#omnex #omnexevents #webinar
Join us for an insightful recording as we delve into the crucial realm of automotive cybersecurity within the supply chain. In this session, we explore the best practices and strategies essential for safeguarding automotive systems from cyber threats. From manufacturing to distribution, our experts discuss key considerations, challenges, and effective solutions in ensuring the integrity and security of vehicles.
Whether you’re an industry professional, researcher, or enthusiast, this recording offers invaluable insights into the evolving landscape of automotive cybersecurity. Tune in and equip yourself with the knowledge to navigate the road ahead securely. Subscribe to stay updated on more insightful content!
Contact Us: https://www.omnex.com/contactus/
Okay, hello. Miles, can you hear me? Miles, we are live right now. Juan, I will start in... Folks, we'll start the webinar in another two minutes; people are still joining in. We'll start shortly.

Folks, I'm going to start with the introduction while we wait for more people to join in. Welcome to "Implementing Automotive Cyber Security in the Supply Chain: Best Practices." You are joined today by Mr. Vignesh Sandan, Dr. Juan Pimentel, and myself, Chad Kymal. We're very happy to be here with you today. In fact, I have the pleasure of doing the initial slides and the presentation, and then turning it over to the Omnex experts, which is Juan and Vignesh. So with that, let's get going on this very interesting subject of automotive cyber security.

A brief introduction to who Omnex is. Many of you attend; we do multiple webinars and you may have attended, but we always get new attendees, so let me just tell them who we are. Omnex is a global training and implementation and also software company. We're headquartered in Ann Arbor, Michigan; we have offices globally, and of course our forte is working with companies implementing initiatives from different industries. We are very proud to say we are the authors of many of the standards that we talk about; in fact, Dr. Juan Pimentel is one of the writers or contributors to ISO 21434 for the United States.

A quick look at Omnex offices worldwide. This is something we are very proud to do: we are supporting our customers in this international automotive industry, with customers and suppliers all over the world. We are not only in automotive but also in aerospace, semiconductor, and medical devices. We separated EV (electric vehicles) and autonomous vehicles from our standard offerings, and of course as the industry moves into EV/AV we'll be merging the two, but we have a whole practice in electric vehicles and autonomous vehicles. Juan, myself, and Vignesh have written many, many papers about how all these different standards work: how ISO 21434 works with ASPICE, how functional safety and cyber security interface with each other, how to do integrated new product development, which is one of my pet topics. So do write to Miles if you'd like to learn more about these other standards.

A quick look at what Omnex does, including in ISO 21434 or R155 or R156: we do a gap analysis and then we help you implement, and we also have product certifications. We are just months away from announcing our safe and secure certifications division.

A quick look at Dr. Juan Pimentel's background. You can see that he's worked a lot in hardware; he has a PhD in hardware and has done an extensive amount of research. He used to be a professor at Kettering, and he's been with us for a while doing many different projects, both in functional safety and cyber security. Vignesh focuses on both functional safety and cyber security; lately he's been doing many of our cyber security projects, including many different ISO 21434 cyber security assessments and audits. He's also a TARA expert.

All right, here we are. This is the webinar that we have promised: Implementing Automotive Cyber Security in the Supply Chain: Best Practices. And with that, let me turn things over to Dr. Juan Pimentel. There you go, Juan.

All right, let me share my screen. You should be able to see my screen now. Can you give me feedback: do you see one or two screens? We see your screen, Juan. We see two screens. Now we see one screen. All right, okay, now it's fine. Okay.

Good morning everyone, and welcome to this webinar, and thanks Chad for the nice introduction. As you could see, the topic for today's webinar is best practices for implementing automotive cyber security. At Omnex we have worked with several clients in the last few years on implementing cyber security, and it has been quite challenging, I would say. Because of our working with these clients, we have learned many questions that they had, many issues, and many things that they would really love to know ahead of time when implementing these standards. So for that reason we decided to have this webinar, which is really a compendium of best practices.

The assumption is that you already know a fair amount of 21434, which is the automotive cyber security standard, and also that you're familiar with the European regulations R155 and R156. We don't expect you to be experts in the areas, but we do expect that you are fairly knowledgeable about these two documents at least.

