Trends in the Automotive Industry: How do you meet ISO 21434 for Cybersecurity in Vehicles?

Electric cars, hydrogen cars, self-driving cars …

In the near future, we will see a completely different automobile industry from what we see today.  And what’s emerging as one of the most important topics with these recent changes?  Security.

In particular, Level 3 autonomous cars, which provide conditional automation that can make informed driving decisions, will start arriving this year.  Mercedes-Benz has already received internationally valid regulatory approval to produce vehicles capable of Level 3 autonomous driving.  BMW, Audi, Honda, Volvo, GM, and Tesla, among others, also have similar projects in the works.

Level 3 autonomous driving, as defined by SAE International, means that the driver can hand over control to the vehicle, but must be ready to take over when prompted.  Autonomous vehicles communicate with and receive data through far more sensors than electric or hybrid vehicles.  This means there is a high possibility that the personal information of vehicle owners and important data related to automobile software will be leaked.

Global Security Requirements

Against this backdrop, the global automobile industry is investing heavily in security-related technology development and certification.  Automotive security regulations have also been tightened: the United States, the EU, Japan, Korea, and other countries are required to identify and respond to threats in accordance with the international cybersecurity standard ISO/SAE 21434.  This standard specifies engineering requirements for cybersecurity risk management in the design and development of car electronics.  It covers cybersecurity governance and structure, secure engineering throughout the life cycle of the vehicle, and post-production security processes.  The supply chain is also included to cover each step in automotive production.

New cars sold in Europe starting in July 2022 and all new cars sold in 54 countries starting in July 2024 must meet these requirements.  The manufacturer must be certified for cybersecurity management capabilities, which include protecting the sensitive data used in the design, development, manufacturing, and servicing of these vehicles.

ISO/SAE 21434 covers all phases of a connected vehicle’s lifecycle for electrical and electronic systems, including their components and interfaces:

  • Design and engineering
  • Production
  • Operation by customer
  • Maintenance and service
  • Decommissioning

This lifecycle approach to cybersecurity management makes ISO/SAE 21434 one of the most comprehensive approaches to connected vehicle cybersecurity.  Certified test reports issued by certification centers are mutually recognized worldwide, including in the United States, Europe, Korea, and Japan, and have equal efficacy and public confidence internationally.  Compliance with security regulations now serves as a “right to enter” into new markets, and only companies with this capability can export and gain new supply chains.

Getting TISAX and ISO 21434 Certified

TISAX (Trusted Information Security Assessment Exchange) certification, a cybersecurity framework devised by the German Automobile Industry Association (Verband der Automobilindustrie, VDA), has established itself as an information security standard in the global automotive industry.  Sensitive data in CAD/CAE files, office documents, and supplier information, which are at the center of corporate competitiveness, is shared within a huge supply chain.  Since important information is being circulated on a much larger scale than in other industries, affiliates must prove their security level to each other to prevent information leakage during the collaboration process.

Virtually all companies in the German automotive supply chain (automobile manufacturers, OEMs, partners, suppliers), whether based in Germany or not, must demonstrate a level of information security management in accordance with the requirements set out by the VDA-ISA.  The problem is that TISAX and ISO 21434 certifications are complex and difficult to obtain compared to other international standard information security certifications (ISO) or information security management system certifications (ISMS).

Protect Sensitive Vehicle Information

The best approach to meet the certifications and enable selling into global markets is to use a data-centric security approach to protect and manage files that contain the sensitive data used during the design, development, and manufacture of autonomous vehicles.

Enterprise DRM (EDRM) protects sensitive information from unauthorized access and controls what an authorized user can do with it.  By encrypting the files and applying dynamic access controls, you can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information.  You can control derivatives of documents since engineers and other users frequently share PDFs or other common formats both internally and throughout the supply chain.  Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network.  You can also revoke access or change permissions after you distribute a document if the sensitivity of the information changes or if the set of people who should have access to it changes.

Protecting your sensitive intellectual property (IP) while complying with ISO/SAE 21434 and TISAX will be critical for any company working in the automotive industry.  Using EDRM to protect your files without changing user workflows will meet these requirements so you can compete in this market.
