The Multi-Layer Complexity of Cybersecurity for The Automotive Supply Chain

Thousands and thousands of components go into the assembly of contemporary vehicles. It is impossible for any original equipment manufacturer (OEM) to produce all these components themselves. The demand for just-in-time delivery and customization for all these parts has created a huge, unusually integrated supply chain.
If even one supplier experiences a cybersecurity breach, the impact can be exponentially damaging for the automotive industry. The weeks of plant downtime not only cause huge production losses for that supplier, but they also create a ripple effect impacting production and supplier relations further down the chain. Not to mention, the entire supply chain could be exposed to a devastating cyberattack. Most important of all is the potential to jeopardize human safety.
Unfortunately, there are gaps in operational technology (OT) cybersecurity that are growing more common in the manufacturing process of the automotive supply chain. The introduction of increasingly innovative and powerful systems in the plants, as well as more connectivity across and beyond the vehicles themselves, is widening the gaps.
Plant and security managers are often stunned to discover the range of vulnerabilities that exist under their watch. What actionable steps can they take to make definitive and quick progress in closing the gaps and ensuring protection from supply chain threats?
Automotive manufacturers cannot afford to be merely responsive to cybersecurity events or new regulations that come their way. They need a proactive and practical approach forward to ensure uninterrupted operations and revenues.
Surprisingly Common Security Gaps
The OT environments for most companies in the supply chain are complex and untouchable with a mentality of “if it isn’t broken, don’t fix it.” Many of today’s automotive plants contain a variety of hardware and software systems with widely differing ages, operating systems (OSs), and capabilities.
For example, some of the robotic technologies that are being installed in the plants are among the most modern and innovative industrial control systems (ICSs) found in any manufacturing sector globally. They rely on new OSs, which require different patching and firmware levels.
Step over to the next production line in the same plant, and it’s common to find assets that are decades old. While such a legacy system could be critical for the manufacturing process, it might still be running an old OS that is no longer being updated or patched by its vendor.
Responsibility for OT maintenance and cybersecurity in the manufacturing process of the automotive supply chain usually falls to traditional information technology (IT) network or OS support. As a result, there is often literally no one who is directly responsible for what is getting plugged into the OT network on the floor. Furthermore, because there is rarely a strong relationship between the two worlds, very little OT knowledge resides on the IT side, or vice versa.
The automotive manufacturer is often under the dangerous misperception that both its IT and OT networks are being secured—when, in fact, the company does not have nearly the visibility to protect its own OT processes, much less those of its connected vendors and partners. Indeed, it is usually an OEM’s Tier 1 and Tier 2 suppliers whom cyber attackers target in the automotive industry.
Actionable Steps to Seize Control
How can an automotive manufacturer gain visibility across its OT landscape and begin to put in place practical and effective processes? The good news is that there are key strides that can be made in short order to get out in front of the evolving challenges that they will face in the months and years ahead:
- Walk the plant floor and open the cabinets—The first step is often the most eye-opening. Plant personnel and support vendors will do what they need to do in order to get a system up, running and connected, including remote access points. Often, in the wake of that process, there are wide-open, unsecured internet connections left behind into the manufacturer’s network.
- Shore up and lock down—It is crucial to adopt a solid security practice around the maintenance routine across the asset lifecycle of existing equipment and to make sure that there are safe mechanisms for secure file transfer. When they do not have remote access, vendors often bring in unsecure USB sticks to load code or software patches on their equipment. Tightening perimeter security and, as necessary, locking down OT endpoints is a key second step.
- Prioritize the most vulnerable and meaningful gaps—The OT networks in the automotive supply chain are typically flat. A cyber attack on one system often can impact other plants and systems across the network of suppliers and partners. Automotive manufacturers must assess the potential harm of various threats—i.e., if Machine X goes down or Process Y fails, what is the risk of a downward cycle?—and prioritize actions such as network segmentation that would do the most to mitigate damage across the supply chain.
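The prioritization question in the last step ("if Machine X goes down, what is the risk?") can be worked through on an asset inventory. The following is an added example, not from the article or from TXOne: the asset names, zones, conduits and cost figures are constructed, and spread is modelled simply as "any asset in the same zone, or across an explicitly allowed zone-to-zone conduit".

```python
from collections import deque

# Constructed inventory: asset -> (zone, production processes that stop if it fails).
ASSETS = {
    "robot-cell-1":  ("body-shop", {"welding"}),
    "legacy-plc-7":  ("paint",     {"paint-line"}),
    "hmi-paint":     ("paint",     {"paint-line"}),
    "vendor-laptop": ("remote",    set()),
    "mes-server":    ("ops",       {"welding", "paint-line", "final-assembly"}),
}
# Constructed cost per hour of each process being down (arbitrary units).
COST = {"welding": 5, "paint-line": 3, "final-assembly": 8}

def reachable(start, zones, conduits):
    """Assets an incident at `start` can spread to, following zones and conduits."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in zones:
            if other in seen:
                continue
            same_zone = zones[cur] == zones[other]
            allowed = (zones[cur], zones[other]) in conduits  # directional
            if same_zone or allowed:
                seen.add(other)
                queue.append(other)
    return seen

def impact(start, zones, conduits):
    """Hourly cost of every process that depends on an asset in the blast radius."""
    halted = set().union(*(ASSETS[a][1] for a in reachable(start, zones, conduits)))
    return sum(COST[p] for p in halted)

def rank(zones, conduits):
    """Assets ordered by the damage an incident starting there would cause."""
    return sorted(((impact(a, zones, conduits), a) for a in ASSETS), reverse=True)

# Flat network: every asset shares one zone, so any incident reaches everything.
FLAT = {a: "plant" for a in ASSETS}
# Segmented: one zone per area, with only the conduits operations actually need.
SEGMENTED = {a: zone for a, (zone, _) in ASSETS.items()}
CONDUITS = {("remote", "paint"), ("ops", "body-shop"), ("ops", "paint")}

if __name__ == "__main__":
    print("flat:     ", rank(FLAT, set()))
    print("segmented:", rank(SEGMENTED, CONDUITS))
```

In the flat model every starting point scores the same, so nothing can be prioritized; once zones and conduits are defined, the ranking shows which asset and which conduit deserve attention first.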
The question is not whether it’s necessary to strengthen OT cybersecurity in automotive manufacturing—rather, it’s how and where to get started. Plant and security managers cannot afford to be stymied by the complexity and scope of the clear challenges facing them and wait for new events or regulations to force their hands. There are practical, low-risk steps to be taken today in getting started, and they can enable automotive manufacturers to very quickly realize value in an investment in OT cybersecurity.
About the Author
As Technical Director, Americas at TXOne Networks, Austen Byers leads the company’s efforts in providing design, architecture, and engineering technical direction and leadership.
Austen is a sought-after thought leader in operational technology (OT) cybersecurity with more than 10 years in the cybersecurity space. He has spoken at numerous industry events as a subject-matter expert to provide insight into the state of industrial cybersecurity and the intricacies of OT breaches, and to provide strategies to help organizations keep their assets and environments safe.
Austen can be reached at [email protected] and https://www.txone.com/.