So with that, let me go over the outline, the main points that we will cover in this webinar. First of all, we'll set up the context that we're talking about, and that is the current status of the implementation of automotive cyber security standards and regulations. I will briefly summarize ISO 21434, which is the main standard for automotive cyber security, and then these regulations, particularly R155, which stands for cyber security management system. We will review the new attack vectors that are coming out, because it has a bearing on our best practices, as well as the latest incidents and the current situation in the automotive cyber security landscape. I will talk a bit about data security, because it's one of the new topics that is coming out, as well as the convergence of IT and OT cyber security, IT meaning information technology and OT operational technology. Also, one of the best practices has to do with implementing cyber security in the supply chain, so we will summarize that topic briefly, and then summarize and explain our best practices in the context of what has been covered previous to that. We will conclude with some conclusions and also show you a listing of the courses and services offered by Omnex in areas related to cyber security.

So first of all, this is only a preview of the best practices that we have compiled. I'm not going to explain in great detail, because that will be forthcoming, but these are our best practices. As you could see, there are eight of them. The first one is implementing standards and regulations as a team, with the tier ones and tier twos and OEMs all together. Number two: realizing that automotive cyber security is not just ISO 21434; it's much more than that, and we'll explain that particular point. Also the need to do a comprehensive TARA, and this is particularly coming from ISO 21434 but as well as R155. We will review briefly the threats and attack vectors in the industry, and then the next best practice is about the solution landscape that's available for everyone for implementing automotive cyber security. The next best practice is about implementing portions of the standards, meaning that as an organization you don't have to implement all of the requirements of all of these standards; rather, the implementation is shared between OEMs and tier ones and tier twos, so that's kind of good news. Number seven: early on in the process you need to be defining a testing and verification environment; that's so crucial. And the last one is working with your suppliers, or working in a supply chain organization, particularly detailing a very well-written CIA, which means cyber security interface agreement. So this is a preview of the things that we will explain, and these are our best practices for you.

So in terms of the context, this figure is a little bit dated, but nevertheless it showed that just before... in fact, this figure was published just before we began work on ISO 21434. So ISO 21434 is not the first standard; there have been several documents prior to that, and this is an example of that. As you can see, you have documents related to the ISO 27000 series, also standards that start with an X, which come from the ITU, the International Telecommunications Union, which is a European body for standards. You have SAE standards such as J3101 and J3138, and even one from ISO here regarding certificates, ISO 20828. So the point is that prior to the development of ISO 21434 there were many documents and standards already available.

The standard 21434 is a so-called product standard, okay, and the product obviously is components of a vehicle, all the way to including the entire vehicle, but we're really talking about components of the vehicle, which the standard calls an item. That's the viewpoint of this particular standard. So this one kind of shows several elements of the vehicle that could have a bearing on cyber security, and there are many reasons why product cyber security is important; in this one we only list some of those, particularly high connectivity and related technologies, particularly wireless technologies, sophisticated infotainment and HMIs, and then a high level of comfort and convenience. So all of these are good in a modern vehicle; however, the bad news is that they constitute attack vectors, in other words, they constitute places where hackers can get into the system and do some damage.

Again very briefly, I'm not going to spend too much time on this, just an overview of the main points. ISO 21434 is the main standard from ISO for cyber security engineering for road vehicles. The purposes: there are several of them; one of them is to realize that cyber security is key for new product development. As mentioned before, new vehicles are offering additional functionalities and content that are of electrical and electronic nature, that's what E/E means. That is the good news; the bad news is that they constitute means for hackers to get into the system and do some damage. The main features of this standard are that it is risk based; in fact they define two risk levels, one is called CAL and the other one is risk value. It is life cycle based: you could clearly see the concept phase, development phase, and the post-development phases. It leverages ISO 26262 in many ways; particularly the item definition is the same, and the management aspects are extremely similar. In a nutshell, 21434 provides a really great framework to enable cyber security management as well as other technologies.

