Drastic increase in cyber attacks on connected vehicles. Proof of a certified Cyber Security Management System (CSMS) required.
As UNECE Regulation No. 155 gradually comes into force, evidence of a certified Cyber Security Management System (CSMS) will be required from car manufacturers in 56 countries worldwide from July 2022 in order to register new vehicle types with registration authorities. PwC Germany conducted interviews with car manufacturers, suppliers and market experts around the world to investigate opportunities and challenges as well as the current implementation status at the companies and suppliers concerned.
“Modern vehicles are increasingly becoming connected terminals. In the course of this development, vehicle manufacturers must increasingly adopt the perspective of a software and hardware provider. This is also accompanied by corresponding cybersecurity requirements,” says Harald Wimmer, Partner and Global Automotive Leader, PwC Germany. For the companies surveyed, there is no doubt about this either: 89 percent see significant competitive advantages in a high level of cybersecurity maturity.
Obstacles on the road to greater cybersecurity
“In a broader sense, a CSMS provides the foundation for robust cybersecurity in modern vehicles. It not only” explains Joachim Mohs, cyber security expert at PwC Germany. Although all OEMs said they have already implemented a CSMS, the development status of most management systems is still in the design phase. The four biggest hurdles to implementation currently include, above all, 1. lack of skilled personnel, 2. tight timeframes for implementation, 3. lack of common interpretations and specifications of the standards, and 4. the complexity of modern value chains.
The core results of the “Global Automotive Cyber Security Management System (CSMS) Survey 2022” at a glance:
– The implementation progress and maturity levels of individual CSMS projects vary greatly – even in a direct comparison between manufacturing and supplier companies. According to the survey, the former have an average degree of completion of initial CSMS projects of 71 percent, while suppliers have an average of 59 percent. Most participating companies report that their activities to date have been predominantly related to the design of the CSMS, with full operational functionality still pending.
– With the average duration of a CSMS project reportedly around 30 months, affected companies with a low CSMS completion rate need to act now and closely examine upcoming regulatory and contractual requirements in all relevant markets. OEMs should take a results-oriented approach and adhere to the evaluation criteria of national regulatory authorities.
– Service-oriented ecosystems revolving around the vehicle will grow strongly in the future, enabling many new business models. The required CSMS not only protects the value creation of these new ecosystems, but also influences their operating costs over the entire lifecycle and ensures long-term legal compliance.
– All respondents agreed that cyberattacks on connected vehicles will increase significantly in the future.
– The CSMS is an important milestone on the journey to successful digital transformation. However, companies in the automotive industry need to network their cyber initiatives much more closely, embedding cybersecurity at the core of the company and embedding cyber risk management in the company’s risk management.