ENX VCS versus ISO 21434: Vehicle Cyber Security Audit

• The importance of the new regulations for cyber security in the automotive industry
• What problems do the new regulations address?
• ISO/SAE 21434 certification as a solution?
• Requirements for CSMS audits according to ISO/PAS 5112
• Why the VCS audit was developed by ENX
• Advantages of ENX VCS
• Conclusion: ENX VCS is a sensible way to set the course
• DQS: your reliable partner for certification

The importance of the new regulations for cyber security in the automotive industry

With the new automotive cyber security regulations, binding requirements will apply to all newly manufactured vehicles from July 2024. If the requirements are not implemented, the respective model series will not receive type approval. Holistic cyber security, as intended by the authorities with the mandatory implementation of a Cyber Security Management System (CSMS), encompasses all vehicle components.

Most of the components installed in vehicles originate from the automotive manufacturers' supply chain. UN R 155 makes these manufacturers responsible for the cyber security of the components they supply. However, they can only influence the cybersecurity of the components through their contractual agreements with the suppliers. As part of their risk management, vehicle manufacturers are therefore dependent on clear contracts and meaningful audits of their suppliers in order to guarantee and maintain the necessary cybersecurity in the long term.

What problems do the new regulations address?

The introduction of UN R 155 (and UN R 156, which focuses on software updates) by the legislator draws attention to several complex issues that exist in relation to software-controlled components of road vehicles and cybersecurity:

• How can it be ensured that software for operating such components is designed, developed, and implemented securely?
• How is a component equipped with only the intended software version in the production process, and how are the relevant production systems required to equip the components with software protection?
• How can it be monitored that security events in the components are recorded and threats can be effectively remedied by updates even after ten years?

ISO 21434 certification as a solution?

To answer these questions, UN R 155 mentions establishing a cyber security management system (CSMS) in accordance with ISO/SAE 21434 at vehicle manufacturers. A management system is a set of processes and procedures used to manage and control a company or organization effectively.
For the purposes of the standard, the term "cyber security" in the automotive industry refers specifically to the protection of computer systems, networks, and their data in road vehicles. This includes measures and strategies to ensure the security and integrity of digital systems used in vehicles.

To ensure cybersecurity, the standard specifies processes and procedures for a CSMS in security design, product development, product maintenance, risk detection, hazard prevention, product disposal, and the associated continuous processes. Thus, the standard provides a comprehensive architectural model of a CSMS, including a process model for assessing risks in cybersecurity, which is referred to as Threat and Risk Analysis (TARA).

Below, you can find out what arguments oppose a pure ISO/SAE 21434 certification to fulfill the requirements of UN R 155.

Requirements for audits using ISO/PAS 5112

ISO/SAE 21434 leaves much room for interpretation regarding how to audit a CSMS. As each audit provider creates its own audit program for the ISO 21434 standard under the regulations of its accreditation body, ISO/PAS 5112 made it necessary to standardize the auditing process for an organization's cyber security and CSMS.

ISO/PAS 5112 contains general guidelines for managing an audit program and provides organizations with the necessary information on planning and implementing an audit. It also defines the competencies of CSMS auditors and explains how the implementation of the standard can be verified.

Why the VCS audit was developed by ENX

Despite these efforts to improve standardization, the resulting cybersecurity audit programs in the automotive industry still vary widely.

Against the background of deeply integrated supply chains with multiple contractual partners, the non-comparable audit programs pose a major problem for vehicle manufacturers. Manufacturers need to be able to rely on the results of supplier audits of the cyber security management system (CSMS) for their risk management.

