Our expert for questions
Joachim Mohs
Partner and Global Industrial Manufacturing & Automotive Cyber Security & Privacy Lead at PwC Germany
Tel: +49 40 6378-1838
E-Mail
The automotive industry is in a state of upheaval: both the boom in alternative drive options and the increased connectivity of vehicles are opening up new business models for manufacturing companies and suppliers. Enabled by numerous new digital features and services from manufacturers and third-party providers, the car is evolving from a pure means of transport into a space for living and working.
This transformation has a strong impact on the ecosystem in which vehicles operate. Ensuring and actively managing the security and functionality of this ecosystem safeguards the well being of all users and also enhance the financial performance of automotive companies. For example, a lane-keeping assistant blocked by a denial-of-service attack endangers not only the occupants but also non-digital vehicles, pedestrians or other road users.
Accordingly, expectations are high around the automotive industry’s response to minimising such risks via the use of resilient cyber security management systems (CSMS). PwC's Global Automotive CSMS Survey 2022 looks at how far OEMs and suppliers have come in implementing these systems and what more needs to be done.
Key findings include: In terms of maturity, there is still considerable variance between different CSMS projects. With a view to the average CSMS implementation period of 30 months, the pressure to act is also increasing – companies are not advanced enough in their implementation journey and must act with urgency to address their contractual and legal obligations. Because CSMS will protect the entire value chain of digital ecosystems in the future, significantly influencing operating costs and ensuring compliance, it is fast becoming a business-critical issue for the automotive industry.
However, it is also clear that the CSMS is just one important milestone on the road to successful digital transformation. Companies in the automotive industry need to network their cyber initiatives much more, embedding cyber security at the core of the company’s operations and integrating cyber risk management into the company's risk management. The digital transformation strategy must also lead the way for purely regulatory-driven projects.
“A CSMS is the foundation for the protection of connected vehicles. It not only ensures the safety of vehicle occupants, but also reduces the risk of attacks on the digital ecosystem of the manufacturing companies.”
In order to get a clear picture of the degree of implementation across the industry, we interviewed representatives from different areas of automotive. These included experts from manufacturing and supplying companies, but also proven market experts. There was 100% agreement that cyber attacks on connected vehicles and the entire automotive ecosystem will increase. The Economic Commission for Europe (UNECE) recently reacted to this development with its own regulation (UNECE Regulation No. 155), which stipulates that manufacturing companies must implement a fully functional and audited CSMS in order to monitor and control the cyber security of their vehicle fleet. From as early as July 2022, an audited CSMS must be presented to the national registration authorities in order to register new vehicle types. From July 2024, this will even be mandatory in order to be able to produce new vehicles. Almost all survey participants agreed that this step is necessary to guarantee the security of new vehicles in the long term.
While all representatives of manufacturing companies stated that they had already implemented a CSMS, most respondents were not yet fully operational. However, about two thirds have already had their CSMS design audited by an audit service provider. It is primarily manufacturing companies that are affected by regulations such as UNECE Regulation No. 155, despite them having a limited influence on the safety of individual components, given that 75 per cent subcontract these to third party suppliers via contractual specifications. Consistent with this, just as many suppliers report that they have already received CSMS-specific contractual requirements from their customers. Although the implementation of cyber security management systems results in clear competitive advantages for suppliers, they still lag behind those of manufacturing companies (71%) with an average of 59% having completed the initial phase. Especially in international markets, companies have to struggle with the lack of uniform standards.
It is clear that both OEMs and suppliers must redouble their efforts to increase the maturity and integration of their security management systems in the future. While the security of consumers is fundamental, the entire digital ecosystem around the connected vehicle must also be increasingly protected against attacks in the future. After all, it is these services that will facilitate the development of new business models that will enable manufacturing companies to take a decisive step forward.
In many global markets, manufacturers are threatened with a ban on the registration of new vehicle types if they cannot demonstrate an adequate CSMS.
Resilient cyber security requires in-depth expertise - but this is currently known to be scarce. According to the survey, the lack of specialists for the implementation of cyber security management systems is currently the biggest hurdle for manufacturing and supplying companies. There was also a large consensus with regard to deadlines: almost all respondents shared the view that time pressure is a major difficulty in CSMS implementation.
In the course of the study, we asked which persons or departments in the companies are actively involved in CSMS projects. OEMs were found to have a higher level of involvement across all divisions. This indicates that suppliers still have a rather selective view of the systems and only consider them for services or products they offer to manufacturing companies. For OEMs, on the other hand, the CSMS has become more a part of their internal governance structures.
For 96 % of respondents, software is the key to the development of cyber security management systems, impacting heavily on performance criteria such as user-friendliness, safety and ease of maintenance. Both the modularity and scalability of the software architectures used and overall computer capacity within the vehicle are fundamental prerequisites for enabling the production and operation of vehicles in a cost-effective manner, even in the long term.
Most of the companies surveyed said that they rely on external partnerships to accelerate their progress on the CSMS. Again, there are differences between manufacturing and supplier companies: Nearly four-fifths of OEMs receive support from a project management office (PMO), compared to only two-fifths of supplier companies. Support for software development is also higher among OEMs (67%) than among suppliers (38%).
Given the lengthy implementation of CSMS projects, manufacturing and supply chain companies need to react now in order to be prepared for upcoming directives. This requires the examination of legal requirements and a firm grasp of their contractual implications.
Regulatory-driven projects should always follow the business transformation strategy. Only companies that consider regulatory requirements holistically and combine them with a genuine business motivation will master the race of digital transformation.
Due to the high cost and time pressure, companies should use the structures of existing management systems for the design and implementation of their CSMS. Complexity can be significantly reduced with standardised tools and processes.
For early identification of risks, the maturity level of the CSMS must be constantly evaluated and made transparent to relevant stakeholders, including management level and important business partners for their input in the development process.
To validate that the system is effective and resource-efficient in operation, companies should conduct extensive trial runs after developing a CSMS.
Manufacturing companies must set clear requirements for the software architecture and embed it within their own value chain to ensure the secure integration of OEM and supplier software.
“Automotive manufacturers are becoming software producers and providers of networked end devices alongside machine manufacturers. A high level of cyber security maturity therefore creates clear competitive advantages.”
PwC's Global Automotive Cyber Security Management System Survey 2022 interviewed representatives from automotive manufacturers, suppliers and market experts, most of whom are involved in product security, research and development, quality assurance and information security. Interviews of 60 minutes duration were conducted in March and April 2022 using a web-based questionnaire. 39% of the respondents work for manufacturers, 35% for suppliers, 26% are market experts. Most of the participants come from management level (78%), 13% are experts or employees (9%). The participants are based in 11 countries: Austria, Czech Republic, Finland, France, Germany, Italy, Japan, South Korea, Sweden, the United Kingdom and the USA. All results are anonymised and rounded for graphs.