Cyber Security – Organisational Processes

In the context of road vehicles, Cyber Security refers to the protection of each function and of the electrical or electronic components from cyber-attacks. As the connectivity to which AVs are exposed increases, the potential for cyber-attacks grows with it, adding a further challenge to ensuring the safety of both customer and fleet vehicles, on top of the need to follow the applicable regulations. Therefore, as a first step it is important that cyber security principles and practices are well established and followed. For this, it is important to identify the technologies to which the AVs are exposed, which may vary depending on the level of automation. The terms used in this topic may differ from those used in the related references above, since the main scope of this topic is to highlight the most relevant cyber security aspects that shall be addressed in the development of an ADF.

To ensure that all stakeholders dealing directly or indirectly with this topic can follow the required steps and behave responsibly, it is necessary to establish a cyber security culture within the organisations. To do so, a Cyber Security Management System (CSMS) shall be established, which gathers the necessary set of systems and processes to be put in place and which covers all development phases, including the post-start-of-production phase, to ensure a secure development lifecycle. When implementing a cyber security culture, several measures shall be considered, such as programmes to raise cyber security awareness within the organisations and adequate training for employees (ENISA, 2019). This will help to reduce the potential for successful attacks. Relationships with external stakeholders such as suppliers across the supply chain shall be considered, including the definition of appropriate guidelines to make sure that they follow similar practices (ENISA, 2019). Information sharing with trusted industry partners on threats, vulnerabilities and risks shall also be considered (Auto-ISAC, 2016). A self-audit process is part of the cyber security culture, as it helps to institute and maintain a continuous improvement approach.

Main Question:

Is there an established and followed cyber security process within the organisation to ensure the security architecture of the overall function?

Sub-Questions:

  1. Is there an established list of measures to be followed within the organisation (e.g. awareness programmes, adequate training)?
  2. Does a similar culture exist across the supply chain, e.g. sub-contractors, suppliers and potential third parties directly or indirectly working with the organisation? See also Vdata_7.
  3. Is a self-audit process established to gather information about the policies and procedures followed?
  4. Does the self-audit process include a procedure to log the (hazardous) events with an impact on security (e.g. a potential security breach), and also procedures to report any vulnerabilities found?
  5. Does the self-audit process include a procedure to document the tests performed, including the test reports?

References