
Cybersecurity in Automotive Manufacturing: Can UN R155 and ISO/SAE 21434’s Production Control Plan ensure secure vehicle production?

We are all familiar with automotive manufacturing facilities. We think of assembly lines and aluminium chassis on a conveyor belt, or orange robots picking, assembling and welding components for vehicles. With varying numbers of production workers in between, finished vehicles roll off the line every few hours. This phase of production is a critical point for cybersecurity, which we will explore in more detail in this article.

Paul Rusch

Henry Ford, who is still regarded as the pioneer of assembly line production, would have been pleased with the development of industrial robots in vehicle production: in 2021, there were 1,500 industrial robots for every 10,000 automotive workers in Germany, and twice as many in South Korea. Worldwide, there are now more than one million industrial robots in use in the automotive industry, almost half of them in China alone.

The ever-increasing use of industrial robots in the automotive industry is not only related to efficiency and the increasing digitalisation of vehicles, or the software-defined vehicle. Industrial automation robots on assembly lines are taking on a range of highly complex tasks that go far beyond purely mechanical operations and motion sequences. Critical tasks such as flashing software onto vehicles’ electronic control units (ECUs), testing electrical systems and performing a variety of quality checks using sophisticated sensors and artificial intelligence ensure that vehicles and their components are built and assembled correctly.

This is an indication of the critical role that industrial robots and automation play in vehicle production.

Targeted cyber attacks on automotive manufacturing

With the growth and rapid technological advancement of automotive manufacturing facilities, the attack surface and potential vulnerabilities and security gaps are also growing. In 2020, it was possible to paralyse Honda’s global operations and production in the UK, North America, Turkey, Japan and Italy, forcing production staff to go home. The attack was attributed to the industrial control system malware Ekans, which was able to spread throughout the production network, encrypting and completely blocking Windows-based IT systems.

The globally interconnected automotive industry is a popular target, but of course it is not the only industry that regularly faces cyber attacks. It is therefore legitimate to look at other sectors and their industrial assets to understand and anticipate risks.

In 2019, for example, Norwegian company Norsk Hydro, a Tier 2 supplier of aluminium to the automotive industry, fell victim to the LockerGoga ransomware, which managed to shut down all production equipment at its factories.

Questions about cybersecurity in automotive manufacturing

Therefore, it makes sense for those responsible for ensuring smooth, high-quality production processes to ask themselves the following questions, among others:

  1. What are the possible cyber-specific vulnerabilities and potential points of attack in the given systems and processes?
  2. How far can a cyber attack penetrate a production line?
  3. Can a back-end attack affect the electronic product or vehicle being manufactured, or discover or create a new vulnerability?
  4. What specific threats can arise from suppliers and partners, and how are they assessed and managed?
  5. What do threat monitoring and detection systems need to do?
  6. How does an emergency response system work?
  7. How can we improve our cybersecurity management system to reduce complex risks?
  8. What is the role of the production phase in the overall risk analysis practice?

Of course, the warning finger is not only pointed at production – where the real work is still being done. Many of these issues were not even relevant a few years ago, but with the advances and introduction of intelligent and IIoT manufacturing systems, reliance on the internet and third-party cloud platforms has inevitably found its way into the production halls.

The interdependence between IT/OT convergence and the vehicles produced creates a new complexity when it comes to identifying cybersecurity risks.

Above all, all those involved in the value-added processes associated with the vehicles that will eventually transport people must always keep one question in mind: What happens when the information and operational technologies (IT and OT) are no longer the primary target (e.g. of ransomware), but are only used by attackers as an intermediate target to ultimately compromise the end products for whose production the robot systems are responsible?

It is precisely this fundamental background that is already bringing production facilities and processes into the focus of cybersecurity regulation in the automotive industry.

Relevant regulations & standards for cyber secure vehicle manufacturing

In this context, the most important regulations and standards for the automotive industry continue to be UN Regulation No. 155 and ISO/SAE 21434, complemented by others such as the European Cyber Resilience Act and by similar national and industry-specific regulations that are not automotive or vehicle-specific.

Let’s take a closer look at Clause 12 of ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering. It states that an established production control plan is required to effectively communicate the cybersecurity requirements of a vehicle and its components as early as the development phase, in order to systematically prevent the occurrence of vulnerabilities or cyber risks during the critical production phase.

ISA/IEC 62443 also deserves special attention from a production perspective. It contains a set of cybersecurity standards for industrial automation and control systems. Similar to ISO/SAE 21434, it defines a cybersecurity management system with organisational standards and a holistic approach for managing system and component risks.

Cybersecurity in automotive manufacturing: Are production systems and automotive products in a blind spot?

Modern ECU flash programming systems are typically found on automotive production lines. These systems are used to replace suppliers’ initial cryptographic keys and install several gigabytes of OEM software as part of end-of-line programming. They are typically fully integrated into the existing IT system landscape via Ethernet network architectures.

In other words, we are talking about highly security-critical processes: Because of the cryptographic material, ISO/SAE 21434 indirectly refers to the high security risks associated with Public Key Infrastructures (PKI), with attacks such as the compromise of the private key or the establishment of fraudulent Root Certificate Authorities.
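The key-replacement step described above, as an added illustration that is not code from the article or from any OEM's flashing system: an ECU arrives with a supplier batch key, the end-of-line station replaces it with per-ECU OEM key material, and from then on only images authenticated under the OEM key are accepted, while a release gate catches units that skipped provisioning. Real stations use asymmetric PKI, which is the article's point; this model uses HMAC-SHA256 from the standard library instead (a simplification assumed here), and every key, serial and image value is constructed.

```python
# Added example, not from the article or any OEM tooling. Models end-of-line
# (EOL) key replacement and authenticated flashing with HMAC-SHA256 in place
# of asymmetric PKI (an assumption of this example). Sample values are constructed.
import hashlib
import hmac

# Constructed: a supplier batch key shared by every ECU of a delivery, and an
# OEM production master from which one key per ECU is derived.
SUPPLIER_INITIAL_KEY = bytes(range(32))
OEM_MASTER_KEY = hashlib.sha256(b"constructed-oem-production-master").digest()


def tag(key: bytes, *parts: bytes) -> bytes:
    """Authenticate a message of length-delimited parts (HMAC-SHA256)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(4, "big") + p)
    return mac.digest()


class Ecu:
    """Minimal ECU model: one authentication key and one firmware slot."""

    def __init__(self, serial: str):
        self.serial = serial
        self.auth_key = SUPPLIER_INITIAL_KEY  # as delivered by the supplier
        self.key_replaced = False
        self.firmware_digest = None
        self.events = []

    def replace_key(self, new_key: bytes, auth: bytes) -> bool:
        # Only the holder of the *current* key may install a new one, so a
        # leaked supplier key cannot re-key an ECU the OEM already provisioned.
        expected = tag(self.auth_key, b"REPLACE_KEY", self.serial.encode(), new_key)
        if not hmac.compare_digest(expected, auth):
            self.events.append("key replacement rejected")
            return False
        self.auth_key = new_key
        self.key_replaced = True
        self.events.append("key replaced")
        return True

    def install(self, image: bytes, auth: bytes) -> bool:
        # The manifest binds serial and image digest under the current key.
        digest = hashlib.sha256(image).digest()
        expected = tag(self.auth_key, b"INSTALL", self.serial.encode(), digest)
        if not hmac.compare_digest(expected, auth):
            self.events.append("install rejected")
            return False
        self.firmware_digest = digest
        self.events.append("image installed")
        return True


def oem_key_for(serial: str) -> bytes:
    """Key diversification: one OEM key per ECU, derived from the master."""
    return hmac.new(OEM_MASTER_KEY, serial.encode(), hashlib.sha256).digest()


def provision(ecu: Ecu) -> bool:
    """Station step 1: replace the supplier key, authorised by the supplier key."""
    new_key = oem_key_for(ecu.serial)
    auth = tag(SUPPLIER_INITIAL_KEY, b"REPLACE_KEY", ecu.serial.encode(), new_key)
    return ecu.replace_key(new_key, auth)


def flash(ecu: Ecu, image: bytes, signing_key: bytes) -> bool:
    """Station step 2: install an image authenticated under signing_key."""
    digest = hashlib.sha256(image).digest()
    auth = tag(signing_key, b"INSTALL", ecu.serial.encode(), digest)
    return ecu.install(image, auth)


def release_check(ecu: Ecu, expected_image: bytes) -> list:
    """Station step 3: gate a unit must pass before it leaves the line."""
    findings = []
    if not ecu.key_replaced:
        findings.append("initial supplier key still active")
    if ecu.firmware_digest != hashlib.sha256(expected_image).digest():
        findings.append("installed firmware does not match released image")
    return findings


def run_scenario() -> dict:
    """Constructed walk-through of one provisioned and one skipped unit."""
    image = b"constructed OEM firmware image v1.0"
    good = Ecu("ECU-0001")
    results = {"provisioned": provision(good)}
    results["oem_flash_ok"] = flash(good, image, oem_key_for(good.serial))
    # After provisioning, anything authenticated with the shared supplier key
    # must be refused: image installs and re-keying requests alike.
    results["supplier_key_flash_ok"] = flash(good, b"other image", SUPPLIER_INITIAL_KEY)
    stale_auth = tag(SUPPLIER_INITIAL_KEY, b"REPLACE_KEY", good.serial.encode(), b"\x42" * 32)
    results["supplier_key_rekey_ok"] = good.replace_key(b"\x42" * 32, stale_auth)
    results["release_findings_good"] = release_check(good, image)
    # A unit whose provisioning step was skipped is caught at the release gate.
    skipped = Ecu("ECU-0002")
    flash(skipped, image, SUPPLIER_INITIAL_KEY)
    results["release_findings_skipped"] = release_check(skipped, image)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The release gate is the production-side counterpart of the development requirement "supplier keys replaced": a station that flashes correctly but never checks `key_replaced` before the unit leaves the line would ship ECUs that still answer to a key the whole supplier batch shares.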

Today, many automotive ECUs are developed according to open and standardised architectures such as AUTOSAR, which provides specifications for encryption and secure key architectures for automotive manufacturers and suppliers.

The problem is that the back-end systems of vehicle or component manufacturers unfortunately lack an adequate level of encryption standardisation.

There are many reasons for this, ranging from the more conventional objectives of classical information security in relation to business processes, to the lack of awareness and priority given to cybersecurity in product-related processes and systems, to the ongoing challenges and taboos, particularly in the automotive industry, regarding intellectual property and the continuing reluctance to share knowledge and information.

Are production processes a blank space in cybersecurity regulation?

The purpose of UN R155 is to create a regulatory framework that considers the entire lifecycle of a vehicle, from the first steps of development to decommissioning.

This sounds good on paper, but in practice it does not sufficiently address the holistic ecosystem of modern cybersecurity threats. This “exclusion” of a holistic view of the modern cybersecurity threat landscape, which includes IT, OT and much more, could have devastating consequences.

This is particularly true for back-end systems, which in this context include the production facilities and systems mentioned above. Although the regulation addresses remote updates of vehicles in the field and diagnostic systems, it must be assumed that vulnerabilities and attack vectors that can actually be exploited will continue to pose a threat in everyday operation, even where a genuine attempt is made to comply with UN R155.

Also from an audit point of view (see technical article UN R155 Audit: Checklist and tools for preparing for the CSMS audit), the security controls for production facilities only need to be assessed as “satisfactory” to protect the pre-defined security objectives of the vehicle.

However, if you trace the origins of the cybersecurity requirements for products, they are derived from a risk-based model known as Threat Analysis and Risk Assessment (TARA).

One of the central criticisms of the TARA methodology is that the output of the cybersecurity goals is based only on the subjectively developed risks that are accepted or known in the respective organization. (See also the excursus TARA in vehicle development: 5 weaknesses from a practitioners’ point of view).

When it comes to the detailed analysis, identification and mitigation of cyber-specific risks and vulnerabilities in operational production technologies, it can be assumed that the TARA methodology, as applied in vehicle development practice, is not structured well enough to fully reflect production and the risks that arise there.

The above-mentioned Production Control Plan is also unidirectional (from development to production) and only vaguely addresses the joint identification and assignment of security mechanisms in production to security mechanisms in vehicle development.

In a nutshell: the ISO/SAE 21434 cybersecurity management work products, even if "properly executed", may not adequately reflect the actual cybersecurity vulnerabilities and may still allow potential cyber attackers to gain the upper hand.

Step by step: Dynamic Cybersecurity Management as a driver for production security

It should be noted that the ongoing modernisation of production processes for vehicles and their components must and will continue to evolve in terms of cybersecurity. This is simply because the Cybersecurity Management System (CSMS) must be understood as a dynamic management system in which gaps are found and processes are improved.

The popular marketing slogan from the world of information security “It’s not a question of if, but rather when” can and should also be applied to production plants, manufacturing facilities and assembly line processes. In addition to the constant focus on optimising the efficiency of production processes, it is also essential to increase resilience and robustness.

Specifically: Tips and recommendations for a better production control plan according to ISO/SAE 21434

To be able to carry out continuous analysis and adjustments, which can also be seamlessly integrated into existing production processes, the right levers must be systematically set. This usually requires a combination of technological/methodological approaches, process design and, last but not least, the awareness and willingness to understand and address the relevant issues.

The following ideas are intended to show how the production control plan can be strengthened and raised to a higher level in accordance with ISO/SAE 21434:

  • Understand the production control plan for cybersecurity in production as a joint work product, shared between product development and production stakeholders.
  • Don’t wait until the end of development to start the production control plan. Start early and regularly review the security requirements, installation procedures and protection measures for components.
  • Just as it is important for development teams to perform cybersecurity TARAs, it is also important for production stakeholders to perform an ISA/IEC 62443-3-2 System Security Risk Assessment.
  • Ensure that the OT cybersecurity risk assessment includes the identification of production equipment, zones and lines for subsequent security levels, requirements and control placement.
  • Validate and test production system security controls, if possible during simulated production processes.
  • Ensure that relevant vulnerability assessments are reviewed by both product and production sites post-production to provide synchronised improvements for updates, configuration, changes or future series or re-use opportunities.
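The recommendations above, as an added example that is not from the article, from ISO/SAE 21434 or from IEC 62443: a small traceability check that treats the production control plan as a joint work product. Each development-side requirement (TARA output) must be implemented by at least one production control, each control must sit in a zone defined by the OT risk assessment whose target security level (SL-T) is high enough for the requirement, and each control must have been validated in a simulated production run. The data model, field names, SL numbers and the sample records are all constructed assumptions of this example.

```python
# Added example, not from the article or from any standard's text. A
# traceability check over a constructed production control plan: development
# requirements versus production controls, IEC 62443 zones and validation status.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Requirement:
    """A cybersecurity requirement handed from development to production."""
    rid: str
    text: str
    min_sl: int  # lowest SL-T a zone may have to host the implementing control (assumed field)


@dataclass
class Zone:
    """A zone from the IEC 62443-3-2 style OT risk assessment."""
    name: str
    sl_target: int  # SL-T assigned to the zone


@dataclass
class Control:
    """A production-side security mechanism, mapped back to requirements."""
    cid: str
    text: str
    zone: str
    implements: List[str]  # requirement ids this control covers
    validated: bool = False  # exercised in a simulated production run?


def check_plan(reqs: List[Requirement], zones: List[Zone], controls: List[Control]) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    req_by_id = {r.rid: r for r in reqs}
    zone_by_name = {z.name: z for z in zones}
    covered = set()
    for c in controls:
        z = zone_by_name.get(c.zone)
        if z is None:
            findings.append(f"{c.cid}: zone '{c.zone}' is not defined in the OT risk assessment")
        for rid in c.implements:
            r = req_by_id.get(rid)
            if r is None:
                # Production references something development never specified:
                # the two sides are out of sync and must reconcile.
                findings.append(f"{c.cid}: references unknown requirement {rid}")
                continue
            covered.add(rid)
            if z is not None and z.sl_target < r.min_sl:
                findings.append(
                    f"{c.cid}: zone {z.name} has SL-T {z.sl_target}, below SL {r.min_sl} required by {rid}"
                )
        if not c.validated:
            findings.append(f"{c.cid}: not validated in simulated production")
    for r in reqs:
        if r.rid not in covered:
            # The unidirectional gap the article describes: a development
            # requirement that no production mechanism picks up.
            findings.append(f"{r.rid}: no production control implements it")
    return findings


def sample_plan() -> Tuple[List[Requirement], List[Zone], List[Control]]:
    """Constructed sample records, deliberately containing several gaps."""
    reqs = [
        Requirement("REQ-01", "Supplier initial keys replaced by OEM keys at end of line", 3),
        Requirement("REQ-02", "ECU debug interface locked after final test", 2),
        Requirement("REQ-03", "Only authenticated OEM images are flashed", 3),
        Requirement("REQ-04", "Flash station logs forwarded to security monitoring", 2),
    ]
    zones = [Zone("Z-EOL-flash", 3), Zone("Z-body-assembly", 1)]
    controls = [
        Control("CTL-01", "Key replacement and authenticated flashing at EOL station",
                "Z-EOL-flash", ["REQ-01", "REQ-03"], validated=True),
        Control("CTL-02", "Debug lock applied by body-assembly test rig",
                "Z-body-assembly", ["REQ-02"]),
        Control("CTL-03", "Paint-shop PLC hardening", "Z-paint", ["REQ-09"]),
    ]
    return reqs, zones, controls


if __name__ == "__main__":
    for line in check_plan(*sample_plan()):
        print(line)
```

Running the sample reports six findings: a control in a zone whose SL-T is too low, a control placed in a zone the OT risk assessment never defined, a reference to a requirement development never issued, two controls that were never validated, and one requirement with no production counterpart at all. That last category is exactly what a unidirectional plan cannot surface.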

Yes, what happens (or doesn’t happen) in manufacturing and what is considered in the sometimes abstract realm of cybersecurity management often seem like separate worlds. And yet they are closely intertwined. The interplay between setting the course for cybersecurity, integrating IT and considering production processes requires the expertise and involvement of all parties. A collaborative approach is the key to efficient and future-proof production.
