In recent years, the number of attacks on IT security in the manufacturing industry has increased. Companies’ networks in this sector are spied on particularly frequently, which makes them more susceptible to cyber attacks and cybercrime. This is now to be counteracted.
The IATF has recently published CB Communiqué 2019-009, in which additional sanctioned interpretations (SIs for short) of the IATF 16949 standard were announced. These significantly amend/supplement the existing requirements of the IATF 16949 standard in chapters 6.1.2.3 & 7.1.3.1 with regard to the production infrastructure and emergency management. As a result, non-compliance with the new cybersecurity requirements can now be defined as a deviation in audits.
But back to the actual content of the new requirements: What has been changed/extended and what needs to be considered now?
Specifically, the existing requirements have been expanded in two areas with regard to production security:
Additions to the emergency plan
With immediate effect, companies must implement emergency plans for cyber attacks on information technology systems.
The reason given for this extension was that companies have to deal with the possibility of a cyberattack that could affect the company’s production and logistics operations. Companies must ensure that they are prepared for a cyber attack.
Companies must also introduce periodic reviews of the effectiveness of emergency plans (e.g. through simulations). Cybersecurity testing can include a simulation of a cyberattack, regular monitoring for specific threats, identification of dependencies and prioritization of vulnerabilities.
As cyber security has become a growing risk to the sustainability of manufacturing in all production facilities, including the automotive industry, these emergency tests have been identified as an area in need of clarification. Cybersecurity tests can be carried out internally by the company or outsourced externally.
Additions in the area of plant, resource and equipment planning
The company must take a multidisciplinary approach that includes risk identification and mitigation methods to develop and improve plans for facilities, plant and equipment. When designing plant layouts, the company is to implement cyber protection for devices and systems to support production.
Cyber security is not limited to support functions and office areas with computers: manufacturing also relies on computerized controls and equipment that are vulnerable to cyber attacks, which is why the IATF deemed this addition necessary. It drives the implementation of the protective measures needed to ensure continued operation and production in accordance with customer requirements.
Possibilities of implementation
There are sensible measures available to you to prevent the non-compliance mentioned at the beginning and thus the possible deviation in audits and certifications.
Certification in accordance with TISAX or ISO 27001 is an effective way of mapping cybersecurity issues in relation to the production infrastructure and guaranteeing the corresponding security without having to set up a parallel system and thus avoidable redundancy.
And even without the certification of the above-mentioned standards, it is possible to implement the above-mentioned requirements in your company in a pragmatic, effective and targeted manner.
Our OPTIQUM experts will be happy to advise you at any time and help you with the implementation.
The International Automotive Task Force, or IATF for short, is a working group made up of representatives from mostly North American and European automotive manufacturers and associations and is concerned with the harmonization of standards and norms to improve product quality for automotive customers.
The automotive industry quality management system standard defined by the IATF, “IATF 16949”, together with the corresponding customer-specific requirements of the automotive industry and the requirements of ISO 9001:2015 and ISO 9000:2015, defines the basic requirements for quality management systems for series and spare parts production in the automotive industry.
A cyber attack is an attempt to gain illegal access to a computer or computer system in order to cause damage. It is often a deliberate exploitation of weaknesses in the security of computer systems or networks to gain access to data or to change computer code, logic or data. Such actions can have harmful consequences that jeopardize confidential data and lead to cybercrime, for example information and identity theft, automation-related business interruptions, encryption of business-critical data, or illegal remote control of systems or data.
Cyberattacks and cybercrime are not always the result of a sophisticated series of password-guessing actions using powerful computer programs carried out by teams of people in a remote location. They are often actions such as:
- Convincing individuals to give out sensitive or private information through email messages (typically phishing)
- Phone calls in which the caller poses as a trusted person or government official to obtain personal information
- Observing passwords as they are entered
- Infecting popular websites with malware
- Text messages with links to websites that install malware
- Seemingly legitimate USB sticks left on desks that are then plugged into PCs
- Theft of discarded materials containing confidential computer information, etc.
Furthermore, after gaining access to a company’s system, a cybercriminal could encrypt the company’s critical data and demand a ransom to decrypt the data.
The GDPR (General Data Protection Regulation) in Europe or similar requirements in other regions also stipulate that companies are responsible for ensuring that the personal data stored by the company is protected and secured at all times, which underlines the importance of preparation in the event of cyber attacks.