Eminoglu, E. (2020). Creation of an overall cybersecurity management policy in automotive industry to reduce the potential project risks [Master Thesis, Slowakische Technische Universität Bratislava; Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2020.71264
The importance of cybersecurity is unknown to many people working in the automotive industry. Furthermore, future trends like connected cars, driving assistance systems, autonomous driving, e-mobility, etc. will require more cybersecurity. If companies do not define how to deal with the cybersecurity risks in a project with a systematic approach, they can even go into bankruptcy. Although a company-specific, project- and location-independent overall cybersecurity policy is the initial step to start with, there is no state-of-the-art guideline or standard available that explains how to create such an overall cybersecurity policy to reduce potential cybersecurity risks. Although the state-of-the-art norm ISO/SAE 21434 is expected to be released at the end of 2020, it is neither a handbook nor a checklist that explains the steps to be followed. Hence, the objective of this thesis is to create an overall cybersecurity policy that can be used as guidance by other (automotive) companies to reduce potential project cybersecurity risks. The thesis will not only help more people, specifically the executive management, to understand the importance of cybersecurity, but will also solve a significant problem in the automotive industry, namely how to deal with cybersecurity risks in a systematic approach, specifically in projects/products. Such an approach is required for ISO/SAE 21434 compliance, hence product liability. Throughout the thesis, after explaining the importance of and challenges about cybersecurity, the research focus, problem definition, research questions, aim of the thesis, and the research approach and methodology are elaborated. Afterwards, the project-related cybersecurity risks, the theoretical framework and background information are provided. Subsequently, the necessity of an overall cybersecurity policy is proven by means of a quantitative survey and a qualitative break-out session at a conference.
In total, the opinions of hundreds of people from the automotive industry were taken into account. Furthermore, the experience of a well-known consulting company, which conducted a self-assessment regarding cybersecurity, reveals the criticality of an overall cybersecurity policy. The assessment indicates the low level of time required to complete such implementations and the high benefits the overall cybersecurity policy can provide in project risk reduction. Therefore, by applying this overall cybersecurity policy (or its adapted version), companies can reduce cybersecurity risks, and the policy could be implemented very quickly (i.e. mostly in less than 3 months). Finally, the overall cybersecurity management policy was validated by means of Magna Powertrain expert reviews.