This is a top-level depiction of the main parts of this standard. Each part actually is called a clause, so you have Clause 5, 6, 7, 8, all the way through 15. Clauses 1 through 4 don't have requirements, so only Clauses 5 through 15 have requirements for implementing them. As you could see, the first two clauses, 5 and 6, are management oriented: management with respect to the company, 5, or with respect to a product or project, which is 6. Number 8 is interesting because this is very specific to cyber security; you don't have a counterpart to Clause 8 in functional safety, for instance. It's called continual cyber security activities; these are activities that are performed throughout the lifetime of the products. Number 7 has to do with the stuff that I mentioned, that implementing automotive cyber security is a supply chain effort, so this one talks about the activities with the suppliers in order to implement the standard. The life cycle phases are in the middle section, the big boxes here, Clauses 9, 10, 11, 12, 13, and 14. Sorry, 9 is the concept phase and 10 is the product development phase; as you could see, 10 and 11 cover validation and verification, which is in Clause 10, which is not shown explicitly, and Clauses 12, 13, and 14 are post-development phases, which means that those are the cyber security activities that a designer needs to take into account after the product has been developed. Clause 15 is a companion clause that details the methods for performing the TARA, okay, the threat analysis and risk assessment, which is a very important component within 9.

Okay, I mentioned that Clause 8 is very interesting and important because this is new; we don't have a counterpart in functional safety. This illustrates the activities in this Clause 8. So we're talking about monitoring information in the supply chain through many stakeholders, actually, and the reason that you do monitoring is that eventually you may find out events or you may find out what is called incidents. So it's an escalation of the criticality of that information: simply information may be an event or may be an incident, depending upon the criticality of it. The standard talks about that: if you decide that it is an event, you have to manage it properly, and also if you decide that it is an incident, not only do you have to manage it properly but you have to perform the so-called incident response, which is a very formal procedure. In addition to that, you need to perform again vulnerability analysis and also manage those vulnerabilities; it may require that you go back to the concept phase and perform a TARA. Initially, TARA is done in Clause 9, as you could see here at the beginning. The cyber security monitoring, as I pointed out before, is done throughout the life cycle of the product, meaning that way after the product is manufactured and actually is in the user's hands, you continue performing these activities.

In terms of the regulation, R155, which is one of the portions of WP.29: R155 stands for, or it's about, a so-called cyber security management system, okay, and it is a regulation, as opposed to a standard, by the European Community, but basically any OEM that wants to sell vehicles in Europe has to meet this regulation, okay. So this regulation has many requirements; the bottom line is the requirements for the designer. There are also requirements for the OEM in terms of registering the vehicle and answering a bunch of questions, but strictly for this webinar I'm talking about the technical requirements from the viewpoint of cyber security, okay. There are 17 groups of requirements in three categories: OEM specific, vehicle specific, and also for backend services and holding data, like in the cloud, so this applies to the cloud. So I may mention at this point that R155 is a bit more general than ISO 21434, because 21434 only covers within the vehicle perimeter, whereas 155 covers even outside the vehicle perimeter. In addition to 155 we have 156, which is a companion regulation, that's one way to look at it, that includes requirements specific to address threats related to software updates. At the end of the day, an OEM is the ultimate party responsible for implementing all requirements, with the help of their supply base.

Here is additional information on 155; particularly the stuff that's pointed out in blue is very important in this standard, but this is also true for 21434: they require processes, either creation or utilization of processes, to address and mitigate attacks. So again, I pointed out earlier a couple of times at least that it is expected that OEMs will work with the entire value chain, with suppliers, in order to implement the totality of these regulations, okay. So it is expected that with these regulations the OEMs and the supply chain actually are better able to identify and respond to security risks associated with new emerging vehicle architectures, mobility services, which is one of the new things that are coming out, and also the connected vehicle ecosystem. So it's very future looking, in terms of having these requirements apply not only to the current issues but to emerging issues that may come up in the future. R155 particularly talks about requirements related to backend servers, related to communication channels, not only wired communications but also wireless communications, vehicles regarding the update procedures or regarding unintended human actions facilitating a cyber attack, or their external connectivity and connections, and also taking a look at the enormous amount of vehicle data and code, okay.

