Responding to policy trends with encryption investments that bring organization-wide returns
The EU’s General Safety Regulation II (GSRII) and a handful of adjacent regulations unofficially assign a new identity to manufacturers in the automotive industry: data processors. In addition to handling traditional engineering, manufacturing and supply chain responsibilities, these organizations have no choice but to move cybersecurity higher up the priority list. For those with access to the right expertise, solutions and strategies, the return on that investment can elevate their entire business.
If GSRII is any reflection of automobiles today and tomorrow, then vehicles are truly the sum of their parts…the sum of their systems, that is.
GSRII unhesitatingly views vehicles as smart constellations of connected systems. It outlines expectations for mainstream automated and driverless vehicles—first, by multiplying the number of systems required: intelligent speed assistance, driver drowsiness and attention warnings, advanced driver distraction warnings and event data recording.
The list continues: lane departure warning systems, driver availability monitoring systems, systems for sharing safety information with other drivers, systems to replace driver control, frontal protection systems… These systems come with their own set of specifications related to anonymization, error rates, reporting, overrides and more.
What regulators want: demonstrable processes
The invasiveness of these systems compounds the importance of cybersecurity, as seen in GSR’s top three priorities:
- Maturity of technology
- Data recording
- Cybersecurity measures
While the automotive arena faces differing regulations across markets, many share similar visions with regard to said “cybersecurity measures.” Regulators often display common tendencies:
- Viewing vehicles as a constellation of connected smart systems
- Treating manufacturers as data processors
- Expecting comprehensive, demonstrable cybersecurity processes
On that last point, regulators expect to see demonstrable, informed processes, including data security mitigations, encryption key management practices, emergency response plans and action plans in the case of a breach. In general, they want manufacturers to be able to prove that they have a solid system in place that addresses core capabilities:
- Assess risk
- Monitor threats
- Mitigate risk
- Prepare for emergencies
- Respond to attacks
Cybersecurity investment for business-wide returns
Complying with industry regulations requires proactive decisions and planning by organizations. Significant investment in cybersecurity, even with regulations as added encouragement, proves to be a tough sell. Instead, organizations should view cybersecurity upgrades as upgrades to the entire business:
- Reducing redundancies
- Cutting costs
- Improving efficiency
- Supporting resilience
- Driving innovation
In the experience of Keys&More, a KMS and PKI technology partner powered by government-owned innovator INCERT, organizations enjoy these broad benefits and more by unifying their encryption practices in one place.
The journey toward achieving regulatory mitigations brings opportunities to gain competitiveness and profitability. But this hinges on partnering with experienced cryptographic experts like Keys&More for the development of solutions and strategies. Cybersecurity today is all about secure data management, with encryption as the mechanism.
Understanding data security tools: tokenization, encryption, key management & PKI
Today’s automotive manufacturers are also data processors: GSRII expects automobiles to gather certain data, and systems interact by sharing data. Manufacturers should be equipped not only to store data securely but also to exchange it securely, for example with other OEMs and supply chain collaborators.
This is done via encryption: encryption and decryption, made possible thanks to public and private (secret) keys—one to encrypt and the other to decrypt. The success of encryption presumes that keys are secured by a key management system (KMS). Without secure keys, encryption falls apart.
So, a fundamental building block of cybersecurity is encryption key management, often supported by similar technologies, like tokenization and PKI technology. When compiling a data strategy, how do they all fit together? Here’s an overview:
- Tokenization: The process of replacing sensitive data with non-sensitive tokens that can be shared in its place without compromising the original source
- Encryption: The process of converting the data itself into code before sending it
- PKI: Public Key Infrastructure encompasses the technologies behind encrypting and managing public keys, particularly in enabling digital signatures and authentication
These technologies generally work in unison. For example, data may be tokenized and shared, but the source data could still be secured by encryption and PKI technology.
Organizations typically use tokenization to protect individual pieces of data, like a credit card number. Because tokens cannot be reverse engineered back into the original data, businesses can potentially reduce risk and regulatory demands. It remains to be seen what advantages tokenization and blockchain might unlock for manufacturing, namely supply chain traceability. Encryption, on the other hand, is the lifeblood of secure, software-defined vehicles.
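The tokenization property described above can be seen in a small vault-based sketch. This is an added example, not code from Keys&More or any product named on this page; the `TokenVault` class, the `share_records` helper and the sample VINs are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Vault-based tokenization: tokens are random, the mapping lives only here."""

    def __init__(self):
        # Key for the lookup index; it never leaves the vault (assumed design).
        self._index_key = secrets.token_bytes(32)
        self._by_index = {}  # keyed digest of the value -> token
        self._by_token = {}  # token -> original value (encrypted at rest in practice)

    def _index(self, value: str) -> bytes:
        # Keyed digest, so the index cannot be brute-forced without the vault key.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).digest()

    def tokenize(self, value: str) -> str:
        idx = self._index(value)
        if idx not in self._by_index:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from value
            self._by_index[idx] = token
            self._by_token[token] = value
        return self._by_index[idx]

    def detokenize(self, token: str) -> str:
        # Only a party with access to this vault can recover the original value.
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def share_records(vault, records):
    """Return copies of the records with the VIN replaced by its token."""
    return [{**r, "vin": vault.tokenize(r["vin"])} for r in records]


# Constructed sample event records; the VINs are made up.
SAMPLE = [
    {"vin": "WVWZZZ1JZXW000001", "event": "lane_departure_warning"},
    {"vin": "WVWZZZ1JZXW000002", "event": "drowsiness_warning"},
    {"vin": "WVWZZZ1JZXW000001", "event": "speed_assist_override"},
]

if __name__ == "__main__":
    vault = TokenVault()
    for row in share_records(vault, SAMPLE):
        print(row)
```

The same vehicle always receives the same token, so a partner can still correlate events per vehicle, while recovering the VIN requires the vault itself rather than a key or an algorithm.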
Unified KMS as an evolutive compliance mechanism
For data on the move—travelling down supply chains, across connected devices or over the air, such as OTA software updates—unified encryption key management underpins the gold standard in cybersecurity.
As regulations morph and multiply, they demand internal changes across all organizations. Implementing a custom, unified key management system as part of a cybersecurity overhaul helps these businesses prepare for evolving unknowns, such as new algorithms.
In encryption, processes matter as much as technology, if not more. As an innovation partner, Keys&More gives organizations the guidance and customized solutions to safeguard their data by taking control of their risk, mitigations, monitoring and interventions.
Centralized oversight is a prerequisite for sweeping internal changes to cybersecurity systems and processes. Establishing a unified system is the first step to large-scale agility and resilience against the unknown.