Jun 07

Building cybersecurity skills in automotive development: A Guide.

build cybersecurity skills in automotive

Across the automotive value chain, the latest buzz is: The entire organization must relearn cybersecurity as part of its development work. How can this be achieved? New positions are being urgently advertised, recruitment agencies are working at full speed, and external service providers are being called in to do the job. New cross-divisional competence centers for cybersecurity are emerging everywhere. Is that enough? In this blog, we want to provide some tangible inspiration for building up new automotive cybersecurity expertise.

Quality, risk, and engineering managers in the automotive industry know: The pressure to integrate cybersecurity, as well as related cybersecurity management and cybersecurity engineering knowledge into organizations, teams and ongoing (and especially future) development projects is increasing.

No matter if from the level of management systems (e.g. with regard to the CSMS as required by the UN Regulation No 155), from the process perspective or coming from the real development work: automotive cybersecurity know-how is needed, and a lot of it.

In the following, we try to put this general challenge into concrete terms. Here we go.

Competence management in accordance with ISO/SAE 21434 and UN Regulation No. 155

Although it may seem like we are in total firefighting mode, it is important to take a step back for a moment and look at the big picture.

When it comes to automotive cybersecurity education and competence building, we currently observe these three flyways as the most common starting points:

  • Individuals who have a very specific need for knowledge.
  • decision makers, who on their own are driving the development of competencies for (project) teams
  •  responsible cybersecurity managers who strive to build up automotive cybersecurity competence within the organization as a whole.

Looking at the range in which, for example, the ISO/SAE 21434:2021 standard affects almost all structures, procedures, and processes along the entire lifecycle, it becomes clear: In an ideal-typical TARGET state, a varying level of automotive cybersecurity competencies is required.

For each organization, aligned to different roles and functions, the respective needed competencies have to be built up.

Here it is important to increase the own automotive cybersecurity maturity level: Moving away from selective knowledge acquisition to systematic competence development. For this purpose, the application of an automotive cybersecurity competence management framework is indispensable. Taking into account ISO/SAE 21434 and UN Regulation No 155, this requirement can even be derived quite concretely.

Learn more about this in our recently released video learning course Automotive Cybersecurity Competence Management“.

Don’t underestimate: Cybersecurity is an issue of culture

With the advancing awareness of cybersecurity, there is an increasing realization that the proper consideration of cybersecurity is also to be considered a corporate culture topic. What may sound abstract from a technically minded engineering perspective is even explicitly stated in the ISO/SAE 21434 standard: a culture of cybersecurity must be established.

Anyone who has already worked in a wide variety of development projects knows that serious dynamics of their own can arise in teams – especially, in the ever-present area of potential conflict between performance and security.

In addition to the continuous effort to do the right things in terms of subject matter, the most important drivers for establishing cybersecurity are basic attitudes, behavior, and working methods (i.e., characteristics of the corporate culture). Systematically addressing these issues is becoming an indispensable task for cybersecurity managers.

Learn more about this in our video learning course Cybersecurity Culture in the Automotive Industry.

Gain expertise in specific domains, e.g., cybersecurity know-how for software development teams.

Development work in automotive organizations makes it clear that the focus of vehicle development is different today than it was in the past. Nowhere is this more evident than in the area of software development. In the current transformation of the entire industry towards digitalization and IT, on-demand learning opportunities on specific technical topics are becoming absolutely essential.

The CYRES Academy online learning platform is the world’s largest video learning database on automotive cybersecurity. The main idea of the platform is to bring easily consumable knowledge content directly to the specialists. More than 100 learning videos have already been released in the last few months.

Get a first impression, e.g. with our recently completed Cybersecurity implementation video learning courses on these topics:

  • How software quality affects performance and cybersecurity in the automotive industry: in video learning course Software Quality.
  • How to ensure good and reliable code in software development: in video learning course Coding Guidelines, Rules and Standards
  • Automotive development work with AUTOSAR in the context of cybersecurity: in the video learning course AUTOSAR Cybersecurity

In addition to the self-service learning offerings on the platform, we are currently developing further deep-dive training courses with cooperation partners in order to be able to offer more niche learning offerings in the future.

Retraining and fresh starts in automotive cybersecurity? Just get started with low-threshold introductory learning opportunities

In companies, retraining, re-educating, and entering into a new subject area may sound like a major challenge at first. How can something like this succeed in everyday work?

In this context, with a view on automotive cybersecurity, it is important to bear this in mind: When it comes to implementing cybersecurity in automotive development projects, automotive cybersecurity is a largely new domain that increasingly affects almost all aspects of development.

Accordingly, automotive cybersecurity should not be seen as a separate responsibility: Rather, competence development in this area is not only universally reasonable for all positions and roles, but also already easily possible and achievable today.

For example, with the first introductory videos of the above-mentioned learning platform (see also our overview page on chapter 01 Cybersecurity Awareness Online Courses or chapter 02 Automotive Cybersecurity Standards and more) or via participation in the two three-hour (online) live training courses of the first automotive cybersecurity training level ACP Level 1 “Foundation” (see also Automotive Cybersecurity Training).

In addition, the first practice-relevant publications for self-study are finding their way onto bookshelves, such as The Essential Guide to ISO/SAE 21434 (CYRES Consulting, 2021) or (only in German) Automotive Cybersecurity: Security-Bausteine für Automotive Embedded Systeme (Manuel Wurm, 2022).

Importance of automotive cybersecurity certification as a compliance related topic

In addition to the organization-wide issues of audit and certification along the ISO/SAE 21434 (see also our latest blog on ISO PAS 5112:2022), personal certifications are becoming more and more important as proof of automotive cybersecurity competence.

Here, it is important to keep in mind that relevant knowledge is currently only continuing to emerge.

The official publication of ISO/SAE 21434:2021 took place less than a year ago, while ISO 24089 (related to SUMS and UN Regulation No 156) is still pending (as of June 2022).

Although the automotive industry is already demanding the corresponding training courses and even more so the corresponding certification options, they are still very rare.

In the evaluation of advanced education offers, a clear distinction must always be made: The aim is to train and certify specialist knowledge that is specifically tailored to the needs of the automotive industry. Generalist know-how in the area of information security is always helpful, but usually insufficient for automotive development work.

Learning opportunities, certificates of knowledge, and various other awards can, of course, also be found on the subject of cybersecurity. But to what extent do these meet the high quality requirements of the automotive industry? Independent examination bodies that ensure fraud and forgery-proof examinations and certificate issuance processes are indispensable for reliable proof of automotive cybersecurity competence. With hundreds of certificates now issued worldwide, the ACP Framework and its associated Automotive Cybersecurity Professional certificates with TÜV Rheinland Certified Qualification are beginning to gain further acceptance. Please refer to the FAQ section on the related page as well as Certipedia, TÜV Rheinland’s personal certification database, for further information.

Sign up for our CYRES Consulting Automotive Cybersecurity Newsletter

Stay informed! Receive regular insights into current topics related to cybersecurity in the automotive industry directly to your inbox.

Sign up here for the newsletter, free of charge and with no obligations.

X