Cybersecurity in the automotive industry | Insights from our Information Security Expert Michael Kirsch

Cybersecurity in the Automotive Industry


“While working as a TISAX® consultant, I noticed how difficult it is to keep track of the necessary regulations, conditions and standards of cybersecurity and homologation (a set of regulations defined by the German Association of the Automotive Industry). I would like to shed some light on this topic and give you an overview.”
Michael Kirsch

Cybersecurity guidelines and standards

Cybersecurity, including the cybersecurity management system, also plays a decisive role in the licensing of vehicles. UN Regulation R155 was introduced to ensure consistent conditions for vehicle licensing. It determines which measures manufacturers must take during and after production to ensure the cybersecurity of vehicles, and type approval can only be granted if its criteria are met. In addition to a complete risk assessment, the criteria also include a check of data security across the company’s units.

Security processes for internal development

Companies in the transport and traffic sector mainly use the guidebook SAE J3061 (Cybersecurity Guidebook for Cyber-Physical Vehicle Systems). It describes practical security processes and explains, among other things, how cybersecurity systems in vehicles can be developed and set up internally by the company.

Industrial cybersecurity for production and infrastructure

The IEC 62443 series of standards (Industrial communication networks – IT security for networks and systems), on the other hand, describes technical and process-oriented aspects of industrial cybersecurity and is frequently applied in the company’s units responsible for vehicle production and its infrastructure.

Work in Progress: Policy development and tight cooperation

Further initiatives define similar guidelines or rules for the industry, and some even call on the automotive industry to actively participate in developing such regulations.

Some guidelines and standards are still under development, such as ISO 21434 (Road vehicles – Automotive security engineering). Here, the committee is currently dealing with the safety aspect within the framework of ISO 26262 (Road vehicles – Functional safety).

Role of the Cybersecurity Management System (CSMS) and the R155 regulation

UNECE Regulation R155 specifies that vehicle manufacturers must implement a cybersecurity management system (CSMS). The regulation defines requirements for a systematic, risk-based management system with organizational processes, defined responsibilities and methods to mitigate threats and protect vehicles against cyberattacks. It is based on the standard ISO 21434.

The Difference between ISMS and CSMS

The CSMS aims to protect people in traffic and the general public in a context of increasing digital connectivity and automation of vehicles, whereas an ISMS ensures information security within an organization and throughout its supply chain.

To make a long story short: an ISMS ensures data security within your organization, while a CSMS aims at the security of the vehicle and its users.

Norm ISO 27001

I have repeatedly noticed that the ISO 27001 standard is a prerequisite for creating a compliant basis for all-inclusive information security – and thus also cybersecurity – in your organization, and for objectively verifying this with a certificate. The international standard specifies the requirements for establishing, implementing, maintaining and continuously improving a documented information security management system (ISMS), and it also forms the basis for a successful TISAX® assessment. It affects all aspects of your company – from production to the finished product and services. Without an established ISMS, the challenges of digitalization cannot be mastered.

NORM X | On the fast track to TISAX® Assessment

With NORM X, we offer a software-based solution for the automotive industry to reach the TISAX® Assessment quickly. Throughout the process and the audits, your personal ISEGRIM X Information Security Officer (IX ISO) guides you and is available to answer questions.

We would be pleased to present our innovative solution to you via telephone or a video meeting. Simply use the button to arrange a non-binding meeting!

Relevance of corporate Cybersecurity

To stay competitive, you need to make information security a part of your corporate culture and make all executives, managers and employees aware of it. Current and future regulations make this an absolute necessity.

For this reason, I would like to point you to further standards and regulations that can help. They serve as a template for implementing the security requirements demanded by a complex, digitally networked world of vehicles.

  • SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
  • SAE J3101: Requirements for Hardware Protected Security for Ground Vehicle Applications (WiP)
  • ISO 15031: Road vehicles – Communication between vehicle and external equipment for emissions-related diagnostics; Part 7: Data link security
  • ISO 15764: Road vehicles – Extended data link security
  • ISO 21434: Road vehicles – Automotive security engineering
  • ISO 26262-1:2011: Road vehicles – Functional safety
  • TS 102 940: Intelligent Transport Systems (ITS); Security; ITS communications security architecture and security management
  • TS 103 096-1 to TS 103 096-3: Intelligent Transport Systems (ITS)
  • TR 103 061-6: Intelligent Transport Systems (ITS); Testing; Conformance test specifications for ITS Security; Part 6: Validation report
  • Auto-ISAC (Automotive Information Sharing and Analysis Centre): Best Practices
  • I Am the Cavalry: Five Star Automotive Cyber Safety Program
  • UNECE: Guideline on cybersecurity and data protection of connected vehicles and vehicles with ADT
  • ENISA: Cyber Security and Resilience of Smart Cars

Any questions left? Feel free to contact me!