So in terms of what's going on recently, there are many new attack vectors that are coming up, and these next three or four slides talk about even the year 2022, so this information is very recent. So we're talking about that there are new attack vectors in these categories. The first category is telematics and application servers, which is really outside the scope of 21434, but it's very important to realize that this is a big attack vector; so this is basically making use of servers and the cloud type of information that's outside the vehicle perimeter. Another one that is fairly new is keyless entry, remote keyless, which means wireless keyless; this is obviously for stealing or getting access to a physical car, and this involves wireless technology, okay. The third group that's important is ECUs, okay. ECUs have been around a long time, and the hackers continue to exploit the ECUs, not only the ECUs traditionally that have to do with the internal workings of the car but even ECUs that have to do with telematics; for instance, there is a telematics control unit, and that's another fact that it's a target for the new attack vectors. Still another area: in general we have a lot of software, as you know, in the cars, and the amount of software will continue to increase, and a big aspect of the software is the so-called APIs, which is the application programming interface; this constitutes a new attack vector that's being exploited today. Mobile applications are on the rise, okay, for various reasons, but they also constitute an attack vector for hackers to get access through those mobile applications to the vehicle and be able to control critical control functions. Infotainment systems have been around for a while, and this continues to be an attack vector that is important for attackers and also for defenders. So these infotainment systems, I think everybody's fairly familiar with, but they constitute a great place for attackers to get into the system initially, and from there they could access the communication networks like the CAN bus or other networks and then access other ECUs and do a lot of damage. A new attack vector that just happened recently is taking advantage of the electric vehicle charging infrastructure; so as you know electric vehicles need to be charged, and when they go to these charging stations they get access to the grid, and through that grid there are many ways that attackers can get into the car itself and access a lot of information or do a lot of damage. Bluetooth has been around for a long time, and the attack vector, I said, with Bluetooth continues to be exploited, because it's happening more and more, particularly with mobile applications. And then we have the over-the-air software update, OTA, that again constitutes a great attack vector. By the way, many of these have several examples that just happened in the last year or the last few years; unfortunately, because of space considerations, we cannot give you information about that, but here we gave you one: in May 2022 hackers discovered a new attack vector in a Chinese OEM which allowed them to conduct unapproved software upgrades to vehicles.

So what are the implications of these new attack vectors? Well, there are many, as you could imagine; this is just a short list of them. First of all, as I pointed out, also smart mobility, even though this produces a great deal of advantages, it also has some issues because they introduce new attack vectors. Also the connectivity of vehicles, we're talking about vehicle to vehicle, vehicle to infrastructure, vehicle to persons; they also constitute a great place for hackers to gain access to the system. And then to realize that automotive cyber security is much more than what's inside the vehicle; it also involves IT cyber security, and these are some of the examples that are correlated to not only automotive cyber security but IT cyber security: for instance, subscription services, third-party mobile apps, charging infrastructure, as I mentioned before, fleet management, mobility as a service, and even new insurance models.

So at this point we have a poll question here. Miles, I think we have a slightly different version of these questions; can you administer this poll question on your end and see the answers there? Yes, the poll's launched. So there's a slightly different version of this same poll question here. Please rank from highest to lowest these particular areas where you see the highest percentage of incidents happens; in other words, do you believe that the highest percentage of incidents is in APIs, for instance, or infotainment? So rank them in a relative order, okay. So the answers came in; let's see. The answers are color coded, highest is blue, lowest is reddish, okay. So A is about 50%, B is highest, C almost similar to A, APIs again high, infotainment came very low, F came kind of in the middle, just like the first one, and Bluetooth came overall equally. Okay, great.

So let me go to the next slide, because the next slide is the result of a recent study made by Upstream Security which shows the actual percentage of these latest incidents. It showed that, as of last year, and this is what's surprising, telematics and application servers was 35%, remote keyless 18%, ECUs, TCUs, and gateways 14%, APIs 12%, infotainment 8%. It's interesting to know that infotainment was much higher in the years prior to that; it's coming down. Mobile apps 6%, EV charging 4%, and Bluetooth 3%. So this is a bit surprising, because in the past few years Bluetooth was higher, and so was ECUs, and what is really surprising here is that EV charging is starting to pick up, and this telematics and application servers, which is basically on the cloud, is becoming much higher, and also the remote keyless entry, that's another area that's a bit surprising. I think the reason for that is that, if you think about it, those are the areas where it's the easiest to perpetrate the attacks. So the landscape is definitely changing, okay.

Another area of change, for instance, is the sheer amount of dollars involved in these attacks. Relatively speaking, automotive in the years 2019 to 2023: $505 billion. As an example, banking is $347 billion and insurance is $305 billion, so automotive is surpassing that of banking and insurance. Also there's an increase in data privacy, that's also very interesting; there is also an increase in the number of thefts and break-ins, and also the financial impact to insurance providers is becoming noticeable.

