Implementing a Cyber Security Management System (CSMS)
Challenge
For this manufacturing organisation in the automotive sector, cyber security regulations, good practice, and standards were relatively new, and cyber security was not yet fully embedded across the organisation.
The company was therefore seeking a partner to deliver and implement a CSMS that would let it demonstrate compliance with UNECE Regulation No. 155 (UN R155, a legally binding regulation on vehicle cyber security) and obtain vehicle type approval for distribution, so that it could maintain its market presence and uphold its reputation for quality and compliance within the transportation industry.
Without adhering to UN R155, our client would face significant barriers in commercialising its vehicles, potentially leading to market exclusion and hampering its ability to compete effectively.
As vehicles become increasingly connected and autonomous, they become more vulnerable to attacks. As a result, cyber security needs to be considered at the earliest stages of vehicle development.
Solution
To meet the requirements for an audit by the Vehicle Certification Agency (VCA), the UK type approval authority, and enable our client to fulfil its order in Germany, we had to work within challenging timescales.
We successfully delivered the CSMS deliverables together with a vehicle Threat Analysis and Risk Assessment (TARA) document and methodology to support the identification and assessment of cyber security risks, helping our client achieve compliance with the regulation.
Impact
1. As well as supporting delivery to meet the audit requirements and obtain UN R155 approval, we were integral in educating staff and raising awareness of the cyber security risks and vulnerabilities that could compromise the vehicles and harm the organisation. Our tailored approach gave our client direction on how to embed cyber security, and raised the significance of adopting cyber security best practice as part of the engineering lifecycle.
2. We conducted a gap analysis against ISO/SAE 21434 to assess the current cyber security posture across the organisation, position the scope of delivery, and provide recommendations for meeting UN R155 in line with best practice guidance. This analysis identified weaknesses across the organisation, enabled proactive risk mitigation, supported compliance with international automotive cyber security standards, and provided a clear roadmap for improving the organisation's overall cyber resilience and security posture.
3. We established a Statement of Applicability (SoA) as a central document used by both the security auditors and the organisation to improve understanding and give clear direction through the CSMS process controls. The SoA set out succinctly which cyber security controls are relevant to the vehicle and to the business, and why. This single source of truth for controls streamlined communication between the security teams and the auditors, reduced potential misunderstandings, made audits more efficient, and gave the different teams and stakeholders a consistent understanding of the security requirements, ultimately strengthening the organisation's cyber security governance and risk management framework.
4. We created incident response procedures, with clear policies, processes, and tools to be integrated into the existing incident management processes, to support the manufacturer's ability to respond to a cyber incident. In addition, as part of continuous improvement, we defined a capability for detecting and analysing cyber security threats and vulnerabilities. Effective threat monitoring will ensure that our client can: a) detect and prevent cyber attacks against its vehicles, and b) maintain the post-production monitoring capability required of a vehicle manufacturer to detect threats, vulnerabilities, and cyber attacks relevant to the vehicle type.