Cars as victims of cyber attacks

Transparency: Editorially created and reviewed.

Cybercriminals target both individual vehicles and companies.

According to the "Automotive Industry Situation Report" from the German Federal Office for Information Security (BSI), ransomware attacks are currently the biggest operational threat to cyber security. The automotive industry is therefore increasingly demanding TISAX information security assessments from its suppliers; these assessments are divided into three protection classes (levels). Many of the approximately 900 Austrian automotive suppliers are also affected by this. CIS – Certification & Information Security Services GmbH is responding to this and now offers Level 2 assessments in addition to Level 3. CIS is an Austrian service company in the field of certification of management systems and the certification of people.

Christoph Schuh-Wendl, TISAX manager and network partner, CIS - Certification & Information Security Services GmbH

"The automotive industry is particularly closely interlinked due to the complex supplier pyramid - the risk of a chain reaction in the event of a cyber attack is correspondingly high," explains Christoph Schuh-Wendl, TISAX manager and network partner of the CIS. Since the outbreak of the Russia-Ukraine conflict, sensitivity to this has increased further. In fact, it is not possible for development suppliers in the industry to submit offers if they do not have the required certificates and labels. While certifications according to IATF 16949 (quality), ISO 14001 (environment) or ISO 45001 (occupational safety) have long been standard requirements in the automotive industry, TISAX assessments have also been increasingly required recently. TISAX (Trusted Information Security Assessment Exchange) is an industry-specific exchange mechanism in the field of information security. "All companies must initially register on the automobile manufacturers' so-called ENX platform and then undergo an assessment. Once the test results are available, the test labels issued can then be viewed by all existing and potentially new business partners on the platform, provided this information is shared with them," explains Schuh-Wendl. At the beginning, the automotive companies only demanded TISAX from their direct suppliers (Tier 1), but now the trend is also affecting the downstream supply chain (Tier 2).

If companies are involved in vehicle development in any way, Level 2 assessments are usually required - from software developers to design offices or even waste disposal companies. "Every carelessly thrown away piece of paper can become a security risk. The test catalog focuses particularly on the areas of confidentiality (industrial espionage), availability, cybersecurity as well as the integrity and awareness of employees and suppliers," emphasizes Schuh-Wendl. Klaus Veselko, Managing Director of CIS - Certification & Information Security Services GmbH, is convinced that security requirements will increase in the future: "Due to the transformation towards e-mobility, digitalization in the automotive industry will progress rapidly - this will subsequently also increase the security requirements for developers."