Published by The Lawfare Institute
in Cooperation With
The discussion around cybersecurity risk tends to overlook one key sector—the automobile sector. It’s an industry with some very specific cybersecurity challenges, and recent efforts from Japan reveal a successful way to combat these vulnerabilities.
In Japan, the effort to improve cybersecurity within the automotive sector began in earnest after a cascade of cyberattacks on the sector. First, a series of WannaCry cyberattacks disrupted Nissan’s factory operations in the U.K. in 2017. Cyberattacks on the Japanese automobile sector continued afterward, too. Toyota’s sales subsidiaries fell victim to cyber espionage in 2019, and the personal information of 3.1 million customers may have been leaked as a result. Honda was hit by another cyberattack in June 2020, which resulted in the temporary suspension of the company’s operations in Italy, Japan, North America, Turkey and the U.K. These incidents have been a wakeup call for the industry to realize that cybersecurity is crucial for the sustainable business operations of automakers and their suppliers.
Some observers may think that cybersecurity risks are less serious in the automotive industry than in other sectors. But potential nightmare scenarios of cybersecurity failures in the auto industry include the suspension of day-to-day operations and the theft of intellectual property and customers’ personal information. Cyberattacks on the auto sector not only can degrade the products and services offered to customers but also can threaten customers’ physical safety and undermine their confidence in the security of their data.
Cybersecurity for automobiles is extremely complicated. It depends on three different layers: the automobile itself, the automaker and its suppliers (this includes electric devices and software), and the service providers (such as car dealers and car-sharing services).
Cybersecurity for automobiles themselves depends largely on the security for each part of the vehicle. This includes safety mechanisms for computerized control systems, connected car services and manufacturing systems. Automakers use a large collection of information technology (IT) systems, computers and servers in-house for their day-to-day business operations. These systems also require cybersecurity to secure the components of the vehicle at every stage of production and to write safe computer programs for the automobiles. Also, automotive companies and technological suppliers have to share some of their intellectual property with each other in order to ensure the proper design and production of the automobiles. This means that data security depends on everybody playing their part.
Supply-chain risk management in the automobile industry is also intricate. Automobiles typically consist of 40,000 parts plus a rapidly growing range of software. Because vehicles increasingly come equipped with an internet connection, automakers have had to further expand their supply chain, working with new suppliers including IT vendors and manufacturers for autonomous vehicle sensors and optical sensor cameras. The cybersecurity risks continue down to the dealer level. Car dealers and connected-car service providers handle an enormous amount of customers’ personal information, including names, home addresses, and GPS records, as well as bank account and credit histories.
Currently there are no global cybersecurity common criteria or standards specifically for the automotive industry supply chain. Each automaker has adopted either one of the international security standards, such as ISO/IEC 27001, or country-driven guidelines or regulations such as the Cyber Supply Chain Risk Management by the U.S. National Institute of Standards and Technology (NIST). NIST documents used by various automakers include SP800-161, SP800-171 and SP800-58. Multilateral and bilateral efforts have attempted to harmonize individual initiatives such as cross-certification. In addition, WP.29 of the U.N. Economic Commission for Europe formed a cybersecurity task force, chaired by Japan, and through this task force 54 countries adopted an international cybersecurity regulation in June to address cyberattacks on automobiles. The regulation will become effective in January 2021.
So what’s the best way forward? A working group from Japan has devised some specific recommendations for automotive cybersecurity.
In April 2019, the Japan Automobile Manufacturers Association (JAMA) launched a Cybersecurity Working Group under its Electronic Information Exchange Committee to collaborate on cybersecurity with various stakeholders, including WP.29. The working group and these stakeholders have conducted numerous meetings to discuss cybersecurity guidelines for supply-chain risk management. All of the Japanese automakers belong to the JAMA working group, aiming to improve cybersecurity throughout the industry. A couple of months after JAMA was formed, the Japan Auto Parts Industries Association (JAPIA) also launched a Cybersecurity Working Group. The two working groups started to collaborate to discuss potential guidelines in summer 2019.
The collaborative working group had a goal to create guidelines to share with domestic and international partners, but from the beginning it has had to engage in frank conversations involving competitors openly disclosing each company’s cybersecurity efforts and policy. The members have been meeting two or three times each month. (The coronavirus pandemic has presented another hurdle: Meetings are now conducted online, and the group has had to navigate cybersecurity concerns associated with sharing sensitive documents online.)
