Cyber is more than an IT issue in the automotive industry: report
APMA's Institute for Automotive Cybersecurity and KPMG in Canada help suppliers close cybersecurity gaps
TORONTO — At a time when the automotive industry is increasingly focused on connected cars and information services, less than half (42%) of Canadian auto parts manufacturers recognize how vehicles are potential hotbeds for cybersecurity threats, finds a new report by the Automotive Parts Manufacturers’ Association’s (APMA) Institute of Automotive Cybersecurity (apmaIAC) and KPMG in Canada.
The joint apmaIAC / KPMG Canadian automotive cyber preparedness report finds that many auto parts suppliers have yet to embrace the elements of security, privacy, and cyber safety in their operations because they feel their individual product offering is not technologically advanced. Yet today’s vehicles are micro-communities in themselves with vehicle-to-everything technology. Cyber threats also extend to the manufacturers themselves, who need to guard all parts of their operations from attacks, including supply chain systems, the hardware and software facilitating manufacturing equipment, robotics, customer channels, and back-office operations.
“Cyber has many faces in today’s automotive industry and poses significant risks if left unchecked,” said Flavio Volpe, president, APMA, in a prepared statement. “The reality is that now, more than at any other time in manufacturing, companies must safeguard their products, operations, and systems no matter the type of components, parts, systems, and assemblies they produce.”
The report notes automobile original equipment manufacturers (OEMs) and their suppliers in Canada need to prepare for several domestic and international vehicle cybersecurity-related regulations – from Transport Canada’s Vehicle Cyber Guidance to the United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations. The U.N. regulation, for example, will require companies to document how they will prevent specific kinds of incidents, report information on cyberattacks and inform authorities at least once a year on whether their cybersecurity measures have been effective.
As well, the forthcoming ISO 21434 Road Vehicles Cybersecurity Engineering standard has set cybersecurity risk management requirements for road vehicle systems, components, and interfaces throughout all stages of their development from engineering, production, operation and maintenance to decommissioning, according to the report.
OEMs reported they are holding suppliers at every tier more responsible for protecting their contributions to the supply chain, underscoring the urgency to shift the mindset on cybersecurity.
“Building a cyber secure culture means keeping security awareness top of mind for all individuals in the organization – not just IT,” says KPMG’s John Heaton, partner, cybersecurity services. “Every company – no matter the product – has cyber ‘digital crown jewels’ that must be secured. Companies at every link in the supply chain must identify and protect these and ensure the partners they share data with are taking the same steps.”
Closing the cybersecurity gap
The report highlights six key considerations to help the industry close its cybersecurity gaps and embed cyber governance throughout the organization:
- Embrace a new cyber culture: Everyone in the supply chain must take cybersecurity into consideration. It only takes one weak link to expose the entire chain.
- Identify your cyber leader: Every organization needs to identify a senior leader who is accountable for cyber. They should not be an IT executive, but somebody senior who is accountable for cyber across the enterprise and equipped with the skills and knowledge to do so effectively.
- Understand your crown jewels: You can’t protect your operations effectively if you don’t know what needs protecting.
- Look beyond IT: Your IP and operational technologies are your competitive edge. Failure to protect them from theft, damage, or leaks could mean losing your market position.
- Consider your lifecycle: Cybersecurity isn’t all about the final product. Effective cyber governance covers the entire process, from design and engineering, to production and distribution, post-sale service and beyond. Each step comes with its own cyber considerations.
- Don’t wait to lead: While there are many good examples of Canadian companies taking charge with cyber, the sector tends to wait on directions from its OEMs or customers to make a culture shift. It’s important to take that lead now, both within your enterprise and among your supply chain, because anything that happens will inevitably impact you.