
    Information security inside companies

    The German Association of the Automotive Industry (VDA) has drawn up measures for protecting data and prototypes. The current version of the VDA ISA catalog is available in German and English.

    Guidelines

    Business processes depend on information, on the information systems that process it, and on that processing being secure. Information security is more than just securing the technical infrastructure: it also means securing the entire flow of information. This is a central task for corporate management.

    Networking and globalization in the automotive industry's digital future bring numerous advantages, but the internal and external risks to companies are increasing as well. Suitable protective measures must be introduced to counter them. Because business processes are being digitalized across company boundaries, all parties involved need a comparable level of information security, guaranteed along the entire value chain.

    Experts from the automotive industry work together in the VDA's Information Security working group to develop common standards and appropriate protective measures. One major result of this cooperation is an industry standard for information security assessments, the VDA Information Security Assessment (ISA) catalog.

    The VDA recommends that companies involved in the automotive industry's value chain establish information security based on this VDA ISA.


    The NIS-2 Directive

    The EU NIS-2 Directive (the EU directive on the security of network and information systems) entered into force on January 16, 2023. In July 2023, the Federal Ministry of the Interior (BMI) published its first draft bill, the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). On July 24, 2024, the German Federal Cabinet adopted the NIS2UmsuCG without debate. Member states must transpose the directive into national law by October 17, 2024. The scope of the directive goes far beyond the previously regulated critical infrastructure operators and now covers companies within the automotive industry's supply chain.

    The directive, and the German act implementing it, prescribe risk management with corresponding reporting obligations: affected entities must register with the Federal Office for Information Security (BSI) (and in some cases with the Federal Office of Civil Protection and Disaster Assistance, BBK), provide evidence of the management system they have set up, and report significant security incidents. In return, the automatic provision of relevant information by government agencies to the companies is an important measure that benefits the entities concerned.

    According to the VDA, a regulatory framework for cybersecurity is welcome, but it requires a holistic approach, for example through close cooperation between industry and government and efficient processes. Central communication interfaces, e.g., organizational accounts and joint reports, fit in here: they reduce bureaucratic effort (through the once-only reporting principle) and collect all relevant information on one digital platform. SMEs, which are already heavily burdened yet important to the supply chain, would gain considerable efficiency from this. At the same time, state actors should gain access to information only on a need-to-know basis. The VDA statement "Association participation in the implementation of the NIS 2 Directive" from May 2024 addresses the corresponding draft bill and provides detailed policy recommendations in favor of a competitive, secure automotive industry.

    VDA ISA catalog version 6.0

    VDA-ISA Catalog Version 6.0, valid as of April 1, 2024

    Information and cybersecurity are more important than ever. This is especially true for the automotive industry, given the significance of its supply chain.

    Suppliers and service providers are deeply involved in both product development and production. During product development, they receive sensitive and confidential information and must therefore demonstrate compliance with information security requirements, particularly with regard to confidentiality.

    The smooth production of vehicles also depends on suppliers of production materials and serialized parts. Such suppliers and service providers must possess an appropriate level of resilience against disruptions, in both cyber and physical security.

    Experts from vehicle manufacturers, suppliers, and service providers have collaborated within the VDA and ENX to jointly develop a standard with adequate protective measures. Two significant outcomes of this collaboration are the industry standard for information security assessments, the VDA Information Security Assessment (VDA-ISA) Catalog, and the ENX audit and exchange mechanism Trusted Information Security Assessment Exchange (ENX TISAX).

    The VDA recommends that companies involved in the automotive industry's value chain establish information security based on the current VDA-ISA Catalog. To ensure a high security standard as the basis for Information Security Management Systems (ISMS) in the automotive industry, the catalog has been revised.

    With version 6.0, which comes into effect on April 1, 2024, the "availability" label has been newly incorporated into the VDA-ISA Catalog. Suppliers and service providers in the automotive industry can thus demonstrate compliance with cybersecurity and information security requirements for availability in addition to the existing confidentiality label.

    With VDA-ISA and ENX TISAX, the automotive industry already has recognized state-of-the-art standards. They also serve as a significant foundation for compliance with legal regulations, such as the EU NIS 2 Directive and other EU directives, as well as their national implementations in EU member states.

    Detailed technical information on the changes in VDA-ISA 6 and the ENX TISAX labels, as well as the specific implications for TISAX audits, can be found at https://enx.com/de-DE/news/.

    Minimum requirements for prototype protection

    Additional requirements must be fulfilled when dealing with prototypes. Prototypes here are vehicles, components, and parts that are classified for non-disclosure and have not yet been presented to the public by an automobile manufacturer or published in a suitable form.

    The objective of prototype protection is to establish appropriate measures and to regularly review their effectiveness.

    The VDA publishes a catalog of minimum requirements for prototype protection in both English and German. These requirements are also part of the VDA ISA catalog.

    Risk management in information security

    A project group of the VDA working group on Information Security has created a white paper on "Information Security Risk Management".

    The aim of this white paper is to raise awareness among companies in the automotive industry of risk-oriented information security management and to enable them to establish effective risk management. Furthermore, the white paper is intended to support companies in preparing for or carrying out a TISAX assessment, so that they can fulfill the requirements of the corresponding control of VDA ISA version 5.0, the version current when the white paper was published.

    The essential process stages of information security risk management are presented in compact form, while the concrete steps of assessing, treating, and monitoring information security risks are described in detail.

    At the same time, all process steps are illustrated using two consistent examples, contributing to a better understanding of the topic.

    The VDA recommends that its member companies use the white paper as a guide.

    Harmonization of security levels

    One fundamental element in achieving a needs-oriented level of information security is the classification of information. A comparison within the automotive industry revealed differences between companies in both the number and the designation of their classification levels.

    The VDA's Information Security working group has developed a standardized scheme for classifying information, which is published as a white paper. In conjunction with the requirements of the VDA ISA, it helps to avoid misunderstandings and risks when exchanging information and thus allows the information to be handled appropriately.

    The VDA recommends that its member companies use this white paper for orientation and implement the classification scheme described there within their companies.

    Coordination Unit for Security & Data

    Martin Lorenz

    Head of Department
