Securing the Automotive Supply Chain

For those not involved in automotive, it is easy to overlook the complexity of the automotive supply chain. While most know that vehicle manufacturers don’t make every part themselves, the full extent of the supply chain’s depth and breadth often goes unnoticed. Securing that supply chain has not only become a priority of the federal government [1], but it’s a common challenge the industry is trying to solve. This article explores the significant challenges in securing the supply chain, alongside potential solutions and resources.

Cyber Supply Chain Risk Management Visibility is Low

To grasp the challenges specific to automotive cybersecurity, we first consider the general issues of supply chain cybersecurity. Visibility, the ability to track and monitor product development stages and activities, diminishes significantly with each layer of outsourcing, as depicted in Figure 1.

End-to-end visibility has been rated the number one challenge in effectively managing the supply chain [6], and this applies especially to cybersecurity, which is ever evolving.

Increasing this visibility, however, is no simple task. The National Institute of Standards and Technology offers guidance for achieving stronger cyber risk management practices within supply chains (NIST SP 800-161r1), which was only published in 2022 [5]. A key concept of this best practices publication is integrating cyber supply chain risk management into the enterprise’s risk management at the highest levels. Not only do those changes require much effort and buy-in, but the results take time. Today, cyber supply chain risk management is often confined to small security teams and implemented in a ‘check-the-box’ fashion with little multilevel integration.

Automotive Cybersecurity Maturity Low; Compliance Cost High

The de facto automotive cybersecurity standard, ISO/SAE 21434, was published only in 2021 [3]. July 2024 marks the UNECE’s deadline for all current and future vehicles from all manufacturers to pass type approval. A prerequisite is having a certified Cybersecurity Management System (CSMS), proving that the organization’s engineering processes have considered cybersecurity throughout the product development lifecycle [8].

While vehicle manufacturers and some of the largest Tier 1 suppliers have gone through their first rounds of implementing ISO 21434, many suppliers are still grappling with understanding and integrating it. The costs and time involved are substantial, and while meeting this standard is essential, many are looking to leverage advanced cooperative models and tools to enhance cybersecurity efficacy and efficiency.

Automobiles are Complex

While it’s been said by many that vehicles are computers on wheels, modern vehicles are closer to semi-autonomous mobile cloud networks than to a simple ‘computer’. With hundreds of electronic control units, assembled in varying network architectures, these machines contain parts from different manufacturers using different hardware specs, programming languages, and a myriad of proprietary information that each supplier needs to protect.

When discussing automotive software complexity, Ford CEO Jim Farley says, “the problem is that the software is all written by 150 different companies and they don’t talk to each other. So even though it says Ford on the front, I actually have to go to Bosch to get permission to change their seat control software [and] . . . it’s actually their IP . . . all the structure of the software is different. It’s millions [of lines] of code” [2, 7].

Challenges Summarized

Managing cybersecurity risks in the automotive supply chain presents challenges due to limited visibility into supplier activities, the need for IP protection, and the complex nature of the supply chain. Despite advancements in enterprise cybersecurity, the industry is still in the early stages of effectively managing product cybersecurity. The transition to Software Defined Vehicles (SDV) adds new software complexities, emphasizing the importance of collaboration among stakeholders and the adoption of advanced tools to enhance cybersecurity efficacy and efficiency.

Addressing the complexities of cybersecurity within the automotive supply chain demands collaborative efforts from both automakers and suppliers. While solutions are being built and adopted to confront these challenges, effective risk management necessitates extensive collaboration across various organizational levels and the development of innovative tools. These relationships, processes, and tools are crucial not only for mitigating known risks but also for rapidly responding to emerging threats.

Rallying Behind Common Cybersecurity Standards

NIST’s Case Studies in Cyber Supply Chain Risk Management found that mature cyber supply chain risk management programs “leverage industry standards throughout the supply chain lifecycle” [4]. Luckily for those implementing ISO 21434, clause 7 requires them to ensure their suppliers implement it as well, further harmonizing requirements across suppliers and throughout the supply chain.

Clause 7 gives minimal guidance, however, on enhancing visibility or addressing identified risks. The main activities suggested by ISO 21434 are to assess each supplier’s cybersecurity capability and to clearly assign cybersecurity tasks and responsibilities. Rating cybersecurity capability is important, but all respondents in NIST’s Case Studies in Cyber Supply Chain Risk Management (C-SCRM) stated that measuring supplier risk was a challenge [4].

Assessing suppliers is one thing, but mapping the results of those assessments back to overall organizational risk thresholds and to individual project needs can’t be accomplished without buy-in from many teams. This is why we should look to other sources for best practices in managing cyber risk through the supply chain that also align with cyber secure engineering. One such source is NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations [5] (hereafter referred to as the “NIST Guidelines” for readability).

Actively Strengthen The Supply Chain’s Cybersecurity Practices

Whether assessing the general cybersecurity capabilities of suppliers or assigning individual cybersecurity activities for a particular project, there will be cybersecurity gaps that a supplier cannot adequately cover. This means outsourcing organizations will either a) perform that activity on behalf of the supplier or b) require the supplier to address the gaps. Ideally, both should be done. Since the outsourcing organization has likely addressed this gap already (or is actively working to improve it), there’s a strong argument for working together with suppliers to jointly improve cybersecurity capabilities. This strengthens the supplier’s own supply chain as well, which in turn strengthens the product’s quality.

A main component of the NIST Guidelines is integrating supply chain cybersecurity risk management into enterprise-wide risk management at the highest levels of the organization. The critical success factors listed in that document cannot be accomplished by a product cybersecurity team, regardless of its size, so buy-in from the top down, throughout the organization, is a must. The document also calls out the advantages of assigning certain activities to a dedicated and centralized Program Management Office for C-SCRM, although it recognizes that there are many operating models. Other relevant critical success factors include supply chain information sharing, training and awareness, and continual improvement processes.

Much like Toyota improving its own quality and efficiency by teaching the Toyota Production System to its suppliers, the best way to strengthen the cybersecurity of the supply chain is simply to work together to do so. While a subset of respondents in NIST’s case study stated that they typically focus on selecting only cyber-mature suppliers to reduce supporting activities, “nearly all of the interviewed organizations provided examples of preventive and corrective actions taken to improve their suppliers’ baseline cybersecurity practices” [4].

Automate Cybersecurity Risk Management with Advanced Tools

An organization and its entire supply chain could have the most advanced and tightly controlled cybersecurity engineering practices on the planet, but there is no such thing as a permanently secure system, and vulnerabilities are simply part of the product life cycle. Some vulnerabilities will present a low risk and some a high one. Some of these risks will surface within the control of the organization and some within that of its suppliers. Some will surface during the design phase of the vehicle, while others will surface in individual components years after product release.

Even the largest OEMs and suppliers don’t yet have the tool to solve all these issues, but they’re building and sourcing it, some with Block Harbor, utilizing our Vehicle Security Engineering Cloud (VSEC), and some by piecing together internal resources. Whether an organization is using VSEC or building its own solution, the cybersecurity tasks recommended in ISO 21434 are labor- and time-intensive and costly if done in isolation. A simple example is ensuring that vulnerabilities identified after product release are a) sent to the right teams for action; b) updated in engineering specs; c) added to the affected components for future TARAs; and d) added to cybersecurity catalogs and/or lessons learned to ensure no repeat occurrences.
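The steps a), c) and d) above are, in practice, a traversal of the bill of materials: a finding in one shared part must reach every ECU, project and supplier that contains it, and be recorded against each so the next TARA sees it. The following is an added illustration of that propagation, not Block Harbor’s or VSEC’s code; the BOM, owners and vulnerability identifier are constructed sample data, and step b) (updating engineering specs) is left out of scope.

```python
"""Propagate a post-release vulnerability across a multi-tier automotive BOM (added illustration)."""
from collections import defaultdict

# Constructed sample BOM: parent -> child components, several tiers deep.
# "can_stack" is deliberately shared by two ECUs from different Tier 1 suppliers.
BOM = {
    "vehicle": ["bcm", "ivi"],
    "bcm": ["seat_ctrl_sw", "can_stack"],
    "ivi": ["can_stack", "bt_stack"],
}
# Constructed ownership: component -> (supplier, responsible OEM team).
OWNER = {
    "vehicle": ("OEM", "product-cyber"),
    "bcm": ("tier1-A", "body-electronics"),
    "ivi": ("tier1-B", "infotainment"),
    "seat_ctrl_sw": ("tier2-C", "body-electronics"),
    "can_stack": ("tier2-D", "platform-sw"),
    "bt_stack": ("tier2-E", "infotainment"),
}

def parents_of(bom):
    """Invert the BOM so we can walk upward from a component to everything containing it."""
    up = defaultdict(list)
    for parent, children in bom.items():
        for child in children:
            up[child].append(parent)
    return up

def propagate(vuln_id, component, severity, bom=BOM, owner=OWNER, catalog=None):
    """Route a finding in `component` to every affected tier and record it for future TARAs.
    Returns (affected components, parties to notify, updated catalog)."""
    catalog = catalog if catalog is not None else defaultdict(list)
    up = parents_of(bom)
    affected, stack = [], [component]
    while stack:  # upward traversal: a flaw in a shared part affects every assembly that uses it
        current = stack.pop()
        if current in affected:
            continue
        affected.append(current)
        stack.extend(up.get(current, []))
    # a) route to the responsible teams and to every supplier in the affected chain
    notify = sorted({owner[c][0] for c in affected} | {owner[c][1] for c in affected})
    # c) / d) attach the finding to each affected component's catalog entry so the
    # next TARA on that component (or any assembly containing it) starts from it
    for c in affected:
        catalog[c].append({"id": vuln_id, "severity": severity, "via": component})
    return affected, notify, dict(catalog)
```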

Conclusion

Major OEMs and suppliers recognize ISO 21434 as the foundational standard for ensuring cybersecurity in safety-critical systems, yet they are aware that adhering to it increases costs without necessarily enhancing the cybersecurity of their products beyond their immediate sphere of control. Of the numerous guidelines and deliverables outlined in ISO 21434, only a handful directly address supply chain management, leaving it to the iterative application of clause 7, supplier by supplier, to carry requirements down through the supply chain.

Companies that proactively engage in enhancing cybersecurity practices across their entire supply chain, rather than merely complying with basic standards, gain a competitive edge in both cost and product quality. They also achieve greater transparency in cybersecurity across their products, which is a significant advantage.

Every participant in the supply chain, from OEMs to Tier N suppliers, bears responsibility for the cybersecurity of the final product. When a significant vulnerability emerges, the responsibility falls on them, regardless of whether the issue originated from a component supplied by another party. Therefore, it is imperative for companies to collaborate closely with their suppliers to fortify the cybersecurity measures throughout the supply chain.

  1. Executive Office of the President. Executive Order 14028: Improving the Nation’s Cybersecurity. [Online] May 12, 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
  2. Fully Charged Podcast. YouTube. [Online] June 5, 2023. https://youtu.be/8IhSWsQlaG8?feature=shared
  3. International Organization for Standardization & the Society of Automotive Engineers. ISO/SAE 21434:2021 Road Vehicles – Cybersecurity Engineering. SAE International, 2021.
  4. National Institute of Standards and Technology. Case Studies in Cyber Supply Chain Risk Management. [Online] February 2020. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02042020-1.pdf
  5. National Institute of Standards and Technology. NIST SP 800-161r1 – Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. [Online] May 2022. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
  6. Steinberg, Glenn. How reinventing the supply chain can lead to an autonomous future. EY. [Online] 2019. https://www.ey.com/en_us/consulting/how-reinventing-the-supply-chain-can-lead-to-an-autonomous-future
  7. Stumpf, Rob. Ford CEO explains why legacy automakers take forever to issue OTA updates. The Drive. [Online] August 7, 2023. https://www.thedrive.com/news/ford-ceo-explains-why-legacy-automakers-take-forever-to-issue-ota-updates
  8. Vehicle Certification Agency. Cyber Security and Software Updating. [Online] January 2024. https://www.vehicle-certification-agency.gov.uk/connected-and-automated-vehicles/cyber-security-and-software-updating/