The working group took four steps to develop the cybersecurity supply-chain risk management guidelines. First, they consulted the Japanese Ministry of Economy, Trade and Industry’s April 2019 Cyber Physical Security Framework, which covers cybersecurity and supply-chain risk management. The Cyber Physical Security Framework cross-references other countries’ cybersecurity guidelines and regulations for policy harmonization.
Second, the working group members shared excerpts of each company’s cybersecurity policy to compare and understand how each member company addresses the main items in the Cyber Physical Security Framework. Since each company is at a different stage of managing cybersecurity risks and uses different language that reflects the idiosyncrasies of its corporate culture, it took two to three months for the group to compare the different companies’ ongoing efforts with the framework.
Third, JAMA and JAPIA agreed to use only 50 out of 129 basic items from the Cyber Physical Security Framework to set baseline standards that even small and medium-sized businesses (SMBs) should abide by. While the members of JAMA and JAPIA are major automakers and manufacturers, their contractors and subcontractors are often SMBs. Nonetheless, the baseline standards create strong cybersecurity foundations. For example, the minimum standard requires companies to have a cybersecurity policy and designate a person in charge of cybersecurity. Developing the baseline entailed much debate, and it took two months for companies to come to an agreement.
Finally, the collaborative working group took three months to draft the cybersecurity supply-chain risk management guidelines. The first version of the cybersecurity supply-chain risk management guidelines was finally released in May, and an English version will be published later. The document covers automakers and component and technology suppliers. The working group will ask some companies to adopt the guidelines for a three-month trial period and then will solicit their feedback. After the conclusion of the trial period, the document will be reviewed and updated based on members’ input.
Furthermore, JAMA plans to expand the guidelines to include cybersecurity measures for companies with more advanced capabilities and to cover not only automakers and suppliers but also factories and car dealers. The Japanese automobile industry expects that the May guidelines and future versions will contribute to raising its cybersecurity level as a whole. Previously, each automaker was able to enforce its cybersecurity policy only within its own group companies, not with its suppliers. The guidelines allow all the Japanese companies in the automobile supply chain to harmonize their cybersecurity efforts. Their next step is to obtain a cross-certification agreement with other countries.
The effort to establish the guidelines reflects a desire among Japanese automakers and suppliers to contribute to global automobile cybersecurity. Japanese automakers that have a market in the U.S. have joined the U.S. Automotive Information Sharing and Analysis Center (Auto-ISAC) to share Japanese insights into cybersecurity and cyberattacks with their American counterparts. Auto-ISAC was established in 2015 to exchange cybersecurity best practices and cyber threat intelligence, and the members include automakers and IT and telecommunications companies such as AT&T. Some Japanese automakers, such as Honda and Toyota, gave a talk on cybersecurity at the Auto-ISAC 2019 Summit. JAMA also launched Japan’s own Auto-ISAC, J-Auto-ISAC, in 2017 to share Japan-specific cyber threat intelligence among its members.
While Japanese automakers and suppliers have focused on expanding their new supply-chain risk management guidelines domestically, Japan will need to collaborate with other countries for cross-certification, and the industry is keen to share best practices. Germany, the U.K. and the U.S. are also working on their own versions of cybersecurity regulations. The U.S. National Highway Traffic Safety Administration, for example, issued the Cybersecurity Best Practices for Modern Vehicles in 2016. Global standards of automotive sector cybersecurity would only strengthen with greater collaboration between Japan and its allies.
The coronavirus pandemic has cast a dark shadow over the global economy. Cyberattackers are taking advantage of the sudden shift to remote work and people’s interest in the status of the outbreak by sending coronavirus-themed phishing emails and creating fake contact-tracing apps and virtual private networks. While cyber threats are growing, Barracuda Networks reported in May that 40 percent of organizations had cut their cybersecurity budgets as a cost-saving measure. In this unprecedented crisis, cybersecurity collaboration between companies and countries is more crucial than ever to fight borderless cyberattacks.
Cybersecurity presents a common challenge and opportunity for all the companies involved in the automobile industry to ensure innovation and protect customers. There are not many computerized control system suppliers in the world, and car dealers usually work with multiple automakers, so the industry must work together for cybersecurity. National- and international-level discussions to create guidelines are ongoing. Now is the time for bilateral dialogues to share best practices and achieve wins for global safety. Japan is more than ready. Who is next?