All right, along with this we have another poll, okay. So Miles, please administer this poll, similar to the one before, but this one is to try to estimate the highest percentage of different types of incidents in these categories, in terms of data privacy, service disruption, vehicle theft, fraud, and stuff like that. All right, here is the partial answer. So vehicle disruption was very low, data privacy was kind of in the middle, vehicle break-ins are a little bit higher than that, the vehicle control systems was the highest, okay; I guess the manipulation of vehicle systems would be the lowest, location tracking kind of in the middle, the violations and other would be the last; that's kind of understandable.

All right, so let me show you again the answers. Again, this study was conducted by the same company, Upstream, and this was a bit surprising to me also: the highest percentage was in data privacy, which is pointing out that there is a new area in automotive cyber security called data security that is extremely important. The next one is service disruption, 23%, vehicle thefts and break-ins 22%, controlling the vehicle, other controls, 13, and then all the others were kind of low, below 3%: fraud, manipulating the car systems, location tracking, policy violation, or others. So the very interesting thing here is about this data breach, data security, which is the next topic.

So data security is different than cyber security. There are many things in common, of course; they're very similar and yet they're distinctly different. The main thing about data security, I would say, has to do with the second point here: it deals with personally identifiable information, the so-called PII, including the collection of this data, the processing of that data, storing that data, or transferring that data, particularly if you do a cross-country transfer. There are many regulations, particularly GDPR in Europe, CCPA in California, and MIIT in China, that focus strictly on data security, and this is an upcoming thing where we see some regulations, but unfortunately we don't have too many standards in the area of data security. So this is an area that is in our recommendation also, to focus on data security.

Also we mentioned that there is a convergence between IT and OT cyber security, operational technology. So strictly speaking automotive cyber security belongs to OT; it's operational technology, it is not information technology. However, they are intertwined; you can no longer talk about automotive cyber security in a silo, you have to talk about IT and OT cyber security, so it involves technologies and a convergence of methodologies of both IT and OT cyber security. I borrowed this diagram, in fact, from the defense sector, where they try to categorize the layers of defense of cyber security in several areas: perimeter security, network security, endpoint security, application security, and data security, as well as talking about the operational aspects and also the management aspects. So this is not directly related to the ISO standard, but you could clearly see that some areas here have a bearing on ISO 21434 and also even on the regulations, not directly but indirectly. So I have put here specific topics or sub-areas in each one of these categories belonging to this framework of cyber security, pertaining to these various layers of protection and also pertaining to the particular techniques of cyber security. For instance, you could see GDPR here, data protection; you have Bluetooth protection, you have secure domains, you have firewalls, you have OBD2 protection, IDS/IPS; on the left you have the meaning of those acronyms in case you don't remember. So the bottom line here is that when you think of automotive cyber security it's no longer strictly automotive; it goes beyond automotive.

In terms of the new CVEs found, this is the listing in the last few years; obviously they're increasing, and as you know CVE means cyber security vulnerabilities and exposures; those are the actual vulnerabilities found by various people, okay. Also in terms of where the vulnerabilities belong in the supply chain: OEM 75, relatively speaking, 32 pertaining to tier one, 130 pertaining to tier two, and then 110 pertaining to the service providers.

I mentioned that automotive cyber security is not just ISO 21434; here is a list of additional standards that have a bearing. These are important standards, and even this list is not comprehensive or totally inclusive; there are probably a few others that have a bearing, but what we're talking about here, in addition to obviously WP.29 and 21434, is 24089, okay, which is related to the software update requirements, and then you have a few other ones, and I'll let Vignesh speak about these standards as well as other considerations. Vignesh?

