Cyber Security Management Systeme (CSMS)

As a consequence, the call for uniform standards is becoming increasingly louder. The EU Cybersecurity Act initiated in 2019 focused on cybersecurity management systems and Software Management Update Systems in a UNECE working group. This working group is concerned with the global harmonization of vehicle regulations.

One result of this: In collaboration with the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE), the UNECE is creating a certification for Cybersecurity Management Systems (CSMS). The ISO/SAE 21434 standard is currently in "approval status" and is expected to apply to newly registered vehicle types from mid-2022 and to all newly produced vehicles from 2024. The goal is to specify a structured process for CSMS at automakers and in-vehicle cybersecurity that reduces the success rate of hacking attacks and establishes a standard against cyber threats in the automotive industry. The requirement for cybersecurity thus increases from individual features to entire management systems – ergo from project to organizational level. This standard does not specify cybersecurity technologies or concrete methods. Instead, it suggests an approach for prioritizing cybersecurity activities and the recording of measures.

The principles laid down in UN Regulation 155 and the ISO/SAE 21434 standard apply in Germany as a prerequisite for type approval (homologation) by the Federal Motor Transport Authority (Kraftfahrtbundesamt) and by the corresponding bodies in all UNECE member states and recognizing third countries.

Four areas are described in the ISO/SAE 21434 standard:

• The management of cyber risks from the vehicle and its environment
• The inherent safeguarding of a vehicle and its value chain
• Establishing a cybersecurity incident response system to identify and address cybersecurity incidents
• Remote software updates for an up-to-date software status

In practice, this means that a management system for cybersecurity and remote software updates certified by independent auditors is a prerequisite for the approval of new vehicle types. Certification is relevant for OEMs and suppliers alike. The standard differentiates between a CSMS for the organization and the application of the CSMS at product level. In terms of content, companies can use the sections of the standard as a guide when creating a CSMS in the future: These address the creation of a (1) CSMS concept, its (2) management, (3) risk determination methods, the integration of cybersecurity aspects in (4) product development, and (5) production, operation, and maintenance.

Accordingly, a cybersecurity management system comprises various processes at organizational and project level. In detail, it is about the identification, assessment and treatment of cyber risks in an appropriate timeframe over the entire lifecycle of a vehicle. Ultimately, the entire CSMS must be validated alongside a SUMS by an independent third party for type approval clearance. The implementation of UN Regulation 155 covers several areas – from the concept phase, product development, cybersecurity systems management, risk determination methods, production, operation and maintenance, and supporting processes.

msg has in-depth IT and industry expertise. Experts in the areas of cybersecurity and software update management systems as well as electrics/electronics support our customers in identifying relevant regulations, in evaluating company-specific processes and homologation procedures up to obtaining type approval. Consulting, conception, functional specification up to the implementation of IT systems – we are ready to help.