Supplier cyber risk concerns auto industry

Dive Brief:

In a new study by Synopsys and SAE International, 73% of respondents expressed concern about the cybersecurity of third-party providers, yet only 44% said their organization imposes cybersecurity requirements for products from upstream providers.
Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices also found 30% of organizations don’t have an established cybersecurity program or team, and 63% test less than half of the automotive technology they develop for security vulnerabilities.
“This study underscores the need for a fundamental shift — one that addresses cybersecurity holistically across the systems development lifecycle and throughout the automotive supply chain,” Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group, said in the release.

Dive Insight:

The automotive supply chain is long and complex. A break in the chain at a small, tier 3, single-part producer can be disastrous.

There are plenty of portals and opportunities for "bad guys" to breach security. According to the EY Global Information Security Survey 2018-19, 1.95 billion records containing personal information and other sensitive data were compromised between January 2017 and March 2018, and 550 million phishing emails were sent out by a single campaign during the first quarter of 2018. The average cost of a data breach last year, EY reported, was $3.62 million.

Opportunities do exist for automotive supply chains to protect themselves. One organization, the 3,000-member Automotive Industry Action Group (AIAG), last year released the Cyber Security 3rd Party Information Security publication to support industry efforts to protect sensitive data by outlining a unified set of cybersecurity guidelines for automotive trading partners.

Its strategies are based on industry best practices and standards. The National Institute of Standards and Technology (NIST) helped create the document. Also participating were security leaders from General Motors, Ford, Honda and Fiat-Chrysler, with additional input from Toyota, Nissan, Caterpillar, Bosch, Continental and Magna International.

The guide covers such areas as access controls, data encryption, vulnerability management, security audits of suppliers/third parties, data retention and disposal and security investigations. Along with this framework, each original equipment manufacturer (OEM) can take additional measures to increase security of its suppliers and their supply chains.

"Over the course of the past 25 years, we have seen a remarkable shift in enterprise value from tangible to intangible assets. Data is the new currency," J. Scot Sharland, executive director of AIAG, said when the publication was announced. "As such, more effective command and control of data has become an enterprise risk management priority."