In partnership with NQC, a global leader in cyberthreat detection, AIAG has launched a new Supply Safe™: Cyber Initiative in support of industry efforts to protect shared data throughout the supply chain.
Over the last five years, Morrison has spearheaded the implementation of NQC’s cyber risk-related solutions to enable organizations to understand potential information security risks within their supply chain. He is a strong advocate of the need for good cyber hygiene and educating supply chains to understand what “good” looks like.
In this interview, Morrison shares details on the new AIAG cyber initiative and explains how members can assess their cybersecurity quickly and easily with the new tools.
Q: What prompted the need for the AIAG Cybersecurity program? What is the story behind it, and what has been your role in it?
Morrison: The AIAG Cybersecurity Program was developed from the work undertaken over the last few years between AIAG and key OEMs and Tier 1 automotive suppliers. The group recognized cybersecurity risk within the automotive supply chain as a growing area of concern as supply chains are becoming more complex, and due to new innovations like electrification, new entrants are joining the market that haven’t traditionally been in the industry.
As sensitive commercial and confidential information has to be shared with suppliers to support the development of new vehicles, it is clear that not all suppliers have the same handle on how they manage data in their organization, making them susceptible to phishing attacks or hackers. The larger global organizations may have the budget to invest in teams of staff to address such issues, but for smaller organizations, this isn’t always possible, so there is a clear lack of knowledge and expertise that needs to be addressed.
After AIAG — in partnership with OEMs and Tier 1s — created the CS-1 Guideline, which includes requirements on cyber-related controls that they would expect suppliers to have implemented to be “cyber safe,” it was recognized that to enable suppliers to assess themselves against the Guideline and identify any cyber risk, a set of complementary products needed to be developed. NQC and AIAG worked together to develop the Cyber Risk Assessment and the Cyber Virtual Audit to support suppliers’ understanding of where their cyber controls were lacking and to help address any areas of weakness.
NQC has turned the paper-based CS-1 Guideline into an interactive online assessment where suppliers receive a corrective action plan after they complete an assessment. Suppliers can also access a virtual audit that undertakes an external vulnerability scan of a supplier’s external facing systems to check that they are secure.
Q: What are some of the unique and valuable characteristics of the program? What can it do for AIAG members?
Morrison: The program allows AIAG members to assess their cyber capabilities against the CS-1 Guideline to understand where they fall short. The Cyber Risk Assessment is an online assessment that doesn’t need the involvement of external consultants to be completed and can be accessed easily via a web browser. The assessment provides immediate feedback through a set of suggested corrective actions based on the answers provided so that a member can start to prioritize their next steps to improving their cybersecurity.
The Cyber Virtual Audit provides a security check of a member’s external-facing systems through a remote vulnerability scan. It simulates what a hacker would be looking for and then reports any found weaknesses back to the AIAG member so they can take action to address the potential vulnerability. It also provides a double check that the expected technical controls are actually in place and doing their job correctly.
Used together, the Risk Assessment and Virtual Audit can provide an AIAG member with a comprehensive view of the effectiveness of their current cyber controls and where they could be open to a potential cyberattack.
Q: How aware are automotive companies of the cybersecurity challenges and threats that face them? What are some of the misperceptions?
Morrison: Individually, I think we are all aware of the cyber risks relating to phishing emails and malware on our laptops, phones, etc., as high-profile data hacking cases are in the news on a daily basis. However, applying the same caution within an organizational context is a little different, and many organizations do struggle to address the basics in the corporate environment.
Organizations need to focus on technical controls as well as the people aspects, as phishing attempts often target individuals with rogue emails, or data is lost because someone stored it incorrectly. The combination of sound technology, structured process, and educated staff limits an organization’s exposure to potential cyberthreats.
The common view is that “it won’t happen to me” and that “a hacker wouldn’t be interested in my data,” but this is a real misconception. A loss of data can cause huge damage to an organization’s reputation and have a significant financial impact. It shouldn’t be underestimated.
Q: What is your advice to AIAG member companies and how they should use the new Cybersecurity program to their best advantage?
Morrison: Take cybercrime seriously! Members need to understand where they have potential vulnerabilities by completing the Cyber Risk Assessment and the Virtual Audit. This will give them a good overview of where to focus their time and resources to minimize the potential of a successful cyberattack.
However, once is not enough. Organizations need to be constantly re-checking their status as cyber criminals are finding new ways each day to achieve a successful attack. As technology evolves and new people come into an organization, businesses need to be checking and re-checking the controls they have in place to protect their sensitive data.
AIAG members should take advantage of the free tools offered by AIAG that have been developed by a community of professionals to support their ongoing program of cyber awareness and protection.