By Carlos Borella
The COVID-19 pandemic contributed to the explosion of cyber security cases and incidents in Brazil and around the world. We will not cite the incidents themselves, as the focus of this article is the initiatives developed to raise the information security maturity of the most diverse ecosystems and fields of activity: from financial, electrical and telecommunications, historically highly regulated, to, more recently, the automotive industry.
To better understand this last ecosystem, we need to mention the IATF 16949.
But what is the IATF 16949?
It is a global quality management system standard that incorporates the structure and requirements of the ISO 9001 quality standard, with additional requirements from the automotive industry. It was developed by the International Automotive Task Force (IATF), with the support of the AIAG, and requires certification by an external auditor (an accredited certification body, similar to the processes of SGS (ISO 20000), SGSI (ISO 27001), among others).
Although IATF 16949 was initially conceived with a focus on quality, with the evolution of systems, interconnection of environments and the constant concern with digital threats, naturally the topic of cyber security became essential for this standard, as a possible disruption can impact the entire ecosystem.
In this sense, IATF 16949 included the topic of cyber security in two domains (or chapters), the first Business Continuity and the second Risk Management, with a focus on the planning and architecture of manufacturing facilities and systems.
For Business Continuity, the objective is that organizations that are part of the ecosystem have a response plan and, consequently, operational continuity if their manufacturing or logistics operations are interrupted by a cyber attack, including ransomware scenarios. Also in relation to Business Continuity, periodic tests of the contingency plan must be carried out to ensure its effectiveness; these may include a simulation of a cyber attack, regular monitoring for specific threats, and the identification and prioritization of vulnerabilities.
Risk Management highlights the importance of implementing security controls not only in corporate environments, but also in manufacturing and production sectors, where systems that coordinate and operate the automation environment are already a reality and have interdependencies with corporate systems, for example ERPs, logistics systems, among others.
It is noteworthy that IATF 16949, as a standard, mentions the need for controls and protections but does not direct or detail their implementation. In short, it presents "what" to apply, but not "how" to apply it. Thus, references and good cyber security practices, such as NIST, SANS, among others, should continue to be used.
Finally, it is important to highlight that the security strategy already established by the organization need only be revised so that its cyber security initiatives converge to cover and mitigate the risks that, if materialized, could impact its operations.
— Carlos Borella is CEO and Cyber Security Lead Partner at [SAFEWAY]
SAFEWAY is an Information Security company, recognized by its clients for offering high added value solutions through Information Security projects that fully meet the needs of the business. Over these years of experience, we have proudly accumulated several successful projects that have given us credibility and prominence among our clients, many of which are among the 100 largest companies in Brazil.
Let's make the world a safer place to live and do business!