Automotive

Cybersecurity
Incident Response
Pocket Guide
Version 1.0
Preface

The automotive industry is facing new challenges due to innovative information and communication technologies and the increasing connectivity of vehicles. The security of vehicles and their protection against cyber attacks is crucial for the acceptance of these technologies and for customer safety. In addition to the cybersecurity-aware development of these connected systems, the automotive industry must ensure a fast and effective response to cyber attacks in case of emergency. Therefore, a properly implemented process for an Automotive Cybersecurity Incident Response across the entire supply chain is required.

This pocket guide describes the necessary steps to build up such a process for an Automotive Cybersecurity Incident Response (Automotive CSIR). It provides checklists for its implementation and questions for an assessment of the Automotive CSIR readiness of a company. We hope that this guide helps managers as well as security experts to improve their Automotive CSIR capabilities. Any feedback to improve this pocket guide is welcome.
Content

The Automotive CSIR Process 5
Recommendations 37
Evaluation of the Automotive CSIR Capability 85

The Automotive CSIR Process

Definitions, Organisational & Processual Basics 6
The Automotive CSIR Team 9
Detect & Register 15
Assess & Classify 20
Decide & Response 24
Learn & Optimize 28
Summary of the Automotive CSIR Process 32
Automotive CSIR across the Supply Chain 33
Definitions

Automotive Cybersecurity Incident Response (Automotive CSIR): is an application of the CSIR to automotive products and services, i.e. it applies to products installed in or connected with road vehicles and to services used by vehicle users (drivers, passengers, vehicle owners or fleet owners). The transition from the IT that is a product or service for road vehicles to the enterprise IT is usually fluid. Each company must define the demarcation between Automotive CSIR and Enterprise CSIR appropriate to its organisation. Therefore, the concrete definition of an automotive cybersecurity incident, and thus of Automotive CSIR, may differ among companies. The goal of Automotive CSIR is the fast and effective response to automotive cybersecurity incidents.

Automotive Cybersecurity Incident: is a single or a series of unwanted or unexpected automotive cybersecurity events that have a significant probability of compromising road vehicles, related systems and services and of threatening automotive cybersecurity. For the sake of brevity, the term cybersecurity incident is used in this guide to denote an automotive cybersecurity incident.

Automotive Cybersecurity Event: is an identified occurrence of a system, service or network state indicating a possible breach of automotive cybersecurity policy or failure of controls, or a previously unknown situation that may be relevant to automotive cybersecurity. It might turn out that an automotive cybersecurity event is a cybersecurity incident. For the sake of brevity, the term cybersecurity event is used in this guide to denote an automotive cybersecurity event.

Vulnerability: is a weakness of an asset or control that can be exploited by one or more threats.

Threat: is a potential cause of an unwanted cybersecurity incident, which may result in harm to road users.
The Core Activities of Automotive CSIR

The Automotive CSIR process consists of the following core activities, which each cybersecurity incident runs through:

Detect & Register: First, a company must detect and register the cybersecurity incident. For this purpose, discovered cybersecurity events, reported vulnerabilities and newly identified threats are registered and forwarded to the responsible cybersecurity unit in the company.

Assess & Classify: After registration, a company must assess and classify the cybersecurity incident. The assessment consists of a technical and a business impact analysis. After this phase, the cybersecurity incident is technically well understood and all information for a suitable response is available.

Decide & Response: Next, a company must decide which countermeasures to carry out and how to respond to the cybersecurity incident. Although a response can only be sustainable if the assessment of the cybersecurity incident is completed, some countermeasures should be initiated immediately, especially in case of emergency.

Learn & Optimize: Finally, a company should learn lessons from the cybersecurity incident and optimize its Automotive CSIR process. This phase of the process might trigger a sustainable product or service optimization, too.

In some organizations, parts of these activities might be covered by a vulnerability management process, which should be linked to the Automotive CSIR process.
Plan & Prepare

A company must plan and prepare the Automotive CSIR process.

According to the German Federal Office for Information Security (BSI) this includes (IT-Grundschutz-Kataloge, 2016):

• Establishing a method for dealing with cybersecurity incidents
• Determining responsibilities in case of cybersecurity incidents
• Determining reporting channels for cybersecurity incidents
• Determining an escalation strategy for cybersecurity incidents
• Determining priorities for the treatment of cybersecurity incidents
• Defining guidelines for the treatment of cybersecurity incidents
• Defining cybersecurity incidents

A comprehensive guide on how to plan and prepare Automotive CSIR can be found from page NN.
The Automotive CSIR Team
(1/4)

It is recommended that a company of the automotive industry which offers cybersecurity-relevant products, services or networks should have an Automotive Cybersecurity Incident Response Team (Automotive CSIR Team).

This CSIR Team is responsible for the entire Automotive CSIR process and is the central unit for assessing and responding to cybersecurity incidents in the company.

Depending on the company's size and organization, the Automotive CSIR Team can be a single person, who might involve experts from other units for each notified cybersecurity incident, a fixed cross-functional team having all required expertise, or something in between, i.e., a core CSIR Team extended by further experts for some cybersecurity incident types.
The Automotive CSIR Team
(2/4)

The Automotive CSIR Team should possess or should have access to the required know-how for a solid assessment of and response to automotive cybersecurity incidents. This includes technical skills like:

• technical analysis of cybersecurity incidents
• assessing the technical impact of cybersecurity incidents
• finding vulnerabilities and software bugs
• closing vulnerabilities and fixing bugs

as well as organisational-legal expertise and knowledge like:

• assessing cybersecurity incidents regarding data protection acts, liability laws, financial and organisational aspects
• initiating non-technical measures like communication with authorities, customers and the public
The Automotive CSIR Team
(3/4)

For example, the following persons might join the Automotive CSIR team of an OEM:

Technical:
• System architect
• Component manager
• IT project manager / product owner
• Application officer

Organizational-legal:
• Member of the committee for product safety
• Data protection officer
• Member of the legal department
• Member of the HR department
• Member of the PR department
The Automotive CSIR Team
(4/4)

The majority of the detected cybersecurity events, cybersecurity incidents, discovered vulnerabilities and threats might not be reported directly to the Automotive CSIR Team. Instead, many of those issues might be reported to a support organisation, which forwards them to the CSIR Team in case of suspicion of a cybersecurity incident.

It is the CSIR Team that finishes the detect & register process by determining the occurrence of a cybersecurity incident. The CSIR Team might be extended by further experts during the processing of the cybersecurity incident, according to the type and criticality of the cybersecurity incident.
Figure: Notified cybersecurity events, cybersecurity incidents, vulnerabilities and threats enter the core activities (detect & register, assess & classify, decide & response, learn & optimize), which are carried out by the technical and organisational-legal parts of the CSIR team and, where needed, by an extended CSIR team on both sides.
Process Reference Model & Process Performance Indicators for Automotive CSIR

In the following, the core activities are described in more detail. For each process, there is an overview of the activity followed by a formal description according to SPICE (ISO/IEC 33020:2015):

Process reference model
• Process ID, process name, process purpose, process outcomes: The individual processes are described in terms of process name, process purpose and process outcomes to define the process reference model. Additionally, a process identifier is provided.

Process performance indicators
• Base practices: A set of base practices for the process providing a definition of the tasks and activities needed to accomplish the process purpose and fulfill the process outcomes.
• Output work products: A number of output work products associated with each process.

While the process reference model defines the process and is essential, the process performance indicators are not obligatory and should be considered only as recommendations for the process implementation.
Detect & Register
(1/5)

The Automotive CSIR process starts with the detection and registration of cybersecurity events, cybersecurity incidents, vulnerabilities and threats.

This process includes:

Monitor systems and services: A cybersecurity event or incident targeting vehicles, vehicle-related software or a digital service is monitored and detected. This can be done e.g. by an intrusion detection system of the vehicle or server.

Monitor public information pools: A report of a vulnerability or threat is monitored and evaluated. Sources can be e.g. cybersecurity conferences or the darknet.

Accept and register incident: A cybersecurity event, cybersecurity incident, vulnerability or threat can be reported by external and internal sources, e.g. customers, suppliers, authorities or dealers.

Assign and forward incident report: A notified cybersecurity event, cybersecurity incident, vulnerability or threat is registered and forwarded to the internal unit(s) responsible for automotive security incidents.
Detect & Register
(2/5)

Process ID: CSIR.1

Process name: Detect and Register

Process purpose: Cybersecurity incident detection and registration aims to support the detection of cybersecurity incidents, cybersecurity events, vulnerabilities and threats. It provides means to receive, register, accept and forward cybersecurity incident reports from external and internal parties (support infrastructure).

Results of successful implementation of this process are as follows:
1 Information related to cybersecurity incidents is collected systematically.
2 Reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats are registered and documented.
3 Reports of cybersecurity events, cybersecurity incidents, vulnerabilities or threats are classified so that responsibility is exposed.
4 Reports of cybersecurity events, cybersecurity incidents, vulnerabilities or threats are assigned for further processing.
Detect & Register
(3/5)

Base practices

CSIR.1.BP1 Monitor systems and services: Check for cybersecurity events in systems and products. This activity aims for a systematic analysis of IT and product-related data that may show intrusion attempts, anomalies in usage, and suspicious network traffic. It is best supported with tools that allow collecting, centralizing, aggregating, and visualizing system monitoring data (such as SIEM tools) both in the field and in the IT infrastructure. [OUTCOME 1]

CSIR.1.BP2 Monitor public information pools: Check for cybersecurity-related reports in public information pools, the press and other media. This activity consists of a systematic and periodic analysis of publicly available information on emerging threats, new vulnerabilities, and new attack capabilities that are related to the organization's services and products. This may be complemented by dedicated threat intelligence services and tools which actively push this kind of information into the organization. [OUTCOME 1]

CSIR.1.BP3 Accept and register incidents: Accept and register cybersecurity events, cybersecurity incidents, vulnerabilities and threats. This activity requires the availability of dedicated contact points that are known publicly and inside the organization. The contact points shall be available 24/7 and allow for initial registration of reports related to cybersecurity events, cybersecurity incidents, vulnerabilities and threats. The registration process shall be able to document all incident- or event-related information as well as information on the reporter (such as their name, phone number, etc.). [OUTCOME 2]

CSIR.1.BP4 Assign and forward incident reports: Assign reports on cybersecurity events, cybersecurity incidents, vulnerabilities and threats to internal entities that can further validate, assess and, if required, respond to the reported cybersecurity incident. [OUTCOME 3, 4]
Detect & Register
(4/5)

Output work products

Cybersecurity incident reports: A cybersecurity incident report is the documentation of a disclosed cybersecurity incident. It contains information on the reporter (such as their name, contact details, etc.), the time (of registration and of observation), the reporter's observations of origin, effects and status, and any other information that is initially available. [OUTCOME 1, 2, 3, 4]
Detect & Register
(5/5)

Figure: Example of a support organization and an information work flow for detecting and registering automotive cybersecurity incidents at an OEM (external reporters were set in italics in the original figure).

First level support: Dealer, Customer, Helpdesk, Field observer (sales), IT operation, Importer, Competitor, Supplier, Service Provider, Bug bounty operator, White hat hacker, Public relations, Press/media, Legal department, Authorities

Second level support: Component manager

Third level support: Automotive CSIR team
Assess & Classify
(1/4)

The Automotive CSIR team must assess the notified or discovered automotive cybersecurity incident, both technically and organisational-legally. It must find and understand the cause of the cybersecurity incident and analyse the impact.

This process includes:

Analyse incident technically: The cybersecurity incident is technically analysed and assessed. The cybersecurity incident is well understood and the underlying vulnerabilities are discovered.

Analyse risk: The business, safety, legal and operational impacts of the cybersecurity incident are estimated and classified. Their risks for safety, data protection and functionality of the vehicles are assessed.

Inform internal stakeholders: Internal stakeholders are appropriately informed about the automotive cybersecurity incident.
Assess & Classify
(2/4)

Process ID: CSIR.2

Process name: Assess & Classify

Process purpose: Cybersecurity incident assessment & classification aims to validate cybersecurity incident reports, to assess cybersecurity incidents, and to identify the technical and organizational causes and impacts of cybersecurity incidents. This includes identification of vulnerabilities, assessment of the technical impacts and of the business, safety, legal and operational risks.

Results of successful implementation of this process are as follows:
1 The content of each cybersecurity incident report is validated.
2 The technical cause and impact of cybersecurity incidents are well understood.
3 The business, safety, legal and operational risks of cybersecurity incidents are well understood.
4 Internal stakeholders are informed.
Assess & Classify
(3/4)

Base practices

CSIR.2.BP1 Analyze incidents technically: This activity aims to analyze and assess the technical cause and impact of incidents. Each cybersecurity incident report is initially validated and assessed on whether the report contains information on a critical cybersecurity incident or whether the reported cybersecurity events require further investigation. If so, a full technical assessment of the incident is carried out. This includes a technical impact and a root cause analysis as well as the identification of which products or services are affected. [OUTCOME 1, 2]

CSIR.2.BP2 Analyze risks: Analyze and assess the business, safety, legal and operational impacts and risks of the incidents. Business, safety, legal and operational risk assessment and management units should be involved. [OUTCOME 3]

CSIR.2.BP3 Inform internal stakeholders: Distribute cybersecurity incident-related information to affected internal parties and stakeholders. [OUTCOME 4]
Assess & Classify
(4/4)

Output work products

1 Cybersecurity incident records: A cybersecurity incident record is a record of all the details of a cybersecurity incident that documents the status of the incident response. It contains life cycle information starting with the initial detection and concluding with the resolution and closure of the cybersecurity incident. It may reference additional records related to the cybersecurity incident, such as cybersecurity incident reports, vulnerability records, forensic analysis, countermeasure documentation, etc. [OUTCOME 1]

2 Cybersecurity incident prioritization list: This is a sorted list of cybersecurity incident records that organizes the order and schedule of assessment and response. [OUTCOME 1]

3 Assessment results: This is the documentation of the cybersecurity incident assessment. It contains the results of the technical impact and risk analyses, information regarding causes and origin of the incident, as well as the business, safety, legal and operational impacts and risks of the incident. [OUTCOME 2, 3]

4 Internal cybersecurity incident notifications: This is a document about the cybersecurity incident and its importance for the organization that is appropriate for internal communication within the organization. Note: Depending on the target group, such a document may vary widely in its information content and its level of confidentiality. [OUTCOME 4]
Decide & Response
(1/4)

The Automotive CSIR team must decide which countermeasures should be carried out and how to respond to the automotive cybersecurity incident. The countermeasures can be technical as well as organisational-legal.

This process includes:

Carry out immediate countermeasures: Immediate countermeasures are carried out in case of an emergency. Even if the cybersecurity incident might not be completely analysed, some cybersecurity incidents might require an instant response.

Carry out sustained countermeasures: Sustained countermeasures are carried out, controlled and verified. The successful implementation of these countermeasures is required to finish this process.

Inform external stakeholders: Customers, authorities and other stakeholders are properly informed and given instructions.

Preserve evidence: Evidence of origins, causes and effects of the automotive cybersecurity incident is preserved for further forensic investigations.
Decide & Response
(2/4)

Process ID: CSIR.3

Process name: Decide & Respond

Process purpose: Cybersecurity incident decision & response aims to ensure the confidentiality, integrity and availability of an organization's cyber-services and products by responding to cybersecurity incidents (including attacks and intrusions as well as other kinds of cybersecurity policy violations) to minimize the damage incurred by cybersecurity breaches.

Results of successful implementation of this process include the following:
1 Immediate actions are executed as required.
2 Countermeasures are specified and agreed upon.
3 Countermeasures are executed and monitored.
4 Incidents are resolved.
5 Proofs and evidence on origin, effects and course of a cybersecurity incident are documented and archived.
6 Users and stakeholders are informed as necessary.
Decide & Response
(3/4)

Base practices

CSIR.3.BP1 Carry out immediate countermeasures: If required, this activity executes immediate actions that are required to prevent and contain damage and preserve evidence in case of a critical or rapidly evolving threat. [OUTCOME 1]

CSIR.3.BP2 Carry out sustained countermeasures: The aim of this activity is to define, decide, execute and monitor sustained countermeasures. This may include technical actions, such as software updates, new or changed cybersecurity configurations (such as firewall settings), application of custom configurations, creation of new accounts, and application of access controls. Since these measures are intended to restore products and systems to an operational, safe and secure state, appropriate testing and assurance of the product's and system's integrity and stability must be performed before rollout. Moreover, the countermeasures' effectiveness with respect to the identified threats must be assessed and validated after rollout. [OUTCOME 2, 3, 4]

CSIR.3.BP3 Preserve evidence: Collect, preserve and archive forensic evidence that may be required to reject legal claims. [OUTCOME 5]

CSIR.3.BP4 Inform external stakeholders: If required, users and other stakeholders are informed of the product or service failures as soon as possible. This process may involve distributing other information of importance to stakeholders, such as cybersecurity alerts. Effective customer service, including regular communication, ensures that external stakeholders are kept informed on the mitigation and recovery process. [OUTCOME 6]
Decide & Response
(4/4)

Output work products

1 Countermeasure documentation and status: All implemented countermeasures are documented, including their rationales and decision and execution status. [OUTCOME 1, 2, 3, 4]

2 Forensic evidence records: These data records store references to forensic artifacts, such as software images, memory dumps, log data, etc. Note: Storage of forensic data must satisfy specific requirements with respect to confidentiality, integrity and long-term safekeeping. [OUTCOME 5]

3 External cybersecurity incident notifications: These are documents used to distribute information about the cybersecurity incidents and their importance to external stakeholders. Note: Depending on the target group, such documents may vary widely in their information content and confidentiality. [OUTCOME 6]
Learn & Optimize
(1/4)

After the automotive cybersecurity incident is resolved, the Automotive CSIR team should carry out a retrospective to capture the lessons learned and to optimize the CSIR process or trigger product improvements regarding cybersecurity.

This process includes:

Improve cybersecurity policies: Experiences from the incident resolution are used to fine-tune the existing cybersecurity policy.

Improve product security: Findings from the incident resolution are used to optimize new products regarding cybersecurity.
Learn & Optimize
(2/4)

Process ID: CSIR.4

Process name: Learn & Optimize

Process purpose: The learn & optimize sub-process aims to identify potential improvements to processes and products in the aftermath of the cybersecurity incident handling process. The incident handling process is to be completed and closed by reviewing what initially occurred, what measures were implemented during detection and response, and how well the overall intervention worked. Learn & Optimize should be carried out after any major cybersecurity incident and periodically to cover lesser incidents.

Results of successful implementation of this process are as follows:
1 Process and policy improvements to the organization's cybersecurity policies, the cybersecurity incident response process, or related partner processes are identified and elaborated. Measures are specified and agreed upon.
2 Improvements to the affected products or systems are identified and elaborated.
3 Threat and vulnerability information is adapted according to new knowledge obtained by the cybersecurity incident handling process.
Learn & Optimize
(3/4)

Base practices

CSIR.4.BP1 Improve cybersecurity policies and processes: Evaluate cybersecurity incidents and the cybersecurity incident handling process with respect to policy and process changes, and identify concrete measures and procedures that require improvements to increase the efficiency and timeliness of the cybersecurity incident response process. This must include the identification of gaps in the qualifications or knowledge of personnel that could be remedied with training and education. [OUTCOME 1]

CSIR.4.BP2 Identify product improvements: Identify concrete improvements that will help to make the affected systems more resilient against similar future cybersecurity incidents. This must include ensuring that development units and partners are sufficiently informed about vulnerabilities and that similar vulnerabilities in software variants and versions are addressed. This should include the identification of trends and patterns in threats and vulnerabilities and the development of means to address them, and may include participation in a community to exchange information on vulnerabilities, threats and incidents. [OUTCOME 2, 3]
Learn & Optimize
(4/4)

Output work products

1 Cybersecurity policy: A cybersecurity policy is a definition of rules and regulations that allows the secure operation of systems, products and processes. [OUTCOME 1]

2 Process improvement reports: A process improvement report includes a summary of instances in which the process has not performed as expected, suggestions for improvements to address the issues identified by the team to move towards a better process, and the action items that are chosen to prevent the recurrence of such instances. [OUTCOME 1]

3 Product improvement reports: A product improvement report includes a summary of flaws, weaknesses, vulnerabilities and other cybersecurity-relevant findings in the organization's products, suggestions for product improvements, and the concrete action items chosen to address these findings. [OUTCOME 2]

4 Cybersecurity bulletins (i.e. updated vulnerability and threat information): Cybersecurity bulletins include information for users, developers and partners to support and facilitate secure operation of the organization's products. [OUTCOME 3]
Summary of the Automotive CSIR Process

Figure: Overview of the core activities and their sub-activities.

Detect & Register: Monitor systems and services; Monitor public information pools; Accept and register incident; Assign and forward incident report

Assess & Classify: Analyse incident technically; Analyse risk; Inform internal stakeholders

Decide & Response: Carry out immediate countermeasures; Preserve evidence; Inform external stakeholders; Carry out sustained countermeasures

Learn & Optimize: Improve product security; Improve cybersecurity policies
Automotive CSIR across the Supply Chain
(1/3)

In contrast to cases in which damage is caused by mechanical components, the vulnerabilities exploited in automotive cybersecurity incidents may be situated in IT components which are the responsibility of neither the OEM nor any of its suppliers or subcontractors. For example, vulnerabilities in the IT systems of the network operator or cybersecurity leaks from mobile devices that are connected to the vehicle may lead to automotive cybersecurity incidents. In the future, the attack surface of the road vehicle is likely to increase even further with more external IT systems, such as vehicle-to-infrastructure, vehicle-to-vehicle, vehicle-to-home, and other forms of vehicle networking. It may become necessary to involve the operators of these external IT components in the Automotive CSIR process as well.

The term supplier is still used here. However, this is not limited to suppliers of purchased parts that are installed in road vehicles or of IT systems outside the road vehicle that are part of the entire communication infrastructure; rather, it also includes the operators of digital services, which may lead to cybersecurity incidents.
Automotive CSIR across the Supply Chain
(2/3)

Within the Automotive CSIR process, suppliers essentially take on the role of development departments. In other words, suppliers cooperate closely with the Automotive CSIR technical team to analyze vulnerabilities identified in their systems and fix these vulnerabilities themselves. In addition, the suppliers carry out risk assessments regarding the identified vulnerabilities and inform any other customers similarly affected by them.

A supplier should also have a CSIR team, known to the OEM's Automotive CSIR team as a contact. The exchange of information between the OEM's technical Automotive CSIR team and the supplier's CSIR team in addressing a vulnerability is shown in the following table:
Automotive CSIR across the Supply Chain
(3/3)

No / Message / Content / Sender to receiver

1 Reporting the cybersecurity incident (customer to supplier): description of the automotive cybersecurity incident; description of the assumed vulnerability

2 Acknowledgment of report (supplier to customer): designated contact; information about already available countermeasures (optional)

3 Acceptance criteria (customer to supplier): criteria for accepting a solution (possibly sent together with message 1)

4 Analysis result (supplier to customer): confirmation of the vulnerability, otherwise justified rejection; assessment result; information about forwarding to a subcontractor (optional)

5 Measures (supplier to customer): description of the measures carried out; information about acquisition of updates (if applicable) incl. system documentation

6a Confirmation of acceptance (customer to supplier): confirmation if all acceptance criteria are fulfilled

6b Rejection (customer to supplier): reasons for rejection if the acceptance criteria are not fulfilled
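The message exchange in the table above is the kind of workflow a CSIR team ends up tracking in a ticketing tool, and the two points where it commonly goes wrong are messages arriving out of order (a supplier sends measures before the vulnerability is confirmed) and a 6a/6b decision that is not tied back to the acceptance criteria from message 3. The following is an added example, not code from the pocket guide or from any project it describes: a small Python model of the exchange that enforces the sender and order of messages 1 to 5, treats message 3 as optional when the criteria already came with message 1, and derives the closing message (6a or 6b, with the unmet criteria as rejection reasons) from what the supplier's measures actually satisfy. The assumption that a justified rejection in message 4 ends the exchange, the `criteria_fulfilled` field on message 5, and all sample message contents are constructed for the example and are not stated by the guide.

```python
"""Model of the customer/supplier vulnerability-handling exchange (messages 1 to 6b).

Added example; message numbers and senders follow the pocket guide's table,
everything else (field names, the rule that a rejection in message 4 closes
the exchange) is an assumption made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

CUSTOMER, SUPPLIER = "customer", "supplier"

# Message number -> party that must send it (from the table).
SENDER = {"1": CUSTOMER, "2": SUPPLIER, "3": CUSTOMER, "4": SUPPLIER,
          "5": SUPPLIER, "6a": CUSTOMER, "6b": CUSTOMER}
# Messages 1 to 5 are strictly ordered; 6a/6b close the exchange afterwards.
ORDER = ["1", "2", "3", "4", "5"]


class ProtocolError(Exception):
    """A message from the wrong party, out of order, or after the exchange closed."""


@dataclass
class Exchange:
    log: list = field(default_factory=list)       # accepted (number, sender, content)
    criteria: List[str] = field(default_factory=list)  # acceptance criteria (msg 1 or 3)
    confirmed: Optional[bool] = None             # analysis result from message 4
    fulfilled: Set[str] = field(default_factory=set)   # criteria met by the measures (msg 5)
    closed: Optional[str] = None                 # number of the message that closed the exchange

    def _check(self, number: str, sender: str) -> None:
        if self.closed is not None:
            raise ProtocolError(f"exchange already closed by message {self.closed}")
        if SENDER.get(number) != sender:
            raise ProtocolError(f"message {number} must be sent by {SENDER.get(number)}")
        done = [m[0] for m in self.log]
        pending = [n for n in ORDER if n not in done]
        # Message 3 may be merged into message 1 ("possibly with message 1").
        if "3" in pending and self.criteria and number != "3":
            pending.remove("3")
        if number in ("6a", "6b"):
            if pending:
                raise ProtocolError(f"cannot close before message {pending[0]}")
        elif not pending or pending[0] != number:
            raise ProtocolError(f"expected message {pending[0] if pending else 'none'}, got {number}")

    def send(self, sender: str, number: str, **content) -> str:
        """Accept one message of the exchange, validating sender and order."""
        self._check(number, sender)
        if number in ("1", "3") and "acceptance_criteria" in content:
            self.criteria = list(content["acceptance_criteria"])
        elif number == "4":
            self.confirmed = bool(content["vulnerability_confirmed"])
            if not self.confirmed and not content.get("justification"):
                raise ProtocolError("a rejection in message 4 must be justified")
        elif number == "5":
            self.fulfilled = set(content.get("criteria_fulfilled", []))
        self.log.append((number, sender, content))
        if number == "4" and not self.confirmed:
            self.closed = "4"        # assumption: a justified rejection ends the exchange
        elif number in ("6a", "6b"):
            self.closed = number
        return number

    def decide_acceptance(self) -> Tuple[str, List[str]]:
        """Customer side: 6a if every acceptance criterion is met, else 6b with reasons."""
        unmet = [c for c in self.criteria if c not in self.fulfilled]
        if unmet:
            self.send(CUSTOMER, "6b", reasons=unmet)
        else:
            self.send(CUSTOMER, "6a", confirmation="all acceptance criteria fulfilled")
        return self.closed, unmet


def run_sample_exchange() -> Tuple[str, List[str]]:
    """Constructed sample: a confirmed vulnerability whose fix meets two of three criteria."""
    ex = Exchange()
    ex.send(CUSTOMER, "1", incident="constructed sample incident description",
            assumed_vulnerability="constructed sample vulnerability description")
    ex.send(SUPPLIER, "2", contact="supplier CSIR team contact (placeholder)")
    ex.send(CUSTOMER, "3", acceptance_criteria=["fix verified on affected variants",
                                                "regression tests passed",
                                                "update documentation delivered"])
    ex.send(SUPPLIER, "4", vulnerability_confirmed=True, assessment="constructed assessment")
    ex.send(SUPPLIER, "5", measures="constructed software update",
            criteria_fulfilled=["fix verified on affected variants", "regression tests passed"])
    return ex.decide_acceptance()   # -> ("6b", ["update documentation delivered"])


if __name__ == "__main__":
    print(run_sample_exchange())
```

Because the customer's closing message is computed from the recorded criteria rather than typed in by hand, a 6b always carries the concrete unmet criteria as its reasons, which is exactly what the supplier needs to iterate on message 5; and the order check means a supplier cannot report measures before the vulnerability has been confirmed or rejected in message 4.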
Recommendations

Recommendations to the upper management 40
Recommendations to the Automotive CSIR team 54
Recommendations to component managers 78
Recommendations to IT Operations 82

Recommendations

Based on the foundation described in the first part, this second part recommends concrete activities for preparing and optimizing an automotive cybersecurity incident response.

These recommendations are intended for executives and employees of companies in the automotive industry who are directly or indirectly involved in the Automotive CSIR process or its preparation.
Recommendations to the upper management

Define basic cybersecurity policies and automotive cybersecurity incidents

The upper management should set the basic cybersecurity guidelines and define what the company considers to be an automotive cybersecurity incident. The basic cybersecurity guidelines should describe the secure and rule-compliant normal state when using vehicle IT, so that an automotive cybersecurity incident may be identified as a violation of or deviation from this defined normal state. Based on these guidelines, an automotive cybersecurity incident can be distinguished from other incidents and events.

The definition should consider that existing organizational units are already processing incidents. Here it must be checked whether these existing organizational units are to be included in the automotive cybersecurity process or should work separately from the Automotive CSIR process.

Tasks:
• Define basic automotive cybersecurity guidelines
• Define automotive cybersecurity incidents as distinct from other, non-vehicle-related cybersecurity incidents and other non-security incidents
• Communicate specifications
Establish basic Automotive CSIR process and build up Automotive CSIR team

The upper management should describe the basic Automotive CSIR process, appoint an Automotive CSIR team, and instruct them in the structure and detailed definition of the process. Upper management should further equip the Automotive CSIR team with the necessary specialist competencies and/or organizational rights to enable it to perform technical and organizational-legal assessment of automotive cybersecurity incidents and to independently initiate countermeasures appropriate to the incidents' criticality and urgency in accordance with the cybersecurity guidelines for automotive cybersecurity incidents.

Tasks
• Define and communicate the basic Automotive CSIR process
• Build up an Automotive CSIR team and provide the necessary resources
• Define and communicate the decision-making rights of the Automotive CSIR team
• Establish guidelines for reporting to the upper management by the Automotive CSIR team
• Define and communicate the escalation process
Build up or expand a support organization

The upper management should set up a support structure suitable for automotive cybersecurity incidents or adapt and expand the existing support structure for automotive cybersecurity incidents. Support might include the following:

• First-level support in the form of a publicly accessible help desk accessible via hotline, chat and/or e-mail, for example, and known to all external and in-house bodies

• Second-level support known and accessible to all component managers, field analysts, importers, suppliers, service providers, competitors, IT Operations and first-level support

• Third-level support known and accessible to second-level support, the bug bounty operator (if any), the PR department, and the legal department

• All support levels should be available 24 hours a day, 365 days a year. The support staff should have the necessary qualifications to detect and register automotive cybersecurity incidents and to carry out defined countermeasures.

Tasks
• Define support structures
• Provide resources for the support structure and qualify employees
• Guarantee the technical prerequisites for the availability of the support
Prepare Automotive CSIR communication to external stakeholders

Upper management should define guidelines for communication with external stakeholders (including customers, authorities and the press) in case of automotive cybersecurity incidents. It should clarify what is to be communicated at what time by whom, so that all necessary information obligations are fulfilled, the necessary confidentiality is maintained, and efficient action is ensured.

Tasks
• Identify and document communication channels
• Define events that trigger external communications
• Clarify responsibilities for external communication
Demand CSIR capability in the supply chain

Upper management should demand that suppliers of IT components provide a CSIR team and a CSIR process on the supplier side. This CSIR capability further implies that the supplier also requires this from its IT component suppliers, so that CSIR capability is present throughout the entire supply chain.

Tasks
• Define CSIR process guidelines for contracting IT component suppliers
• Communicate procurement guidelines
• Negotiate contracts with the IT component suppliers according to the guidelines and adjust them if necessary
Test Automotive CSIR process (optional)

Upper management should have the Automotive CSIR process tested. For this purpose, critical incidents should be identified and described as test scenarios. When conducting a test, as few people as possible should be informed and it must be ensured that genuine damage is avoided. If necessary, external experts are to be commissioned for this.

Tasks
• Identify critical cybersecurity incidents and define a test scenario
• Prepare the test to exclude the possibility of actual damage
• Carry out the test
• Identify the strengths and weaknesses of the Automotive CSIR process and remedy deficiencies
Sensitize and train employees

The upper management should inform the employees of the company about the risks of cybersecurity threats and provide necessary training and support. The importance of automotive cybersecurity for the company should be clearly illustrated and employees should be sensitized to the subject. This applies especially to employees who may be involved in detecting automotive cybersecurity incidents or eliminating vulnerabilities.

Tasks
• Explain the importance of automotive cybersecurity for the company to the employees
• Offer training courses on cybersecurity in general and automotive cybersecurity in particular
Recommendations to the Automotive CSIR team

Specify cybersecurity policies

The Automotive CSIR team should substantiate and communicate the basic cybersecurity guidelines approved by the upper management. The concrete cybersecurity guidelines should contain guidelines for conduct regarding automotive cybersecurity incidents for the various groups or organizational units.

The support staff and the managers of IT components should be familiar with the following so that they can recognize automotive cybersecurity events at an early stage, assess them initially, and provide effective support in the further processing of automotive cybersecurity incidents:

• The secure normal state when using vehicle IT

• Possible automotive cybersecurity events

• Basic safeguards in case of an automotive cybersecurity incident

• Validated vulnerabilities, their detection, and countermeasures

Tasks
• Specify cybersecurity guidelines for automotive cybersecurity incidents and define guidelines for conduct for each group or organizational unit
• Document and classify automotive cybersecurity events
• Document validated vulnerabilities (detection and countermeasures)
• Communicate cybersecurity guidelines for automotive cybersecurity incidents
Network with relevant experts and managers in the company

The Automotive CSIR team should know and be able to integrate at any time the experts and managers in the company necessary to assess automotive cybersecurity incidents, mitigate the damage, remove the causes of damage and/or restore the system. These may be employees of any of the following business units (among others):

• Technical development and software development

• IT Operations

• Data protection or legal department

• Product safety

• Component managers

• Human Resources

• Communication / PR

Tasks
• Identify all experts and managers relevant to the Automotive CSIR process
• Agree upon and define the communication structure with experts and managers
• Ensure availability of experts and managers in emergencies
• Communicate deficiencies in the cybersecurity policies
Access to compromised systems

The Automotive CSIR team should ensure in advance that it is permitted access to the compromised systems. For this purpose, organizational and technical framework conditions must be established.

Tasks
• Review and prepare legal, organizational and logistical options for accessing affected vehicles and vehicle components
• Organize access rights to IT systems for members of the Automotive CSIR team or have a facility secured in an emergency
• Set up any necessary access software for IT systems
• Seek instruction in the operation of the systems
• Access to log files and other relevant data
Build up and use a network of external experts

The Automotive CSIR team should know external experts and, if necessary, consult them and be able to integrate them into automotive cybersecurity incident processing.

Tasks
• Identify external experts and build up and maintain a network
• Clarify contractual conditions and, if necessary, conclude contracts with external partners
Ensure effective communication with external stakeholders

The Automotive CSIR team should ensure that any needed communication with external stakeholders functions effectively. The stakeholders include the following (among others):

• Suppliers of IT components

• Authorities

• Competitors

• Customers (for subcontractors)

Tasks
• Know the contact persons at the external stakeholders
• Coordinate communication (triggering events, channels, data, data formats) with the external stakeholders and implement the requirements
• Install or create and maintain processes, tools and templates for external communication
Prepare risk assessment for automotive cybersecurity incidents

In coordination with the upper management, the Automotive CSIR team should establish a risk assessment procedure for automotive cybersecurity incidents and prepare templates for the procedure with examples.

Tasks
• Define risk assessment methods
• Define the process for risk assessment
• Create templates with examples
Document automotive cybersecurity incidents and secure forensic evidence

The Automotive CSIR team is to set up and operate systems for consistently documenting automotive cybersecurity incidents and forensic evidence (data and systems) as well as ensure professional processing of such evidence. The team must consider that the data collected must be kept confidential and stored for an extended period. The systems used must be designed for this purpose.

Tasks
• Define requirements for systems for documenting automotive cybersecurity incidents and preserving evidence
• Implement evidence preservation and documentation systems
• Seek training in the use of the systems for securing evidence and documentation
• Organizationally and technically ensure the confidentiality of the collected data
• Search for automotive cybersecurity incidents and connect or link automotive cybersecurity incident reports
• Determine the processing status of automotive cybersecurity incidents
• Build up and maintain expertise in forensic evidence preservation
Ensure ability to validate effectiveness of countermeasures

The Automotive CSIR team should be able to verify the effectiveness of countermeasures. For this purpose, all necessary organizational and technical measures must be prepared.

Tasks
• Secure access to information about events in the field
• Be able to assess the information
• Ensure that automotive cybersecurity incidents are closed only by the Automotive CSIR team
Gather automotive cybersecurity threats from external sources

The Automotive CSIR team should actively inform themselves about new automotive cybersecurity threats and, if necessary, integrate them into the Automotive CSIR process. Information sources include cybersecurity conferences and publications on cybersecurity, among others.

Tasks
• Screen sources and obtain information (for instance, by subscribing to newsletters, attending conferences, etc.)
• Install processes and tools for information gathering
• Evaluate external information about potential automotive cybersecurity threats and, if necessary, integrate it into the Automotive CSIR process
Perform penetration tests (optional)

The Automotive CSIR team should be able to independently commission penetration tests to discover hitherto unknown vulnerabilities.

Tasks
• Know experts in penetration testing and be able to commission tests promptly if necessary
• If necessary, route the results of a penetration test into the Automotive CSIR process as an automotive cybersecurity incident
Build up bug bounty platform (optional)

The Automotive CSIR team might build up a bug bounty platform that allows hackers to legally report vulnerabilities.

Tasks
• Develop a conceptual design (organizational, legal, financial, etc.) for building a bug bounty platform
• Operate the bug bounty platform
Ensure capacity to disable critical features

The Automotive CSIR team should make it possible to switch off critical functions if necessary, provided the legal framework allows it.

Tasks
• Identify functions that should be capable of being disabled
• Describe the disabling mechanism for each of these functions
• Implement and test the disabling mechanisms
Recommendations to component managers

Understand the significance of the component for automotive cybersecurity

The component manager should know the cybersecurity architecture and understand the significance of the component for which they are responsible. The component manager knows and has documented what data is stored in the component and what levels of confidentiality the data has.

Tasks
• Be familiar with the cybersecurity guidelines
• Understand the significance of the component for automotive cybersecurity
• Know the data stored in the component and its level of confidentiality
Ensure ability to identify vehicles incorporating an affected component

The component manager should know which vehicles incorporate the component they are responsible for in order to be able to provide this information to the Automotive CSIR team for risk assessment.

Tasks
• Provide information about the vehicles with the component as needed in a timely manner
Recommendations to IT Operations

Log and monitor automotive cybersecurity events

IT Operations should be able to record automotive cybersecurity events in the vehicles and on the servers, to evaluate them initially and, if necessary, to initiate the Automotive CSIR process. For this purpose, the company should take the necessary preparatory steps.

Tasks
• Define and implement requirements for logging and monitoring of automotive cybersecurity events
• Ensure that IT Operations staff is automatically alerted to automotive cybersecurity events
• Build up and expand expertise in assessing automotive cybersecurity events
Ensure efficient deployment

IT Operations should enable efficient deployment of countermeasures to address automotive cybersecurity incidents by implementing the necessary technical and organizational requirements.

Tasks
• Ensure efficient verification of acceptance criteria
• Ensure efficient deployment of security patches
• Ensure efficient installation of security patches on the servers
• Ensure efficient distribution of security patches to customers and dealers
Evaluation of the Automotive CSIR Capability

Overview of Questions 88

Capability to Detect & Register 90

Capability to Assess & Classify 100

Capability to Decide & Response 108

Capability to Learn & Optimize 116
Overview of Questions

The assessment of the Automotive CSIR capability consists of the following questions:

Detect & Register
• To what extent can cybersecurity events and cybersecurity incidents targeting vehicles and vehicle-related software and digital services be monitored and detected?
• To what extent are reports of vulnerabilities and threats monitored and evaluated?
• To what extent can cybersecurity events, cybersecurity incidents, vulnerabilities and threats be reported?
• To what extent are reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats correctly forwarded to the responsible internal unit(s)?

Assess & Classify
• To what extent are cybersecurity incidents technically analyzed and assessed?
• To what extent are the business, safety, legal and operational impacts of cybersecurity incidents assessed and classified?
• To what extent are internal stakeholders appropriately informed about cybersecurity incidents?

Decide & Response
• To what extent can immediate countermeasures be carried out in case of an emergency?
• To what extent can affected customers, authorities and other stakeholders be properly informed and given instructions?
• To what extent are sustained countermeasures carried out, controlled and verified?
• To what extent is evidence of the origins, causes and effects of cybersecurity incidents preserved?

Learn & Optimize
• To what extent are the findings and experiences from incident resolution used to optimize new products?
• To what extent are the findings and experiences from incident resolution used to fine-tune existing cybersecurity policies?
Capability to Detect & Register (1/4)

To what extent can cybersecurity events and cybersecurity incidents targeting vehicles and vehicle-related software and digital services be monitored and detected (e.g., by log files, alerts, etc.)?

Objective
Monitoring and analysis of IT and product-related log and interaction data may show intrusion attempts, anomalies and suspicious network traffic and thus help to identify cybersecurity incidents and vulnerabilities.

Requirements
This must include:
• Awareness by organizational units other than dedicated incident response teams of the need to be on the lookout for cybersecurity events.
• Monitoring of cybersecurity events in our own products and services.
• Use of tools for cybersecurity event monitoring (e.g., SIEM tools) of backend systems.

This should include:
• Use of tools for cybersecurity event monitoring of vehicle systems and services (intrusion detection systems, product monitoring).
• Classification of products for cybersecurity reasons, in order to determine the type and scope of the monitoring.
• Defined processes, roles and responsibilities for the monitoring of cybersecurity events in vehicle systems and services (intrusion detection systems, product monitoring).
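The objective above (backend log data showing intrusion attempts and anomalies) and the IT Operations recommendation to alert staff automatically are both served by a small, added worked example. It is not code from the pocket guide or from any vendor: the log format, field names, sample lines, thresholds and window sizes are all constructed assumptions. It reads backend API log lines, applies two threshold rules (a burst of failed authentications from one source, and vehicle commands for one VIN arriving from several distinct sources within a short window) and emits alert records of the kind a SIEM rule would hand to the registration step of the Automotive CSIR process.

```python
"""Added example: threshold-based detection over constructed backend log lines.

The log format, field names, sample data and thresholds are assumptions for
illustration; they are not taken from the pocket guide or from any product.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample lines in an assumed format:
#   <ISO timestamp> <service> <event> src=<ip> vin=<VIN> result=<ok|fail>
# The VINs and addresses are placeholders, not real vehicles or hosts.
SAMPLE_LOG = """\
2018-12-03T08:00:01Z telematics-api auth src=198.51.100.7 vin=TESTVIN0000000001 result=ok
2018-12-03T08:00:05Z telematics-api auth src=203.0.113.9 vin=TESTVIN0000000002 result=fail
2018-12-03T08:00:06Z telematics-api auth src=203.0.113.9 vin=TESTVIN0000000003 result=fail
2018-12-03T08:00:07Z telematics-api auth src=203.0.113.9 vin=TESTVIN0000000004 result=fail
2018-12-03T08:00:08Z telematics-api auth src=203.0.113.9 vin=TESTVIN0000000005 result=fail
2018-12-03T08:00:09Z telematics-api auth src=203.0.113.9 vin=TESTVIN0000000006 result=fail
2018-12-03T08:00:30Z telematics-api remote_unlock src=198.51.100.7 vin=TESTVIN0000000001 result=ok
2018-12-03T08:04:00Z telematics-api remote_unlock src=192.0.2.44 vin=TESTVIN0000000001 result=ok
2018-12-03T08:05:00Z telematics-api remote_unlock src=192.0.2.45 vin=TESTVIN0000000001 result=ok
2018-12-03T08:06:00Z telematics-api remote_unlock src=192.0.2.46 vin=TESTVIN0000000001 result=ok
"""

# Assumed tuning values; a real deployment derives them from the product
# classification the guide asks for (type and scope of monitoring).
FAIL_THRESHOLD = 5                      # failed authentications from one source ...
FAIL_WINDOW = timedelta(seconds=60)     # ... within this sliding window
SOURCE_THRESHOLD = 3                    # distinct sources commanding one VIN ...
SOURCE_WINDOW = timedelta(minutes=10)   # ... within this sliding window


@dataclass
class Event:
    ts: datetime
    service: str
    kind: str
    src: str
    vin: str
    result: str


@dataclass
class Alert:
    ts: datetime
    rule: str
    subject: str      # the source address or the VIN the rule fired on
    severity: str
    detail: str


def parse_line(line: str) -> Event:
    """Split one assumed-format log line into an Event."""
    ts, service, kind, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), service, kind,
                 fields["src"], fields["vin"], fields["result"])


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run both rules over the lines in order and return the alerts raised."""
    alerts: List[Alert] = []
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    cmds: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    raised = set()   # (rule, subject) pairs already alerted, to avoid repeats

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)

        # Rule 1: credential guessing against the backend API from one source.
        if ev.kind == "auth" and ev.result == "fail":
            window = fails[ev.src]
            window.append(ev.ts)
            while window and ev.ts - window[0] > FAIL_WINDOW:
                window.popleft()
            key = ("auth_burst", ev.src)
            if len(window) >= FAIL_THRESHOLD and key not in raised:
                raised.add(key)
                alerts.append(Alert(ev.ts, "auth_burst", ev.src, "medium",
                                    f"{len(window)} failed authentications within "
                                    f"{int(FAIL_WINDOW.total_seconds())}s"))

        # Rule 2: successful vehicle commands for one VIN from many sources.
        # Rated high because it touches a vehicle function, not only the backend.
        if ev.kind != "auth" and ev.result == "ok":
            window2 = cmds[ev.vin]
            window2.append((ev.ts, ev.src))
            while window2 and ev.ts - window2[0][0] > SOURCE_WINDOW:
                window2.popleft()
            distinct = {src for _, src in window2}
            key = ("multi_source_command", ev.vin)
            if len(distinct) >= SOURCE_THRESHOLD and key not in raised:
                raised.add(key)
                alerts.append(Alert(ev.ts, "multi_source_command", ev.vin, "high",
                                    f"{ev.kind} from {len(distinct)} distinct sources "
                                    f"within {int(SOURCE_WINDOW.total_seconds() // 60)} min"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.severity:6} {a.rule:22} {a.subject}: {a.detail}")
```

Both rules keep a per-key sliding window, so the alert fires on the first line that crosses the threshold and the state stays bounded by the window length. Which alerts should open a ticket automatically and which need an analyst's first look is exactly the "defined processes, roles and responsibilities" item above; the code only produces the records that decision acts on.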
Capability to Detect & Register (2/4)

To what extent are reports of vulnerabilities and threats monitored and evaluated (e.g., security conferences, darknet, scientific publications)?

Objective
Monitoring and analysis of public information pools may provide information on new attack capabilities, threats, recently discovered vulnerabilities and cybersecurity incidents, thus helping to identify vulnerabilities in our own products and services, as well as assessing the current threat landscape.

Requirements
This must include:
• Continuously monitoring suppliers' cybersecurity bulletins and public information pools on threats, vulnerabilities and cybersecurity incidents that are related to our own products and services.

This should include:
• Use of dedicated threat intelligence services and tools that actively feed these kinds of information into the organization.
• Continuous analysis of publicly available information (e.g., in the press and other media on cybersecurity incidents) about emerging new threats and new vulnerabilities that may relate to the organization's services and products.
• Defined processes, roles and responsibilities for the monitoring of suppliers' cybersecurity bulletins and public information pools.
Capability to Detect & Register (3/4)

To what extent can cybersecurity events, cybersecurity incidents, vulnerabilities and threats be reported (e.g., by customers, suppliers, authorities, external cybersecurity experts, etc.)?

Objective
An organization must provide contact points so that external reporters can report cybersecurity events, cybersecurity incidents, vulnerabilities and threats that concern or are related to the products and services of the organization. These reports must be registered and processed to ensure the proper resolution of vulnerabilities and cybersecurity incidents.

Requirements
This must include:
• Contact details and/or methods for reporting cybersecurity events, cybersecurity incidents, vulnerabilities and threats that are available to external stakeholders (such as partners, customers and authorities).
• An internal organization that accepts and registers reported cybersecurity events, cybersecurity incidents, vulnerabilities and threats.
• Active management of reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats.

This should include:
• Defined processes, roles and responsibilities to receive and register reported cybersecurity events, cybersecurity incidents, vulnerabilities and threats.
• The education of employees in the internal organization about automotive cybersecurity.
• Protecting the confidentiality and integrity of reports.

Additionally in case of high protection needs:
• Contact points with 24/7 availability.
Capability to Detect & Register (4/4)

To what extent are reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats correctly forwarded to the responsible internal unit(s)?

Objective
The proper assignment of reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats to internal entities that can validate, assess and, if required, respond to these reports ensures that they are handled properly and in a timely manner by the appropriate personnel in the correct order.

Requirements
This must include:
• The active assignment of reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats to internal entities that can further validate, assess and, if required, respond to the reported cybersecurity events, cybersecurity incidents, vulnerabilities and threats.
• Awareness among service desk staff that critical systems may generate considerable damage in the event of ongoing vulnerabilities or cybersecurity incidents.
• Service desk checklists to support the identification of product-related cybersecurity events, cybersecurity incidents, vulnerabilities and threats.
• Labelling of reports when they are related to cybersecurity.
• Distribution of the definitions and policies related to automotive cybersecurity incident response among service desk staff and other units.
• Defined processes, roles and responsibilities to assess and classify reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats.

This should include:
• Use of a ticket system that allows for assigning and managing responsibilities for cybersecurity events, cybersecurity incidents, vulnerabilities and threats.

This may include:
• Definition and distribution of dedicated escalation paths for reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats so that they can be handled differently from classical service requests and service disruptions.

Additionally in case of high protection needs:
• A dedicated automotive cybersecurity incident response team that is responsible for coordinating the product cybersecurity incident response and for addressing vulnerability issues in products in the field.
Capability to Assess & Classify (1/3)

To what extent are cybersecurity incidents technically analyzed and assessed (in regard to their cause, technical impact, etc.)?

Objective
The analysis, validation and classification of reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats must be performed by competent personnel. The analysis of the reports allows us to gain a technical understanding of their validity and criticality, the causes related to them and their technical impact. Validation and classification lead to a decision about whether reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats require an explicit response, and thus whether they will be further addressed within the cybersecurity incident response process as a cybersecurity incident. Cybersecurity incidents must be properly prioritized so that effective countermeasures and immediate actions can be promptly and appropriately initiated in accordance with the criticality of the security incident. The early and proper analysis and preservation of the causes of the incident (forensics) can help to answer liability questions which may arise in the aftermath of a cybersecurity incident.

Requirements
This must include:
• Classification of reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats in respect to their validity and criticality, as a basis for further investigation and treatment.
  – A classification scheme to support decision-making about the trustworthiness and criticality of vulnerability and cybersecurity incident reports.
  – A technical and organizational means of searching for reports that have similarities (e.g., similar cybersecurity events, cybersecurity incidents, vulnerabilities or threats).
• Defined processes, roles and responsibilities concerning the making of decisions about whether reports of cybersecurity events, cybersecurity incidents, vulnerabilities and threats need further treatment and for managing and coordinating the related security incident response activities.
• Root cause analysis and impact analysis for cybersecurity incidents.
  – Dedicated processes to analyze and assess the root cause of cybersecurity incidents.
  – Dedicated processes to analyze and assess the technical impacts of cybersecurity incidents.
• Defined processes, roles and responsibilities that establish contact channels to technical staff who can provide details about each of the organization's relevant products and services.
• Defined processes, roles and responsibilities that establish the interaction between the automotive cybersecurity incident response team and the risk assessment units.
• Documentation (i.e., creation of an incident record) and prioritization of cybersecurity incidents in terms of their criticality, as a basis for treatment measures and immediate actions.

This should include:
• Access to forensics services that allow for the systematic assessment of compromised systems and safekeeping of clues, traces, logging data and other forms of evidence.
• Dedicated processes for technical cybersecurity risk assessment and management.
• Contact channels to responsible roles and units in the supply chain.

This may include:
• Defined processes, roles and responsibilities that enable the secure preservation of data from suspicious systems in a verifiable manner.

Additionally in case of high protection needs:
• An automotive cybersecurity incident response team with dedicated forensics know-how.
Capability to Assess & Classify (2/3)

To what extent are the business, safety, legal and operational impacts of cybersecurity incidents assessed and classified?

Objective
The analysis of business, safety, legal and operational impacts and risks supports the definition of adequate countermeasures and may initiate activities in supporting processes like public relations, legal, human resources, etc.

Requirements
This must include:
• Analysis and assessment of the business, safety, legal and operational risks of a cybersecurity incident.

This should include:
• Involvement of the business, safety, legal and operational risk assessment and management units.
Capability to Assess & Classify (3/3)

To what extent are internal stakeholders appropriately informed about cybersecurity incidents?

Objective
Internal stakeholders (e.g., management, public relations, human resources and the relevant technical departments) need to be informed about the origin, effects and progression of a cybersecurity incident, so that they can be involved in the determination of immediate actions and systematic countermeasures.

Requirements
This must include:
• Distribution of information about the occurrence of cybersecurity incidents to affected internal parties and stakeholders.
• Distribution of status information related to the incident response to affected internal stakeholders.

This should include:
• The existence of pertinent and appropriate templates for reports that provide information suitable for internal stakeholders.
Capability to Decide & Response (1/4)

To what extent can immediate countermeasures be carried out in case of an emergency?

Objective
Immediate actions are required to contain damage and preserve evidence in cases in which the threat is rapidly evolving.

Requirements
This must include:
• Defined processes, roles and responsibilities for initiating and managing immediate response actions.

This should include:
• Dedicated policies for handling ongoing cybersecurity incidents and severe vulnerabilities in the field.
• Direct contact to the responsible roles and units in the supply chain.

Additionally in case of high protection needs:
• 24/7 availability of personnel that are needed to carry out immediate response actions (e.g., external communications, informing the press, deactivating systems, ...).
Capability to Decide & Response (2/4)

To what extent can affected customers, authorities and other stakeholders be properly informed and given instructions?

Objective
Users and other external stakeholders (e.g., business partners, public authorities) need to be involved in order to mitigate the impact of a cybersecurity incident and to fulfill legal obligations.

Requirements
This must include:
• Informing users and other stakeholders about product or service failures as soon as possible, if required.
• Policies to ensure that all affected or relevant external stakeholders are promptly informed about the occurrence of a cybersecurity incident and the mitigation and recovery processes related to it.
• Dedicated channels of communication to all affected or relevant external stakeholders who are required to be promptly informed in case of a cybersecurity incident (e.g., an effective customer service system that includes regular communications with external stakeholders and users).
• Policies to ensure that no unauthorized person has access to information about the cybersecurity incident.
• Direct contact to the responsible roles and units in the supply chain.
Capability to Decide & Response (3/4)

To what extent are sustained countermeasures carried out, controlled and verified?

Objective
The proper execution and verification of countermeasures to eliminate the cause of a cybersecurity incident, mitigate its consequences and initiate the associated changes to the product or service is essential to incident reaction and prevention.

Requirements
This must include:
• Policies to ensure that countermeasures are properly defined and decided upon.
• Management structures to decide upon the countermeasures to be taken.
• Organizational roles and units that can execute and control countermeasures, with the aim of returning to an operational, safe and secure state in products and systems.
  – Appropriate testing, confirmation and assurance of the product's and system's integrity and stability before rollout.
  – Appropriate assessment and validation of countermeasure effectiveness with respect to identified threats after rollout.

This should include:
• A regularly maintained list of customizable countermeasures and standard responses.
• Continuous monitoring of the status of efforts to address unresolved cybersecurity incidents, so that additional countermeasures may be introduced as soon as possible if threats are improperly addressed or if service levels are likely to be breached.
Capability to Decide & Response (4/4)

To what extent is evidence of the origins, causes and effects of cybersecurity incidents preserved?

Objective
After a cybersecurity incident has occurred, evidence must be handled with precision and care to prevent it from being overwritten, destroyed or otherwise corrupted, so as to improve assessment outcomes and reduce the potential for lawsuits or fines.

Requirements
This must include:
• Ensuring that countermeasures are executed in their entirety and collecting, preserving and archiving forensic evidence that may be needed to reject legal claims.

• A technical infrastructure to preserve and archive forensic evidence that may be needed to reject legal claims.

• Policies to ensure that forensic evidence is confidentially stored.

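As an added illustration of the "technical infrastructure to preserve and archive forensic evidence" requirement above (example code written for this guide's topic, not part of the pocket guide and not the AQI's or any OEM's own tooling): a minimal write-once evidence store in Python. Each artefact is stored with O_EXCL so it can never be silently overwritten, its SHA-256 digest is recorded in a manifest, and manifest entries are hash-chained so that a later modification of any artefact or of the manifest itself is detectable. The artefact names, the collector identifier and the sample CAN trace and ECU log lines are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceStore:
    """Write-once evidence archive with a hash-chained manifest (example only)."""

    def __init__(self, root: str):
        self.root = root
        self.manifest_path = os.path.join(root, "manifest.json")
        os.makedirs(root, exist_ok=True)
        if not os.path.exists(self.manifest_path):
            self._write_manifest([])

    def _write_manifest(self, entries):
        with open(self.manifest_path, "w", encoding="utf-8") as f:
            json.dump(entries, f, indent=2)

    def _read_manifest(self):
        with open(self.manifest_path, "r", encoding="utf-8") as f:
            return json.load(f)

    def preserve(self, name: str, data: bytes, collector: str) -> dict:
        """Archive one artefact; refuse to overwrite anything already preserved."""
        dest = os.path.join(self.root, name)
        # O_EXCL makes creation atomic: an existing file raises FileExistsError.
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(dest, 0o444)  # read-only once written
        entries = self._read_manifest()
        prev = entries[-1]["entry_hash"] if entries else "0" * 64
        entry = {
            "name": name,
            "sha256": sha256_file(dest),
            "size": len(data),
            "collector": collector,  # hypothetical analyst id
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "prev_entry_hash": prev,  # chains this entry to its predecessor
        }
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()
        ).hexdigest()
        entries.append(entry)
        self._write_manifest(entries)
        return entry

    def verify(self) -> list:
        """Return a list of problems found; an empty list means the archive is intact."""
        problems, prev = [], "0" * 64
        for entry in self._read_manifest():
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["entry_hash"] != expected or entry["prev_entry_hash"] != prev:
                problems.append(f"manifest chain broken at {entry['name']}")
            prev = entry["entry_hash"]
            path = os.path.join(self.root, entry["name"])
            if not os.path.exists(path):
                problems.append(f"{entry['name']} missing")
            elif sha256_file(path) != entry["sha256"]:
                problems.append(f"{entry['name']} modified")
        return problems


def demo(root: str = None) -> tuple:
    """Preserve two constructed artefacts, then show that tampering is detected."""
    root = root or tempfile.mkdtemp(prefix="evidence_")
    store = EvidenceStore(root)
    # Constructed sample artefacts, not data from any real vehicle or incident.
    store.preserve("can_trace.log", b"(1700000000.000) can0 123#DEADBEEF\n", "analyst-1")
    store.preserve("ecu_syslog.txt", b"ECU boot ok\nTLS handshake failed\n", "analyst-1")
    before = store.verify()
    try:  # a second collection under the same name must be refused, not overwrite
        store.preserve("can_trace.log", b"replacement", "analyst-2")
        refused = False
    except FileExistsError:
        refused = True
    path = os.path.join(root, "ecu_syslog.txt")  # simulate an accidental edit
    os.chmod(path, 0o644)
    with open(path, "ab") as f:
        f.write(b"tampered\n")
    return before, store.verify(), refused


if __name__ == "__main__":
    print(demo())
```

The chain means that deleting or rewriting a manifest entry breaks every later entry's `prev_entry_hash`, so a tamperer cannot remove one artefact from the record without leaving a trace; in practice the manifest's final `entry_hash` would additionally be signed or time-stamped by an independent party so the store operator cannot rebuild the chain.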
Capability to Learn & Optimize (1/2)

To what extent are the findings and experiences from incident resolution used to optimize new products?

Objective
Experiences and insights from the Automotive Cybersecurity Incident Response process shall be used to improve cybersecurity measures in new products over the long term. To this end, these experiences and insights must be systematically prepared, consolidated and disseminated to all relevant organizational units.

Requirements
This must include:
• The identification of improvements that would make the affected systems more resilient against the same or similar threats, vulnerabilities and cybersecurity incidents, as well as existing or future ones.

• Providing information to development units and development partners about vulnerabilities and other technical causes of a cybersecurity incident.

• Ensuring that development units and development partners sufficiently address these vulnerabilities.

• Ensuring that similar vulnerabilities in different software variants and versions are addressed.

• Deriving long-term cybersecurity measures from information about cybersecurity incidents and sending these measures to technical development.

This should include:
• The identification of trends and patterns with respect to threats and vulnerabilities and the means to address and manage new patterns.

• The evaluation of cybersecurity incidents so that new threat information can be identified, and the provision of this information to technical development.

This may include:
• Participation in a community which exchanges information on vulnerabilities, threats and cybersecurity incidents.

Capability to Learn & Optimize (2/2)

To what extent are the findings and experiences from incident resolution used to fine-tune existing cybersecurity policies?

Objective
Experiences and insights from the Automotive Cybersecurity Incident Response process shall be used to improve cybersecurity measures in the organization. To this end, these experiences and insights must be systematically prepared, consolidated and disseminated to all relevant organizational units.

Requirements
This must include:
• The identification of gaps in personnel qualifications that could be resolved by training and education.

• A dedicated vulnerability management process.

This should include:
• Deriving new patterns to be used for the detection of cybersecurity incidents from the most recent information about cybersecurity incidents, and the provision of this information to the organizational units that are responsible for incident detection.

Authors
Gunnar Harde (AQI Automotive Quality Institute GmbH)
Dr. Jürgen Großmann (Fraunhofer-Institut FOKUS)

Contact
AQI Automotive Quality Institute GmbH
Französische Str 13-14
10117 Berlin
Germany
[email protected]
www.aqigmbh.de

This publication is based on the expertise of the AQI and its scientific partners. It represents a consolidated position on the topic under examination.

This work including all its parts is protected by copyright. Any use not expressly authorized by copyright law requires prior permission.