Mitigating Third-Party Risks in the Automotive Supply Chain

With an average of 30,000 different parts required to build a single vehicle, you can imagine the complex processes and supply chain coordination necessary to manufacture automobiles on a global scale. These supply chains, with countless third-party manufacturers and service providers, constitute a significant source of risk for automobile manufacturers. And vulnerabilities in the industry will only continue to grow with the increasing integration of technology into vehicles.

Automotive companies and manufacturers throughout the automotive supply chain must therefore be vigilant of mounting cyber and business risks. Using The Trusted Information Security Assessment Exchange (TISAX) framework, along with further suggestions from Prevalent, companies can be better positioned to mitigate the vulnerabilities present within the automotive supply chain. In this blog I will review specific automotive supply chain risks, identify how TISAX can help provide a framework to address those risks, and then discuss how Prevalent can help.

The Automotive Supply Chain

The automotive supply chain, which includes the production and transportation of different automobile parts and components, is necessary for both financial and regulatory reasons. Producing all the necessary components for an automobile would be too costly for one company to incur. On the regulatory side, several laws exist (e.g., Michigan House Bill 5606 (2014)) that prevent automotive manufacturers from selling directly to consumers.

Recent technological disruptions have led automotive manufacturers to re-think and restructure the supply chain. For example, vehicle optimization has led manufacturers to use data collected from tracking devices to optimize performance. The resulting changes to vehicles often necessitate changes in the supply chain – increasing reliance on non-OEM (original equipment manufacturer) systems and opening more room for potential risk.

Cyber Vulnerabilities

Like all modern industries, the automotive industry is not immune to cyber security threats. According to a recent study conducted by Synopsys and SAE International, 30% of organizations in the auto industry do not have an established cyber security team, and only 63% test the technology that they produce for security vulnerabilities. In July of 2018, a data breach hit several automotive manufacturers, including General Motors, Tesla, Toyota and Ford. Over 47,000 files were stolen in the breach, including blueprints, non-disclosure agreements, and other sensitive trade secrets. The breach occurred via a third-party vendor, Level One Robotics, a company that specializes in the automation process for automotive suppliers and manufacturers.

TISAX

One way in which risk in the automotive supply chain can potentially be mitigated is through the Trusted Information Security Assessment Exchange (TISAX). TISAX, first developed by the German Automotive Industry Association (Verband der Automobilindustrie), allows for information security audits on manufacturers and suppliers in the automotive industry. TISAX provides manufacturers with the information necessary to make informed decisions in the manufacturing and distribution process while managing risk accordingly. TISAX continues to build its “community” within the automotive supply chain in the hopes of allowing all those in the community to work seamlessly with complete trust. Having TISAX certification as a requirement has proven effective in managing risk since being implemented in Germany in 2018.

How Can Prevalent Help?

Due to the complexity and constant changes in the automotive supply chain, continuously monitoring the various manufacturers involved is essential to managing and mitigating risk. After all, a defect in the supply chain could result in a brand, financial, regulatory and/or cyber risk. Mitigating supply chain risks should include the following steps:

1. Standardizing on a questionnaire-based assessment with a common framework of supplier-provided evidence and due diligence.
2. Collecting responses and evidence from suppliers in a central platform that enables manufacturers to quickly identify risks across their supplier ecosystem or at the supplier-level.
3. Leveraging a shared network of standardized, validated supplier questionnaires to speed up the risk identification and mitigation process.
4. Continuously monitoring the cyber health of supplier networks from a hacker’s point of view to provide visibility and remediation guidance on gaps that could lead to unwanted access, and to layer on to the results of the questionnaire-based assessment for a more complete picture of supplier risks.
5. Integrating business risk intelligence – such as supplier financial data (where available), major news events, lawsuits or recalls – that can be a preview into potential future cyber risks.
6. Enabling remediation with specific guidance to mitigate risks.
7. Reporting by regulatory or compliance framework (such as ISO 27001, etc.) to transparently share with members of the supply chain.

Prevalent delivers a unified platform built from the ground-up to assess and monitor third-parties and provide remediative guidance to reduce risk. Working alongside audits like TISAX, Prevalent can provide a holistic view of third-party risk within the automotive industry. For more information on how Prevalent can help, contact us for a demo today.