There are two terms that get mixed up easily: “safety” and “security.” Do they mean the same thing?
TT: Safety refers to protection against threats to the life and limb of people or threats to the environment. In connected technical systems, protection against manipulation (“cyber security”) forms the basis for safe systems (“safety”).
The cliché of the “hacker” as a man in a hoodie sitting in his “den” is a familiar image to us, mainly from Hollywood movies. Nevertheless, it is all over the Internet. What does the potential threat to cyber security really look like?
TT: All aspects of our lives are becoming increasingly digitalized and connected. Whether we drive to the office, talk to a voice assistant, or use our laptop – data interfaces and the associated risks are everywhere.
Connecting different devices and systems is convenient and offers many advantages, but comes with the potential threat of manipulation attempts as a disadvantage. And this is where intruders, or “hackers” (laughs), come into play, for example through an attack that fakes false facts, manipulates data, or creates an overload. You could even get a system to do something other than what it was designed to do by reprogramming it.
Take payment instructions, for example. If they are made through a smartphone or handled through Internet banking on a home network, cyber-attacks can cause financial loss, so-called identity theft, or loss of convenience. Let's think one or two categories bigger: In the case of connected industrial plants or vehicles, manipulation attacks would have a direct impact on safety. They could even threaten lives or cause environmental damage. Scenarios in which a hacker could manipulate entire fleets of vehicles by command while they are on the road and cause accidents must be prevented from the outset.
You describe scenarios that we really don't want to see become reality. How can we proactively counter this potential threat?
TT: That can only be done by taking a holistic view. You have to include people, the “product,” the technology, and the underlying processes in the equation. Specifically: people and their level of attention, the handling of connected devices and systems, the communications infrastructure, i.e. the “network,” and the devices in their design or purpose.
DEKRA can contribute to cyber security on all these points. For example, through training, consulting, product and security tests, assessments of the technical solutions’ architecture or processes – as early as the product development phase. But, of course, also during the product's life cycle.
Last year (2020) DEKRA established its “Cyber Security Hub.” What happens there and what approach do they take?
TT: As already mentioned, you have to look at cyber security holistically – independent of the classic organizational structures within DEKRA. That's why we are bundling existing DEKRA competencies in the Cyber Security Hub, developing them further, and coordinating existing and future services. All of this happens across our Service Divisions and Regions – with DEKRA DIGITAL as the coordinating unit.
Cyber security is a fast-growing market. We are seeing more and more demand, and new standards and legal regulations are constantly emerging. In addition, different industries are facing identical issues in this respect; they have to comply with industry-specific standards and implementation regulations. The “Cyber Security Hub” is our answer to this development. Customer inquiries can be handled as a whole, and new services can be set up flexibly and quickly.
You mentioned that standards and regulations differ from industry to industry. How does DEKRA address these specific cases?
TT: We already have different kinds of cyber security services for several industry sectors in our portfolio. In the area of product testing, for example, test procedures are carried out according to different international standards for railroad technology, medical technology, communication technology, or specific industry specifications for the IoT.
Of course, DEKRA also provides customers with general support regarding cyber security. For example, we train employees on IT security and raise awareness of increasing risks – digitally or with on-site training. Scanning websites with regard to configuration and initialization is also part of our offering.
It sounds like the future of mobility is not quite as far away as we thought. Are there also new laws on this and what do they say?
TT: Yes, new laws are also emerging at the moment regarding cyber security in cars and other vehicles. The United Nations Harmonization Forum on Vehicle Regulations, better known as WP.29, published two new regulations last year, which partner countries are now implementing in national legislation in the short term:
There is one regulation on cyber security (R155) and one on software updates (R156). They state that vehicle manufacturers must operate a certified management system for both cyber security and software updates. The certificates must be renewed regularly. In addition, the vehicles themselves must be cyber-security- and update-capable, as this is taken into account in type approval. It is important to note that type approval can only be granted if the management systems have a valid certificate.
What is the situation in the automotive industry? What standards apply there? After all, the inspection of cars is part of DEKRA's core business – does that also apply to cyber security?
TT: At DEKRA, we have been helping the companies and users of the mobility ecosystem to ensure that vehicles are safe for almost a hundred years now. We want to build upon this, especially for these new threats to vehicles – in line with our vision to be the global partner for a safe world.
In the automotive industry, the topic of cyber security was not really in demand until 2019. However, this changed dramatically in 2020 – thanks to a new ISO standard for cyber security, “ISO/SAE 21434.” This standard covers the entire product development and life cycle of a vehicle with all its electronic components, including software.
This means that it is not only the product characteristics of a vehicle that are decisive for its cyber security, but also all related processes. Design, development, production, operation, monitoring, maintenance, and repair must also be considered. This standard has already been published in a preliminary version and will be finalized this year (2021).
Another ISO standard for software updates in the automotive industry (“ISO/CD 24089”) is expected as a preliminary version toward the middle of the year. It applies to updates via public networks as well as in workshops.
Both standards must be complied with by the entire supply chain and, of course, by the vehicle manufacturer itself. This means there is a new and rapidly growing market for DEKRA. Last year, we set up a new international team within DEKRA DIGITAL and the Regions for this purpose and developed services and tools – including training modules on the new standard, evaluation of technical solutions, process analyses, and initial trial assessments.
And where does DEKRA DIGITAL come into play here?
TT: Everything about WP.29 poses major challenges, not only for vehicle manufacturers but also for the entire supply chain. This is because the laws will apply to new vehicles from mid-2022 and to all vehicles in production from mid-2024. In this context, DEKRA DIGITAL has developed initial services to take care of these certification and type-testing tasks as a technical service. We are already working with our new services with supplier companies as well as vehicle manufacturers. Early piloting in customer projects will allow us to expand our experience, refine the services, and expand our “toolbox” in this regard.
ABOUT THOMAS THURNER
Thomas Thurner brought over 30 years of experience from the automotive industry, primarily in the areas of vehicle electronics and software architecture, when he joined DEKRA in 2019. At DEKRA DIGITAL’s “Cyber Security Hub”, he is responsible for coordinating information security across all of DEKRA’s units.