Getting out of the security bubble: Recap of first Automotive Cybersecurity Europe in Munich

End of the year in Munich. Lobby of the Hilton Hotel Munich City. While some of us have just finished a veritable marathon of on-site workshops and conferences at the end of the year, others are still simply enjoying meeting in person again after the pandemic.

It's Automotive Cybersecurity Europe, the first time Automotive IQ has organized this conference format for Europe, here in Munich. Automotive cybersecurity experts from all over the world and from every tier of the supply chain come together for around two and a half days of intensive sessions.

Where the industry currently stands is clear.

Type approval, certification and ever-increasing cybersecurity requirements continue to put pressure on the entire value chain. Some say it openly: they are not here by choice, they simply have to be.

What is also clear is that from the Swabian SME to the tech startup from Berlin Mitte to the largest OEMs - all players are equally affected, but from very different starting positions.


The most important aspects (+ 6 key takeaways at the end) at a glance:


Systematizing the uncertain future

Although the industry is happy (well, "relieved" may be the better word) that the regulations and standards are finally here - the UN R155 timeline to July 2024 appeared in almost every other presentation - in general only the present, or rather the past, is being considered. The future is mostly left out.

Exemplary of the current debate about the future of cybersecurity in the automotive industry? The debate about future threats from quantum computers.

The general interest in it is comparable to a qubit: a superposition of two states.

Either no interest at all (0) - "the present has more urgent problems" - and, at the same time, somehow forced interest (1), once one considers "harvest now, decrypt later" scenarios, in which traffic or data recorded today is decrypted years later with a machine that does not exist yet.

Although the timeline of when and how quantum computing will expose which weaknesses is still nebulous, the question of what can already be done today should not be dismissed. Vehicles type-approved now will still be on the road well into the 2030s, so the asymmetric primitives they depend on (RSA and elliptic-curve cryptography in secure boot, OTA update signing, diagnostic authentication and V2X) have to be inventoried now and the products designed for crypto-agility. Integrating this in-depth examination of future risks and threats into current risk analysis methods at an early stage therefore seems logical, even if the scenario analyses are currently based only on subjective assumptions. The condition is that those assumptions are stated explicitly and applied consistently.
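One way to make such an assumption-based scenario analysis consistent is the inequality Michele Mosca proposed for exactly this question: if the time the protected data or trust anchor must remain secure (x) plus the time needed to migrate the product (y) exceeds the time until a cryptographically relevant quantum computer exists (z), the asset is already at risk today. The script below, an added example and not code from the article, the conference or CYRES Consulting, applies one documented CRQC assumption to a small crypto inventory of a vehicle and flags the "harvest now, decrypt later" and signature-forgery cases. The inventory, lifetimes and CRQC years are constructed, illustrative values, not data from any real vehicle program.

```python
"""Mosca-style 'harvest now, decrypt later' check for an automotive crypto inventory.

Added illustration, not from the article or CYRES Consulting. Asset names,
lifetimes and the assumed year a cryptographically relevant quantum computer
(CRQC) arrives are constructed assumptions for demonstration only.
"""
from dataclasses import dataclass

# Mosca's inequality: x (years the data / trust anchor must hold) + y (years to
# migrate the product) > z (years until a CRQC)  ==>  the asset is at risk now.


@dataclass(frozen=True)
class CryptoAsset:
    name: str
    algorithm: str           # public-key primitive protecting the asset
    protection_years: float  # x: how long this data or trust anchor must hold
    migration_years: float   # y: time to re-engineer, re-qualify and roll out a replacement
    confidentiality: bool    # True if recorded traffic reveals secrets later (HNDL)


# Shor's algorithm breaks the factoring / discrete-log families. Symmetric
# ciphers and hashes are out of scope here (Grover's speedup is handled by key
# and digest length, not by replacing the primitive).
QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "ECDHE", "DH", "DSA"}


def years_until_crqc(assumed_crqc_year: int, current_year: int) -> float:
    """z: years until the CRQC, derived from one explicitly documented assumption."""
    return max(0.0, float(assumed_crqc_year - current_year))


def assess(asset: CryptoAsset, assumed_crqc_year: int, current_year: int) -> dict:
    """Apply the same assumption to one asset and return a comparable verdict record."""
    z = years_until_crqc(assumed_crqc_year, current_year)
    exposure = asset.protection_years + asset.migration_years      # x + y
    primitive = asset.algorithm.split("-")[0].upper()
    vulnerable_primitive = primitive in QUANTUM_BROKEN
    at_risk = vulnerable_primitive and exposure > z                  # Mosca condition
    if at_risk and asset.confidentiality:
        verdict = "HNDL: capture today, decrypt later"
    elif at_risk:
        # Signatures cannot be harvested retroactively, but a CRQC arriving while
        # the fleet still trusts this key lets an attacker forge updates or sessions.
        verdict = "forgery risk once CRQC exists"
    else:
        verdict = "ok under this assumption"
    return {
        "asset": asset.name,
        "algorithm": asset.algorithm,
        "exposure_years": exposure,
        "margin_years": z - exposure,
        "at_risk": at_risk,
        "verdict": verdict,
        "assumption": f"CRQC in {assumed_crqc_year}",
    }


# Constructed sample inventory (illustrative values, not from any real vehicle).
SAMPLE_INVENTORY = [
    CryptoAsset("OTA update signing root", "RSA-3072", 15.0, 4.0, False),
    CryptoAsset("Diagnostic session key agreement", "ECDH-P256", 15.0, 3.0, True),
    CryptoAsset("Telematics backend TLS", "ECDHE-P256", 2.0, 1.5, True),
    CryptoAsset("Secure onboard communication MAC", "AES-128-CMAC", 15.0, 3.0, False),
]


def run_assessment(inventory, assumed_crqc_year: int, current_year: int = 2024) -> list:
    """Assess every asset under one shared assumption so the results are comparable."""
    return [assess(a, assumed_crqc_year, current_year) for a in inventory]


if __name__ == "__main__":
    # Same inventory, two explicitly stated assumptions: only the assumption changes.
    for crqc_year in (2035, 2045):
        print(f"\nAssumption: CRQC available in {crqc_year}")
        for r in run_assessment(SAMPLE_INVENTORY, crqc_year):
            print(f"  {r['asset']:<36} {r['algorithm']:<14} "
                  f"margin {r['margin_years']:+5.1f}y  {r['verdict']}")
```

The point is less the arithmetic than the bookkeeping: the CRQC year is a single named assumption carried into every verdict record, so when the assumption is revised the whole analysis is recomputed the same way, and a reviewer can see which verdicts rest on which assumption rather than on a feeling about urgency.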


The demand for generic / universal processes

Many of the questions raised in the various presentations came to the same conclusion: it is often a question of information and communication flows within the value chain, and these are currently at a level that still needs to be improved.

Who communicates with whom, and in which direction, when specific questions arise?

Take a legitimate question such as this one: components that are already in the field, or that will continue to be installed, may not have been developed in accordance with ISO/SAE 21434. Which sub-supplier, supplier or even the OEM is responsible for communicating what to whom?

The way things are handled here is largely non-uniform at present.

It is important to streamline the exchange of information along the entire value chain and to establish common strategies for efficient information transfer.

At the conference, we encounter calls for standardization in countless places.

They range from the need for efficient, standardized handling of cryptographic material along the entire supply chain, to globally uniform verification that ISO/SAE 21434 has actually been applied (keyword: harmonization of ISO/SAE 21434 certificates), to the need for a standardized translation of region-specific regulations (e.g. for the Chinese market).

Currently, we encounter again and again individual procedures, non-standardized methods, custom-developed questionnaires, and much more. The consequence? Complexity keeps increasing. Combined with the persistent lack of resources and specialists, this can lead to a situation in which real cybersecurity risks are at some point simply no longer seen.


The importance of consistency of methods

We are all too often asked for concrete best practices, tools and recommendations that promise a kind of template to relieve one's own workload. But the work always remains work in one's own organization, one's own structures, one's own project, one's own teams.

However, from our consulting perspective, one of the most important tips we always pass on is this: work consistently.

When asked at the conference how exactly to approach a particular activity, you hear in many places that you should, above all, be consistent.

Consistency in methods, consistency in scenario analyses (even when they rest on assumptions) and consistency in the structures one designs are widely underestimated criteria when addressing cybersecurity issues comprehensively.


Sum up: The security bubble and the need to get out of it

Two and a half intensive days of insightful presentations, with valuable exchanges of experience on the side, have brought one thing to mind: the still quite young field of automotive cybersecurity, whose leading organizations and relevant players from around the world made their way to Munich, has a certain tendency to form a bubble.

A bubble in which everyone agrees.

But the connections and interactions out of the bubble - towards the organization, the project and the decision makers - run the risk of being insufficient.

Is automotive cybersecurity getting too busy with itself instead of initiating what is feasible?

Better not!

In summary, the many good presentations, discussions and expert talks produced six impulses that apply across the board:

  • Culture eats strategy: How strong is the cybersecurity culture? It is important to give people more guidance rather than just designing processes. Build real cybersecurity expertise in the various functions within the organization - software developers, purchasing, etc. - well beyond the cybersecurity team.
  • Educate the executive level: the impact and consequences for the core business must be made clear, in the language of management.
  • Allow iterative progress: What is considered a minimum requirement today may not be so in three or six years. That is fine and can be communicated as such. At the moment there is still a lot of room for interpretation; it is a matter of searching for the truth.
  • This is the starting line, not the finish line: UN R155 and ISO/SAE 21434 in its "First Edition" are here; now the race to increase organizational maturity is on. Define KPIs, state the maximum achievable, set milestones, and show a roadmap to get there.
  • Beyond compliance: One of the biggest dangers right now is that the emerging "certification process monsters" are being tackled at extreme expense while the actual product falls by the wayside. It is important not only to do the right thing for certifications, regulations and documents, but to do the right thing for the product.

Cybersecurity good. Cost efficiency even better? How can all of this be implemented without putting too much pressure on costs?

This central question is more or less above everything. Organizations and projects find the answer individually, of course. But the joint exchange of approaches to solutions helps immensely to find the right answers.

See you next year.

Tobias Pilz

Associate Partner at CYRES Consulting

2 years ago

Thank you for the summary :)


More articles by Philipp Veronesi
