inherent safety of the vehicle and its value chain
- Establishment of a cybersecurity incident response system
- Remote software updates to ensure up-to-date software
A certified Cyber Security Management System (CSMS), which must be confirmed by independent auditors, is required for the approval of new vehicle types for both OEMs and suppliers. This system must also be capable of remote software updates.
The standard distinguishes between a CSMS at organisational level and its application at product level. Organisations can refer to the sections of the ISO/SAE 21434 standard that address the creation and management of a CSMS, risk assessment methods, the integration of cyber security into product development as well as production, operation and maintenance. This ensures that cyber risks are appropriately identified, assessed and addressed throughout the entire life cycle of a vehicle.
A cyber security management system comprises various processes at organisational and project level. The aim is to identify, assess and deal with cyber risks in a timely manner throughout the entire life cycle of a vehicle. The CSMS must be validated together with a SUMS (Software Update Management System) by an independent third party in order to obtain type approval. The implementation of UN Regulation 155 covers several areas - from the concept phase to product development, the management of cybersecurity systems, risk assessment methods, production, operation and maintenance through to supporting processes.
Experts for IT and the automotive industry
Our experts have extensive IT and industry knowledge and support you in identifying relevant regulations, evaluating company-specific processes and homologation procedures, right through to obtaining type approval. We offer consulting, conceptualisation, technical specification and the implementation of IT systems - we will accompany you along the way!
Do you need support with the implementation of the European NIS 2 Directive?
Our experts will be happy to support you with the implementation:
- Development of a compliance strategy
- Gap analysis and options for action
- Support with compliance
- Compliance training
Blog: The Cybersecurity Compass
Ayhan Mehmed and Natalia Petrova-Korudzhiyski are constantly presenting new and trending cybersecurity topics in their blog. You can find all episodes here:
- Episode 10: ISO 27001 Meets DORA: How ISO 27001 Can Help Achieve DORA Compliance
- Episode 09: Navigating Compliance with DORA and NIS2
- Episode 08: DORA – Enhancing Digital Operational Resilience in Financial Services
- Episode 07: Apple AI Restrictions in EU: The Regulatory Grip on Tech Innovation
- Episode 06: Data Act Compliance – Navigating Critical Requirements
- Episode 05: The Data Act: A New Era in Digital Data Management
- Episode 04: CRA and CE Marking: Navigating CRA Compliance Paths
- Episode 03: CrowdStrike's Wake-Up Call: Enhancing Cybersecurity and Regulatory Adherence
- Episode 02: Essential Requirements for Digital Products
- Episode 01: Cyber Resilience Act (CRA): Scope