Achieving Automated TISAX Compliance and Audit Preparedness
Digital attackers are increasingly targeting the automotive industry. In its 2020 Automotive Cybersecurity Report, for instance, Upstream found that the number of annual automotive cybersecurity incidents had increased by 605% since 2016, with the number of incidents has doubled in 2019 alone.
More than half (57%) of those security incidents involved cybercriminals who attempted to disrupt businesses, steal property and demand ransoms by targeting keyless entry systems, backend servers and mobile apps. Together, those attacks compromised companies in every stage of the automotive supply chain including original equipment manufacturers (OEMs), fleets, telematics and after-market service providers.
The Changing Automotive Security Landscape
International institutions are taking steps to help automotive organizations to defend themselves against black hat hackers and other digital threats. On June 23, for instance, the United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations adopted two new regulations designed to help organizations confront the cybersecurity threats confronting connected cars.
Those regulations, which entered into effect in January 2021, provide organizations in the automotive sector with a framework for identifying digital security risks, regularly update risk assessments and respond to digital attacks, along with implementing other processes.
Automotive digital security is also on the minds of individual nation-states. An example of this the Trusted Information Security Assessment Exchange (TISAX). Since 2017, TISAX has acted as an assessment and exchange mechanism through which organizations can submit to audits in compliance with the information security requirements catalogue developed by German automotive group Verband Deutscher Automobilindustire (VDA).
That catalogue, known as the VDA Information Security Assessment (VDA ISA), applies to companies that touch any point of the German automotive supply chain. Its industry-wide enforcement applies to auto manufacturers and OEMs, but it reaches further than that to encompass partners and suppliers, as well.
Even if companies aren’t based in Germany and produce only a single microchip that will ultimately end up in a German vehicle, their network still falls under the purview of those requirements, so they need to use TISAX to complete an information security assessment.
Why a Pre-Audit Sprint Isn’t the Way to TISAX Compliance
Supply chain managers who are responsible for controlling the digital environment of the supply chain know they need to produce evidence of TISAX compliance for their OEM in the form of an audit certificate. If a satisfactory audit certificate can’t be provided, supply chain managers can lose access to their OEM’s technology environments, hindering their ability to conduct business as usual. So naturally, companies are willing to pour significant resources into audit preparation in order to reach their targets.
But taking this kind of approach to audit preparation comes with its drawbacks, as well. Audit preparation for pertinent companies can take IT teams away from their regular work for weeks and even months at a time. Focused on producing evidence of TISAX compliance across the network, these pre-audit sprints not only drain time and resources, but they also produce compliance levels only for a specific point in time.
Automating TISAX with Tripwire Enterprise
Instead of throwing all you have at cultivating short-term compliance, teams can use Tripwire® Enterprise in order to maintain truly continuous compliance and stay audit-ready year-round. Tripwire Enterprise is a security configuration management (SCM) suite that provides fully integrated solutions for policy, file integrity and remediation management. Once Tripwire Enterprise is installed in an environment, it uses the TISAX policy against a current configuration state and automatically alerts on non-compliant assets with instructions for remediation. It provides continuous—rather than point-in-time—compliance.
Provided below are some additional benefits on how Tripwire Enterprise can help organizations to achieve and maintain TISAX compliance:
- Speed up audits and reduce audit preparation
- Be 24/7 complaint and improve cybersecurity
- Use cybersecurity resources more efficiently
- Use compliance as an easy-to-measure KPI
- Track compliance and configuration drift
- Get clear, automated change documentation
Organizations can use Tripwire Enterprise to monitor for multiple compliance policies at once. For example, they may need to apply policies for TISAX, ISO27001 and IEC62443 in tandem. Tripwire Enterprise provides access to the broadest available library of platform and policy combinations to ensure compliance is enforced comprehensively across the whole environment. For easier implementation and deep visibility into the compliance state of operational technology (OT) environments, Tripwire Enterprise also integrates into Tripwire Industrial Visibility.
Why is SCM Critical for Continuous Compliance?
Monitoring the configuration state within a network is a twofold beneficial process: it ensures continuous compliance with compliance standards like TISAX, but it also staves off potential cyberattacks and breaches by keeping configurations secure. When done right, SCM automatically monitors the configurations of organizations devices against a known baseline and issues an alert when there’s configuration drift. Those instances of drift could trace back to malicious actors who are attempting modifying network devices as part of their attack chain.
With SCM, security teams can act upon that information to investigate configuration changes quickly. This security control can therefore do much more than just help professionals return their employer’s device configurations to the desired state. Indeed, it can help them to spot a potential security issue and take remediation steps before it balloons into a security incident.
Summary
Tripwire’s SCM suite, Tripwire Enterprise, contains a pre-built policy for TISAX that organizations can leverage for continuous compliance and audit-preparedness, enforce multiple compliance policies across their environment and take advantage of the cybersecutity benefits that arise from TISAX compliance.
For more information on how Tripwire can help your organization with your TISAX compliance obligations, click here.