– Hi Jeffrey and welcome to Upstream’s Tech Talk Series. I’m Fay from Upstream Security, which offers the first cloud-based cybersecurity solution that’s purpose-built to protect connected vehicles and smart mobility services from cyber threats and misuse through the use of data. I’ll be the host of this Tech Talk, and I’m handing it over to you to introduce yourself.
– First Fay, thank you so much to you and the Upstream team for having me this morning. My name is Jeffrey Hannah. I direct the North America office of a company called SBD Automotive. SBD is a global automotive technology research company. We cover connected cars, autonomous vehicles and of course, Automotive cybersecurity.
– So you had said that you’re a research company and I know that in addition to that you do consulting and assessment options for connected vehicle manufacturers and suppliers. I wanna go ahead and focus a little bit in on those suppliers of tier one and tier two automotive suppliers, you know with these new regulations that are coming up and the standards that are being placed. What are some complications or complexities that you see suppliers are facing when it comes to complying with these regulations or becoming OEM ready in relation to these regulations?
– Absolutely, Fay. And that’s a great question. I think from a complexity standpoint everything’s fairly new when it comes to regulation. So for the history of automotive cybersecurity a lot of OEMs and suppliers were just thinking about how good is good enough. Now we’ve got new regulations, new standards including the UN WP.29 guidelines, as well as ISO/SAE 21434, which are formal frameworks. What that means for both OEMs and suppliers is really that starting in 2021, in order to sell new vehicle types in global markets like South Korea, Japan, Europe, both the OEMs have to be ready and similarly, the supply chain has to be ready. So where does that create complexity? One, just understanding the regulations. At SBD Automotive we’ve really dissected them, created checklists and things. So one, as a supplier, you need to be ready. And what I mean by ready is understand what you need to do. And secondly, it really means a change to terms and conditions. So as part of WP.29, OEMs have to sign what’s called basically an interface supplier agreement with their supply chain. So as OEMs develop things like threat models across these 32 types of threats, they’re basically signing up and saying their supply chain has to be ready. So suppliers have to know what their regulations are and how those are gonna trickle down. And then finally, complexities around what that means in terms of costs. So as new vulnerabilities come up through the supply chain life cycle, who really pays for things like updates and changes to software, as well as adding in cybersecurity controls to make sure automotive OEMs are secure right out of the gate. So there’s probably hundreds of others, but those are a few of the main ones.
– Yeah, that seems, I mean, pretty big. Those are a lot of big steps that suppliers need to kind of take upon themselves right now. What are some tips that you might have for them to even start that process? You know, where do they begin? What are some of the things that you say, listen, this is something you really need to get going and do, and these are ways to succeed within that space of compliance?
– Absolutely. And I think I’ll break it down to three parts. One, they have to have awareness internally; secondly, performing really a gap analysis; and then thirdly, working with OEMs on different POCs and really actually meeting the requirements. So on the awareness side, we talked about getting smart on things like the regulations. Secondly, they need to communicate that to OEM customers. So what I mean by that is they need to really prove that they’re ready, that they understand, and that could take the form of marketing materials, having senior leaders educated when they meet with OEMs, and really in our work with OEMs, if you’re not cybersecurity ready on the supplier’s side you may lose a commercial opportunity. So you need to walk in the door first and foremost having that awareness and being ready. The second one is really all those commercial aspects. So when the OEMs conduct these threat assessments and vulnerability analyses, we’ve really highlighted that the supply chain can be a major one that they are concerned about. So what that means is changes to things like MSCs, these interface agreements and things to really sort that out. And what that means is that each supplier will have to have a RASIC and secondly also create things like different threat assessments and threat models. One of the things we’ve heard from a lot of OEMs is that a lot of suppliers like to hold those things back from the OEM. So it’s kind of a black box. And I think that in my opinion that needs to go away, because the OEM with the new regulations is really responsible from top to bottom and they really can’t fly blind. So in the past, I think it’s been on cave for suppliers to differentiate on cybersecurity. I think they need to be much more open and explain what the model is, what testing they’ve done, and really provide that data and information to the OEM so that they’re comfortable.
