Today's vehicles are computers on wheels; therefore, they are exposed to the risks of a cyberattack. New regulations emerged in July 2024 to ensure comprehensive automotive cyber security across the entire automotive industry supply chain. The ENX Association has published the new Vehicle Cyber Security Audit (VCSA) to support OEMs and suppliers in implementing the new requirements.

This article was first published in the German "QZ - Quality and Reliability" journal, vol. 69 (2024)


The digital transformation has made vehicles more efficient and safer. Through electronic control systems and constant networking, they have also become targets for cyber criminals. Critical systems could be attacked, with potentially fatal consequences. Despite the strictest software development standards, even in aviation, there is no guarantee of error-free software. However, software control allows a quick response to quality problems - updates can now be made over the air (OTA) virtually overnight.

Binding cyber security regulations

In order to counter increasing cyber threats, the United Nations adopted UNECE R 155 and 156, which include the implementation of a Cyber Security Management System (CSMS) and a Software Updates Management System (SUMS) respectively. The regulations are intended to ensure cyber security throughout the entire life cycle of a model and along the entire supply chain. In the EU, the regulations have been mandatory for all newly manufactured vehicles since July 2024.

ENX VCS - worldwide audit program for ISO/SAE 21434

With ISO/SAE 21434 (Road Vehicles - Cybersecurity Engineering), an attempt was made in the course of the UN regulations to create a guideline and proof of conformity for compliance with the regulations. In practice, however, the respective audit programs of the testing service providers proved to be too different - despite the specifications of ISO/PAS 5112. Manufacturers therefore still lacked the opportunity to provide the legislator with reliable and comparable evidence of the compliance of their suppliers - who in turn had problems proving compliance with their contractual provisions on the basis of a comparable test basis.

This is why the ENX Association (an association of European automotive manufacturers, suppliers and associations) has designed the ENX VCS audit program. ENX VCS audits the implementation of a vehicle Cyber Security Management System (VCSMS) in accordance with ISO 21434 and ISO 5112. Its decisive advantage: the VCS audit is standardized worldwide and can be adapted more quickly to new challenges than an ISO standard. A group of international experts regularly reviews the audit program to keep it up to date.

 


Standardized audits - comparable results

With the standardized ENX VCS audit, companies avoid unnecessary, not least financial, expenses that can arise from multi-plane audit processes and divergent audits. To ensure globally comparable processes across all audit providers, ENX also published specific Audit Provider Criteria & Assessment Requirements (ACAR VCS) and a binding audit catalog for Vehicle Cyber Security Audits (VCSA) at the launch of the program. These define a series of mandatory competencies and a binding procedural model for VCS auditors - in addition to the organizational audit of the V-CSMS regulations, for example, a mandatory document and process audit - and the formation of a risk-oriented random sample of all cyber security-relevant projects. The engineering teams responsible for the projects in the sample are then interviewed by the auditors and experts. The team's work results are reviewed to ensure that the V-CSMS is actually used in practice. Once the successful test has been completed, the companies can apply to ENX for a corresponding VCS label and make it available to interested parties via the ENX exchange mechanism.


TISAX® and VCS work in tandem

Structurally, the VCS audits with the ACAR VCS are based on the established automotive standard TISAX®. The two audit mechanisms complement each other: while TISAX® assesses information security in a company, the VCS label confirms the cyber security of vehicle components. Similar to TISAX®, the VCS audit takes into account the various roles of suppliers in the provision of cyber-relevant components. Each supplier must therefore only meet the requirements of the VCSA audit catalog that correspond to their actual, specific role. A distinction is made between different labels:

  • VCS Development: The company carries out the secure development of VCS components - from integrating the system into the general safety architecture through to safe implementation and the safe transition to production.
  • VCS Production: The company produces VCS components and ensures their secure configuration and software equipment.
  • VCS Operations & Maintenance: The company is entrusted with log data from the vehicle fleet, which allows problematic operating conditions or specific security incidents to be identified. This label is also suitable for companies that need to keep their VCS components up to date.

Proof of conformity according to ENX VCS

As part of the VCS audit, OEMs and suppliers can have their V-CSMS audited by approved audit providers and receive a VCS label from ENX that is valid for three years. The increased global comparability of the new labels strengthens confidence in the conformity of the V-CSMS with the UNECE R 155 cyber security specifications, enabling companies to clearly demonstrate their compliance to authorities and business partners and contribute to comprehensive automotive cyber security. It pays to act quickly here: During the introductory phase, registration for the ENX VCS audit is free of charge.

DQS - Simply leveraging Security

DQS was founded in 1985 as Germany's first certification body. Since then, we have been one of the world's leading audit and certification experts. The founding partners DGQ (Deutsche Gesellschaft für Qualität e. V.) and DIN (Deutsches Institut für Normung e. V.) are important partners for training and further education as well as standardization work.

We are actively involved in committees and bodies on behalf of our clients and contribute our expert knowledge to our audits. Our claim begins where audit checklists end. Take us at our word.

Trust and expertise

Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions for our author about the text content or our services, we look forward to hearing from you.

Source:  www.qz-online.de (Germany's leading periodical for quality management).

Author
Holger Schmeken

Product Manager for TISAX® and VCS, Auditor for ISO/IEC 27001, Expert for Software Engineering with more than 30 years of experience, and Deputy Information Security Officer. Holger Schmeken holds a Master's in Business Informatics and has extended audit competence for Critical Infrastructures in Germany (KRITIS).