Yes, thank you, Juan. So I will take you all through a few slides, a few topics on the different standards in automotive cyber security. As Juan has mentioned, he has focused on important standards like ISO 21434, but there are a lot of other standards that, as vehicle manufacturers or as component manufacturers, you might have to focus on. So in the next few minutes we will understand the significance of these standards and how this will impact your product development, okay. So Juan has mentioned R155 and R156. I will broadly divide these different standards into three things. One is we have regulation, which is R155 and R156, which is driving all the standards. So countries have regulations; in this case the UN has a working party, WP.29, and they have this R155 and 156 regulation, which is coming into place for all the vehicles from 2024 July, and this regulation is driving a lot of other standards in the industry. So we have many standards, and then we have some best practices as well, okay. And the two main standards that are related to cyber security and software update: one is ISO 21434, which is directly related to R155, the cyber security management system. So if your organization is focusing on implementing R155 requirements on the cyber security management system, ISO 21434 is directly impacting you. So this standard gives different perspectives on how to do product development, which Juan has already covered in detail. And another important standard which has recently been published is ISO 24089. 24089 has a direct impact and a direct relationship with the R156 regulation, okay; by following this ISO 24089 you can cover most of the aspects of R156. So R156 and ISO 24089 talk about the software update management system, okay. I have one slide to go in detail on that, and there are a few companion standards as well, okay.

Whenever we talk about cyber security in automotive we talk about vulnerabilities and how to handle those vulnerabilities. So these next two standards, ISO 30111 and ISO 29147, talk about the vulnerabilities and how you handle that. So ISO 30111 talks about vulnerability handling: once you have identified a vulnerability for your particular product, how do you handle those vulnerabilities; and we have ISO 29147, which talks about the vulnerability disclosure procedures, okay, and this is impacting vendors: when you receive vulnerabilities and also when you disclose vulnerabilities, how do you handle that. There are a few guidelines as well; I have a quick slide to cover that. And then you all must be familiar with Automotive SPICE; Automotive SPICE has a plugin for cyber security, okay, which is also impacting all the manufacturers; if you are into Automotive SPICE you might have to take a look at this. At Omnex we are working on developing a lot of these standards; we are working with customers and implementing these standards as well. There are a few companion standards which, depending on the product you are developing, might impact you; for example, you have SAE J3101, which talks about hardware-assisted functions and the best practices and the requirements for that; you have SAE J3138, which talks about security for any external test equipment; and finally ISO 15118, specifically part two of it, which talks about, when you have an EV (electric vehicle) and electric vehicle supply equipment, information exchange, so which is the charging infrastructure, what kind of security you need to look at, okay. Juan, we can go to the next slide.

So let us quickly look at the standards which were not discussed in the previous slides. One is ISO 24089, which is called software update engineering. So this particular standard was officially published this year in February, okay, and as I have said, this standard directly has a relationship with R156. So the standard covers mainly how the software update will be handled by organizations; in this case it can be your over-the-air software update, it can be your physical software update. So the standard gives you requirements on how you implement policies and procedures at your organization level and at your project level, and there are a few requirements for your infrastructure-related security handling for software updates; you have the vehicle and vehicle systems level, and there are two topics on the software update package: how do you package information and verify and validate the software update package, and also how do you do software update campaign requirements, okay, how do you prepare that, execute that, and complete that. This is one of the important standards manufacturers are working on complying with, okay. Next slide, please.

And ISO 29147 and 30111 are very closely related to each other, okay. 29147 is mainly for vendors and reporters who report vulnerabilities. So when vendors or reporters report vulnerabilities to manufacturers, there should be a clear communication path; there should be a process established to report these vulnerabilities. So 29147 primarily talks about that, and 30111 is mainly the internal vendor process: once you receive vulnerabilities from your reporters, how do you handle those vulnerabilities, so this could include your triaging of vulnerabilities, your investigation and remediation of the vulnerabilities, okay. So these two standards always go hand in hand. Next slide, please.

All right, and then we have a lot of best practices in the industry. So NHTSA has cyber security best practices for new vehicles; I think this was recently updated last year. And the EU has ENISA, which talks about good practices for security of smart cars; you have supply chain cyber security best practices as well, and Auto-ISAC has a lot of best practices, like incident response practice, how you should handle that, etc. So as manufacturers you might also have to look at these best practices, because a lot of these best practices have a good level of information: they talk about how you do a risk management activity, how to follow a secure design approach, and they also talk about threat analysis, incident response, etc., okay. In addition, these standards are not complete; there are more standards coming for automotive cyber security, specifically for activities like performing an audit. So you have a standard called ISO 5112, which talks about how to audit cyber security systems, and when it comes to project-level evaluation there is an upcoming standard called ISO 5888, which talks about cyber security evaluation, and we also have a few other standards coming for validation of cyber security activities which are not currently explained in detail in the current standards. So this one is called ISO 8477, which talks about cyber security verification and validation, and there are a few standards for maturity model and cyber security assurance level as well. So cyber security standards are continuously evolving; new standards are coming up, so as manufacturers you might have to get involved in implementing these standards and ensuring security of your work products, okay. So I will hand it over to Juan. Juan, please take over.

