Kelly Stephenson, Solutions Architect for LHP, provides product and engineering leaders with insights into the complex realm of cybersecurity and its importance in achieving product safety and success in any manufacturing environment.
In these discussions, Kelly works closely with leaders to explore cybersecurity from both an engineering and manufacturing perspective, defining what cybersecurity is and why it exists, and sharing the impacts of both cyber-related vulnerabilities and effective cybersecurity responses on an organization’s business. Typically, the scope and impact of relevant regulations are also examined, and a practical step-by-step roadmap is outlined for achieving effective cybersecurity.
The following are the top five questions that leaders typically ask Kelly, and his responses.
Question 1:
For an organization with a presence in both the automotive realm and in industrial applications, is it preferable for the organization to adopt one holistic cybersecurity management system that encompasses both their automotive and industrial businesses, or is it more effective for their businesses to manage cybersecurity separately?
I recommend the “one umbrella” approach. The ISA/IEC 62443 series of standards define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS) and provide a definitive plan for implementation. In comparison, ISO/SAE 21434:2021 “Road vehicles — Cybersecurity engineering” specifies the engineering requirements for the risk management of cybersecurity in electrical and electronic (E/E) systems in road vehicles, including their components and interfaces. The common ground addressed by these two standards is manifested in a Cyber Security Management System (CSMS). This is a set of policies and processes that provide a framework for cybersecurity for your organization. ISO/SAE 21434 directs the organization to implement a CSMS.
It is through the CSMS that the organization puts together the cybersecurity policies, processes, and governance that are relevant and specific to that particular organization. If a business satisfies the requirements defined in the organization’s CSMS, then they have satisfied several of the requirements of both standards.
There is a synergy between these two standards, which also goes a long way in driving an organization toward compliance with UN Regulation No. 155 – “Cyber security and cyber security management system.” The organization can go a long way toward nailing three things at one time, which is the kind of efficiency we are looking for. But what about the Internet of Things (IoT)? With separate CSMSs, you would be trying to sort, manage, and keep in sync two different CSMSs. And then, where do you put your newly developed IoT product that potentially has a broad application? It is not purely industrial, and it's not purely automotive. It is some other thing. How do you sort it into one system or another?
Vehicles, industries, and IoT all experience threats. Some threats are different from one realm to the other, some are the same, and some overlap. Likewise, the security controls that address them may also have differences and share some similarities.
Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cyber vulnerabilities and select the appropriate countermeasures to mitigate them. As we dive down into the details and think about the TARAs and the subsequent threat libraries that we will need to build and maintain, there will be different TARAs for the different domains. All of this can result in a lot of complexity, so we want to make sure that we don't create separate, independent CSMSs. We want to maintain a realistic and achievable level of control over the amount of work that we must do for cybersecurity and not add to that complexity unnecessarily. So, from a high-level point of view, CSMS governance becomes more efficient under one unified umbrella. A common umbrella makes all of this easier to harmonize.
Question 2:
Under the organization’s common umbrella of this single cybersecurity management system, there will be different pillars for the different applications. So, from an organizational standpoint, will we then need to determine who is aligned to which pillar? And then on the local level, do we break down the tools that are to be implemented?
Yes. That is an excellent idea, a good plan. We tend to see this in a lot of organizations where they have a larger cybersecurity group. They start breaking that down to support various products. And at the top of the group will be people holding the governance and cascading policies downward, and perhaps even managing certain higher-level processes.
If the organization is trying to drive processes into the New Product Development (NPD) group, or even further down into individual groups, these groups may have some processes that are unique to their group, and they might also have processes that are shared across groups. For example, if we are concerned about software development, that group might have policies around software development that must be adhered to across all groups, because software is a common lifeblood technology for these systems that enables data to flow from one system to another in an organized and coherent manner. But the processes for implementing specific code might differ slightly from group to group because they all have different packages.
We can put all of that into place, but at the same time, we are trying to manage the overall cybersecurity posture. The effort that our team performs underneath that top level is a manifestation of the policies created at that topmost level. It is our job at that top level to communicate these policies clearly and completely so that the right processes can be put in place at all levels.
Question 3:
Our organization is at a point where we are starting to become increasingly digital in our products. At this moment, most of our products are not digital, but this is evolving quickly. And we need to somehow strike a balance so that as we add products to our digital portfolio, we do so in a way that is cyber-secure and under the one umbrella of our CSMS. But we have to make this transition incrementally. What about our small business units? If a unit is on the threshold of migrating its product to the digital space, how is its work managed?
You are trying to prepare your organization for the future because the need for effective cybersecurity is here right now. It is not going away. Instead, it is growing rapidly. Every organization, regardless of size, will face this issue at some point in time, and it will only become more complex. The longer they wait, the more challenging the transition will become. But if we start the transition now, the impact on your organization may not be as large as if you try to delay the inevitable.
Challenges like this will be conquered because everyone will be working towards the same goal regardless of the size of their individual business units. This can be visualized: You are not standing behind each business unit pushing them individually; instead, you are standing in front of them and leading all of them to a common goal under your one umbrella. They will all be aiming for this common goal using the common policies that you define, regardless of where they are now.
If we work together now to get the transition completed, you are going to look like heroes, because you will have anticipated the need in a timely manner. You are going to have it all completed and ready when it is finally asked for. You see, at some point, the organization is going to reach the point where they can’t kick the can down the road any longer, and leadership is going to realize the business urgency of putting all of this in place. At that moment you will be able to say, “We’ve got this, we already took care of it, and we are already up and running.”
So, this timing is a nice win for you because you are just starting out, and it sounds like your products are just now starting to become more complex. When you do finally hit that elevated level of complexity, we will already be hitting the ground running, and we will have everything in place that you need.
Question 4:
There is a three-year certification requirement. Is there also an annual maintenance audit that is required in these types of situations?
No, an annual maintenance audit is not required. For the group addressing the requirements of the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29), every three years, UNECE asks to make sure that your CSMS still has a certificate of compliance. You are required to reapply every three years.
However, if you make a change to the CSMS only (there is no language for the vehicle type), you must submit that information back to UNECE, and they might decide that there is a need to come back and take a look at your CSMS again. They could come in and do that. And they can also come in and audit your CSMS whenever they feel like it. There is not an annual requirement per se, but they have the option to check up on you any time they want. And if you are found to be non-compliant, they can pull your CoC for the CSMS, which can impact vehicle sales.
Question 5:
Having our engineers earn their certifications is one of the methods of compliance. Is this the most typical method of compliance, to ascertain which engineers are certified, and to document the key experts that were utilized for their training and certification?
Yes, and all of that is easy to prove when asked. What we at LHP are trying to do is to prove that our clients’ people are competent, by having them earn their certifications so they can provide them when asked.
Not only do your people have to be trained, but they also have to be tested to prove they possess the prerequisite knowledge. We can set this up in-house or on an as-needed basis. Once your people earn their cybersecurity certifications, your organization will be ready to move forward and get the real work accomplished.
There are a variety of next steps available to you. There are the training and certification processes, of course. We also have some deeper dives available, including two-day power-ups, and an extended version of this presentation where we explore these topics in depth. LHP also has available a full expert-level certification course, where we explore cybersecurity in detail.
There are various levels of training available. But most importantly, we want to make sure you are making progress. We are here to help take the mystery out of cybersecurity. We want to help you map out the scope of your work, perform some of that gap analysis and then get the ball rolling, to ascertain where your organization is and where it needs to be. And then we want to help you get there.