ENX has recognized this need and developed a solution in cooperation with the automotive industry by implementing a globally standardized audit program called ENX VCS (Vehicle Cyber Security). ENX has used its member network to adapt the audit program to the specific requirements of the industry

At the same time, ISO/SAE 21434 alone is not sufficient to meet all the regulatory requirements of UN R 155. Although UN R 155 refers to ISO/SAE 21434 as an example of the processes of a CSMS, it also requires that the capabilities of the CSMS must be maintained on an ongoing basis:

• UN R 155, Chapter 7.2.2.3: Cyber threats and vulnerabilities requiring a response by the vehicle manufacturer shall be addressed within a reasonable timeframe.
• UN R 155, Chapter 7.2.2.4: The vehicle manufacturer shall demonstrate that the procedures applied in its cybersecurity management system ensure that the monitoring referred to in paragraph 7.2.2.2 g) occurs regularly.

The abovementioned requirements can only be realistically fulfilled in the long term if an information security management system (ISMS) is operated alongside the CSMS, which permanently ensures information security throughout the company. For this reason, ENX VCS always requires that the development sites must also have passed a TISAX assessment. In this way, the audited supplier can sustainably demonstrate the fulfillment of its due diligence obligations through risk-conscious and risk-averse management.

Advantages of ENX VCS

1:1 implementation of ISO 21434 and ISO/PAS 5112

The good news first is that anyone who has been following ISO 21434 and ISO/PAS 5112 in terms of automotive cybersecurity is already on the right track. The requirements of the two standards are - mathematically speaking - a genuine subset of the VCS specifications. This means that all the requirements of the two ISO standards can be found 1:1 in ENX VCS Vehicle Cyber Security.

Compared to the ISO audits, however, ENX VCS enables a comparable procedure model. In order to ensure comparable processes globally across all audit providers, ENX also published specific "Audit Provider Criteria & Assessment Requirements" (ACAR VCS 1.0) and a binding VCSA audit catalog 1.0 at the launch of the program. These include, among other things:

• The organizational audit of the CSMS regulations (primarily document and process audits),
• The creation of a risk-oriented sample of projects that deal with the cyber security of components,
• The sample of projects is used to check whether the CSMS regulations are consistently applied in VCS projects. It includes, for example, interviews with team members of the engineering team and the review of their work results.

Standardized competencies

ACAR also defines globally standardized competence requirements and role descriptions for auditors and experts:

• VCS Lead Auditor
• VCS Expert

The knowledge of a VCS expert must always be represented in the VCS audit team. During the interview phase, the expert takes over the conversation with the engineering teams to make a professional assessment of the activities and work results possible.

Role-oriented auditing

In the tradition of TISAX®, ENX VCS also considers the various roles that suppliers can play in providing cyber security-relevant components in the form of a new system for VCS labels. In this way, a supplier only has to meet those requirements of the VCSA assessment catalog that are appropriate to its respective role:

• VCS Development
• VCS Production
• VCS Operations & Maintenance

Comparable efforts

The ENX VCS labels are valid for three years and do not require surveillance audits. In contrast, audits in accordance with ISO/SAE 21434 require a (re-)certification audit over three years and two annual surveillance audits with corresponding travel expenses.

Agility

In contrast to the ISO standard, ENX VCS also promises greater agility when adapting to new requirements. The ACAR regulations are usually subject to a mandatory revision once a year, which must be implemented by all VCS audit providers.

Conclusion: ENX VCS as a sensible way to set the course

In summary, the ENX VCS audit program enables a globally improved implementation of auditing in accordance with the requirements of ISO/SAE 21434 and ISO/PAS 5112. The increased global comparability of the new label ensures significantly increased confidence in the certification and in the implementation of the cyber security requirements of UN R 155.

DQS: your reliable partner for certification

As one of the most experienced German service providers for the certification of management systems, DQS has been working with ENX for many years and was also directly involved in developing the new audit program. During the long development period leading up to the program's publication, DQS gained valuable experience in a large number of trial audits and is, therefore, ideally prepared to audit your CSMS on the basis of the VCS specifications.

Take advantage of our experts' knowledge and learn all you need about ENX VCS and its significance for your company. With more than 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner and provide answers to all questions relating to data protection and information security.