Okay, yeah, thank you, Vignesh. So moving forward, again, as it was pointed out, there are many requirements, and the responsibility for implementing the cyber security requirements is shared between an OEM and the supply chain, particularly tier one organizations and tier two. So you could think of requirements then as belonging to OEM requirements, tier one requirements, and tier two requirements, which are color coded in this diagram. Some of these are shared, as you could see, but the sharing depends upon the level at which the organizations work. So it's very important to have this effort; so at the end of the day, which is what I mentioned earlier also, a single organization is not expected to implement all of the requirements of all of the standards, all of the regulations; it is a shared effort, which is the good news. However, managing that implementation is not trivial, and we'll talk about that later on. Again, this is another summary, as an example of what standards are applicable to some organizations. Some of them are generic; for instance, 21434 is an umbrella type of standard; you could imagine that they're important for all of them, but not in the same fashion: OEMs look at 21434 differently than tier ones, differently than tier twos. However, there are some standards, for instance J3101, which is strictly applicable for tier two, not for tier ones and OEMs. Again, this is another diagram of what we call the landscape, pretty much what it has been talking
about before putting into a graphics format and I added here in addition to to 27,000 n 800 series that have to do a lot with it cyber security and this go goes along with the fact that I mentioned that Automotive cyber security is no longer strictly Automotive it is Automotive plus it cyber security and this is the reason why you bring other areas or other standards even from the grid from the cloud and from it all right going back to the best practices that we compile for you hopefully now they will come they will be better understood and uh now it’s time to explain a bit more about each one of these best practice so number one it says implement the standards and regulation as a team effort so this was pointed out a few times you have OEM organizations tier one organizations tier two organizations the best practice is that you need to see this as a team effort to work as a team rather than adversarial type of uh uh work so it’s extreme extremely important that you view it as a team effort number two autom c security is just is much more than just ISO 21434 this was explained several ways okay first of all we need it cyber security which is Broad and this involves even the mo smart Mobility sector it also involves regulations in addition to standards and there’s just few examples we’re expecting to have more regulation coming up in the future particularly for data security automotic C Security based on 21434 follows a very specific framework and also process which begins with an ID definition you define the assets then you identify threats and from the threats you identify your goals from the goals you develop design requirements and then you move bong of course from the design requirements to implement and bring in cyber security controls to be able to meet your goals so this design process very specific to Automotive however it follows a different process alog together they do not based on item definition rather they use a established Frameworks so it’s very 
important that you consider the framework so there is a framework for the defense sector for manufact facturing for uh even the Telecommunications industry they they have a different framework but these Frameworks again share some similar methodologies and methods okay but at the end of the day we see two main uh Frameworks one is totally automotive and the other one is it related framework so you need to consider those two Frameworks and and and keep it clear that you’re talking about different Frameworks because you need to implement standards or requirements belonging to these two different type of Frameworks also we showed you that the nature of the recent attack vectors is changing and actually this will show up if you do your item definition very well with 21434 that will show up with the recent attack vectors because the item definition keeps track of the latest vulnerabilities in your product okay but particularly you need to pay attention to the so-called continual vulnerability assessment which is part of clause eight of iso 21434 best practice number five is that the you need to be extremely aware that the solution sescape for automotive service security follows this continual cyber security that we talked about therefore you have to perform event management and inent response and this could be in scope or out of scope the reason for the question mark here is that it depends on your product in general the answer is yes but a particular product may not have all of these items in scope so this is why it’s very important that this item definition or this Tara is done very well and ahead of time because it will guide you through the remaining of the process also you need to leverage a supply chain which is related to a previous one but it is extremely important we have seen working with several customers that some projects did not go well and in analyzing the reason for that is because the supply chain cooperation was not well done from the very beginning 