And then finally, creating things like reports on a regular basis and sharing vulnerabilities back. So I think we all understand in automotive cybersecurity that you’re never gonna get it right out of the gate. Things are gonna change with things like over-the-air updates; companies like yours at Upstream are looking at things like Security Operations Centers and highlighting new data and vulnerabilities. And really it’s up to suppliers to proactively raise their hand and say, “Hey, this is a vulnerability we’ve spotted, and I want you as the OEM customer to be aware of that and then work jointly together on how we’re gonna fix it.”
– Now, Jeffrey, it seems like there’s a lot to accomplish. How do you work with OEMs, tier one and tier two suppliers to, you know, lead to that cybersecurity ready state? You know, what is your business model?
– Yeah, great question, Fay. So at SBD Automotive, we publish dozens of reports a year covering connected vehicle automotive cybersecurity, and our clients buy those. And I would say they’re extremely actionable. We’re a little bit unique from other research firms in the sense that we provide things like penetration testing and threat modeling. So a lot of our clients on the OEM or supplier’s side will retain us to make sure their cybersecurity is stable, really ready out of the gate. And really what I mean by that is they could give us a module, an app, a cloud-based solution. We can really test that and really spot those vulnerabilities and gaps before they go to market and at the risk of making potentially a major mistake. We’ve also been very successful with both tier ones and tier twos in helping them document everything they’ve done in cybersecurity so they can meet the OEM guidelines. So what we’re seeing on the automotive OEM side is really almost a thick set of requirements that both tier ones and tier twos have to meet. And we’ve created our own checklists at SBD Automotive to walk our clients right down that list, making sure they’re cybersecurity ready and can get that certification from the OEM.
– Now it seems like there’s a lot of room for collaboration. How do you work with cybersecurity vendors like Upstream in order to help you accomplish those things that you hope to accomplish with the OEMs and the suppliers?
– Absolutely. One of the challenges we’re seeing on the OEM side is really small teams. So we work closely with companies like Upstream and others to really raise that awareness of what basically technical solutions are out there and what a supply base can bring to the table. So through our research, we help OEMs and suppliers look at different standards that are emerging, different technologies to solve key challenges. So even today, what I hope an OEM will get out of this is really understanding what key partners can bring to the table, where they can fill gaps and where they need to go into the future. So I think cross-industry there’s just an educational and really training gap. And we’re working closely with our partners like Upstream to really raise that level of awareness of what solutions are out there and how those solutions can solve key cybersecurity challenges.
– When it comes to this space of research, something really important for OEMs and tier one and tier two suppliers to recognize and to understand is the risks that they’re facing: the incidents that have happened in the past, the vulnerabilities that, you know, may have already been exposed. And that’s something that’s really important. Where do you see that playing a role when it comes to your involvement with these OEMs and tier ones, that live threat feed and the importance of having a threat feed when it comes to understanding your risk and the cyber threats that you’re facing?
– And Fay, that’s incredibly important. So at SBD our model, for example, when we test a cybersecurity system on day one we have a threat database, we go through that, but we realize that the world changes, right? The criminals change, the threats change, and you really do need to have a threat database that changes over time. So there’s a lot of great sharing we’re seeing across the industry, whether it’s Auto-ISAC or Eight KYC or other organizations, in terms of sharing things like threat intelligence, but solutions from companies like Upstream do an amazing job of creating really a live threat database and updating it over time. So I think some of those threats can be learned from automotive. Other threats can come from parallel industries like consumer electronics, and it’s important as cars stay connected that threat intelligence has to stay current over the lifetime of the vehicles. So that is a great value add, Fay.
– Great. Well, I wanna thank you for joining us. We’re kinda getting short on time. Anything else you wanna add at last, or any last will and testaments for our viewers here?
– No, I think that was great. I think as we think about regulations overall it does seem overwhelming, but you have to start somewhere, right? So please feel free to reach out to me, Upstream or SBD Automotive. We’ll get you on the right path. Thank you so much, Fay.
– Thank you so much. Thanks for joining us today.
– Really appreciated.