What are the characteristics of a risk management culture, and what value does it bring to the automotive sector? This article explores the fundamental tenets of a risk management culture and its importance in combating automotive cybersecurity breaches. With new requirements such as ISO/SAE 21434 and UN ECE R155 prescribing a cybersecurity management system (CSMS) to identify, capture and assess cybersecurity risks, automotive component and vehicle manufacturers can strengthen their CSMS by promoting a risk management culture. The characteristics described below can help you assess your own organization.
A surge in automotive cybersecurity breaches has accompanied the proliferation of connected vehicles. Upstream Security’s 2020 Automotive Cybersecurity Report found that automotive cybersecurity incidents doubled from 2018 to 2019, and experts expect that trend to accelerate as more connected cars and autonomous vehicles reach the roadways.
Connected ecosystems drive automotive innovation — increasing automobile connectivity with the cloud, other vehicles, infrastructure and systems — at an exceptional speed. Regulatory authorities are challenged to keep pace with the level and velocity of innovation related to automotive components and systems.
For this reason, ISO/SAE 21434, published at the end of August 2021, prescribes a cybersecurity engineering approach for managing the cybersecurity risks of road vehicles and their components across the product lifecycle. The standard requires manufacturers and their suppliers to put in place measures to identify, address, track and monitor risks, obligating them to respond to cybersecurity issues as they arise in the field rather than only at design time.
To comply successfully, manufacturers must be willing to acknowledge that risk is ever-present and to tackle cybersecurity challenges head-on with confidence and speed. Doing so requires a culture of risk management, characterized by the following organizational attitudes and activities:
- Discussing the inherent nature of risk openly — Everyone in the organization understands that they share responsibility for managing cybersecurity risks. Employees who play no active role in engineering a product may still handle customer and supply chain data, and they should protect that data through best practices and secure routines in their daily work. A strong cybersecurity culture includes competence management, awareness management and continuous improvement, and it gives cybersecurity and safety priority over performance, cost or schedule when the two conflict.
- Taking immediate action in response to identified risks — Savvy manufacturers maintain a defined process for analytical risk evaluation and escalation. They record risks consistently and completely, and they address them with the same discipline.
- Reporting risks formally, with resolution processes in place — By taking an analytical approach to resolution, manufacturers maximize what they learn from each incident and can track their progress year over year.
- Considering risk beyond the four office walls — Manufacturers with a risk management culture understand that cybersecurity threats can originate outside the organization: in the supply chain, among consumers, or in unexpected situations such as a global pandemic. By implementing a cybersecurity monitoring process to collect and analyze cybersecurity information, manufacturers can better assess risks to their products. That information may come from internal sources or from external ones such as security researchers, commercial and noncommercial feeds, customers and government agencies. ISO/SAE 21434 treats this monitoring as a continual activity: collected information is triaged to decide whether it represents a cybersecurity event that warrants vulnerability analysis for products already in the field.
In strong risk management cultures, employees know that cybersecurity risks are prevalent, and management encourages them to share, address and escalate those issues. These practices, in turn, make it more likely that cybersecurity threats are recognized and addressed early.
The practices prescribed in ISO/SAE 21434 also position manufacturers to meet other guidelines, such as the updated edition of the National Highway Traffic Safety Administration’s Cybersecurity Best Practices for Modern Vehicles, which was expected to be finalized at the end of 2021. NHTSA’s guidance for the automotive industry references ISO/SAE 21434 extensively and calls for many similar approaches to cybersecurity risk management.
With UL’s help, automotive product and system manufacturers can construct methodologies to identify cybersecurity threats more effectively. In-depth training then equips your team with the insights and tools to evaluate and address those threats. We can help you implement a cybersecurity management system (CSMS), the framework that UN ECE R155 and its national implementations require, and align it with ISO/SAE 21434.
Learn more about UL’s Automotive Cybersecurity Advisory Services.