number seven the testing verification validation just like in functional safety for cyber secur is extremely important and you need to Define this early in the process the problem that we have seen is that companies or pro project have defined this late in the process and this has caused a lot of problems okay particularly because the various players did did not know what they were responsible for doing not only that but there aren’t too many I guess companies or even people who are Extreme Experts in automotive cyber security we have much more experience and many more experts in it cyber security but not so much in automotive cyber security SO waiting for this to do at the end especially with people with enough with not enough experience in automotive then this is a very difficult thing to do so we recommend that you do this early in the process you getting experts in automod to help you out and the last one is the CIA going back to the supply chain again as you know CIA means cyber security defense agreement in fact there is an entire Clause Clause number s of iso 21434 deals with CIA which means that you need to do a comprehensive uh document detail document detailing everything that needs to be uh you know shared between the various players in ACI also the last thing I want to mention is that omnex has a product called ewq am IMS and this this product has several modules and the most significant modules that I like to talk about today is functional safety and cyber security however as you could see here it has modules for aice and iatf as well so this is the portion that deals with the cyber security as you could see here uh we have implemented these modules okay uh in addition to it works together with iitf with aspice and with functional safety and here on the right side you have elements of this particular implementation dealing with the plan requirements and the configuration these are additional uh information about this we have implemented 43 work 
products the standard talks about 45 but the we found out that two work products are not being used by our customers lately we may expand that in the future the the there are also modules for service security audit assessment the service security plan the flowdown requirements flow down Tara and the cyber security case so if you’re interested in this particular product then I encourage you to go to the uh omnex website and look that ewq IMS so in conclusions the industry is moving forward along with the implementation of 21434 r55 and i56 implementations the indust is getting a lot of experience as well as a lot of challenges through these implementations there are new attack vectors and vulnerabilities that are gradually increasing there are the automotive service sec security is no longer a silo but rather needs to be implemented together with information technology which really opens a lot of doors a lot of possibilities for additional work automa security is the responsibility of the entire supply chain the OEM would be the ultimate responsible party however the O is expected to work with tier ones and tier two organizations now working with part Partners have become imperative and it’s extremely important that you identify what should be in a CIA the cyber security interface agreement and developed a good CIA from the very beginning so that you could work smoothly with all your suppliers and the last one is that new standards are emerging the latest standards are in the area of data security Mobility applications and grid cyber security at the end you have additional information of upcoming training from omx related to cyber security and related areas so you may take note of some of this or you could come to the website and also view some of this we have a whole curriculum for cyber security as you could see here we have training on a spice or spice and also in functional safety and this continues also related to functional safety you have core tools like 
dfmea fter analysis and CER analysis we also have a few courses on the agile stive and stive would be pertaining to the U automated vehicles and the standard is 21448 there is also training available on the latest editions of FMEA particularly the so-called AIG BDA version of it again this is the software I mentioned earlier and as you could see here it has a complete set of modules this are the seven levers the main areas that omnex is concentrating as you could see iatf functional safety spice supply chain practices soip cyber security and H apqp and omn services has several categories and we do work in all of these areas so if you need help in assessment audits implementation of Standards uh even help with engineering Gap analysis then you need to go to the omn website and get additional information with that I’d like to close the webinar and we’re open for some questions if there is any miles were able to see some questions posted yeah there is a question posted in the Q&A could you read the question for me please sure it is it says do the automotive oems require compliance or third party certification to ISO 21434 if so how is that communicated yeah no the answer is not ISO 21434 does not require that there is the so-call informal certification than through companies like omnex in other words the entire supply chain organizations they require certification among one another in other words an oem will will require a tier one organization saying you need to implement 21434 you know and they have to do that otherwise they will not they will not get the business so it’s done at that level but it is not a formal process well I think that’s what they’re they’re asking do the oems require that and how do they communicate I think that’s through their CSR is that correct yeah there are several ways that they communicate that one way is through uh just a regular uh uh when they select suppliers they will require that implementation okay okay and we have another question 
that I can answer it says will the slides be available for viewing and yes they will just give us some time to get the recording up and it will be available on our website oh okay that’s it all right well with that then um I’d like to thank everybody for your participation and uh I hope you have benefit from this webinar and good luck on your uh cyber security Endeavors thank you and goodbye thank you