
São Paulo/SP – July 29, 2022. The automotive industry has been working on initiatives to raise the information security maturity of its ecosystem.

By Carlos Borella

The last few years have brought an explosion of information security incidents in Brazil and around the world. 2022 in particular has been marked by cases whose impact reached not only the companies targeted, but also their customers and suppliers along the automotive production chain. In response, the automotive industry has been working on initiatives to raise the information security maturity of its ecosystem.

Data in CrowdStrike's 2022 Global Threat Report[1] reinforces the sector's concern: comparing 2020 with 2021, the number of data leaks in the Industry and Engineering sector practically doubled, the largest increase of any sector in the period.

Information security is not a new topic for the automotive industry. The global standard IATF 16949 is proof of that: although it was originally conceived with a focus on quality, the evolution of systems, the interconnection of environments and the constant concern with digital threats led it to address security in two domains (or chapters), Business Continuity and Risk Management, with a focus on the planning and architecture of manufacturing facilities and systems.

But what is TISAX[2]? TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism (current document version 2.4, published April 2022) developed jointly by the German Association of the Automotive Industry (VDA) and the ENX Association. A TISAX assessment is based on the VDA Information Security Assessment (VDA ISA) test catalogue, which in turn is derived from ISO/IEC 27001 and ISO/IEC 27002, with adaptations specific to the automotive sector; prototype protection, for example, has its own section in the assessment catalogue.

Obtaining the TISAX seal generally involves three phases: registration with the ENX Association; self-assessment (evaluation and preparation); and the external audit (selecting and contracting an approved auditor and going through the independent assessment). The ISA test catalogue is divided into three broad assessment categories: information security (41 controls), prototype protection (22 controls) and data protection[3] (4 controls, tied to Article 28 of the GDPR).

The effort required to adapt and obtain the TISAX seal depends directly on the scope and the type of information the company handles and, above all, on the potential impact on the ecosystem (the automotive industry) should a cyber risk materialize. Once obtained, the TISAX seal is valid for three years and must then be renewed through a new assessment of the environment.

It is worth noting that TISAX, like IATF 16949, states the need for controls and protections but does not direct or detail how they are to be implemented. In short, it defines "what" to apply, not "how" to apply it. Cybersecurity references and best practices such as NIST, SANS and ISA/IEC 62443 (ISA99), among others, therefore remain necessary.

Carlos Borella, CEO of Safeway Consultoria, states: "Because TISAX was based on ISO 27001, its control structure contains many already familiar information security requirements, since the ISO standard is widely used. In this sense, if the company already has an established security and governance strategy, for example to meet a management system, it is important that it revises it and incorporates TISAX into that system. Additionally, this will allow information security initiatives to converge and thus avoid overlapping controls for the coverage and mitigation of risks already mapped."

[1] 2022 Global Threat Report (crowdstrike.com)

[2] TISAX Participant Handbook (enx.com)

[3] In some cases this category is classified as not applicable, because the activities, resources and processes audited within the scope of the TISAX assessment do not process personal data.

— Carlos Borella is CEO and Cyber Security Lead Partner at [SAFEWAY]

How can we help?

SAFEWAY is an information security consultancy recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience we have accumulated many successful projects, earning credibility and prominence with our clients, most of whom are among the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, a service management system or a business continuity management system and, consequently, the certification of operations, services or companies to the ISO 27001, ISO 20000 or ISO 22301 standards.

To support companies in evaluating and adapting to the requirements of the LGPD, [SAFEWAY] offers the Cybersecurity Health Check, a diagnosis of the cybersecurity, information security and data privacy practices implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, the risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated, proportionate to the size of your organization, in order to raise the level of maturity and compliance in line with good information security practice. If you would like more information, contact one of our experts!