IT security: How trust works in the automotive industry
Does my supplier or service provider have IT security under control? This is a justified question in the highly connected automotive industry. It is no longer possible to work without cloud and external access. TISAX (Trusted Information Security Assessment Exchange) creates IT security trust within the industry. TISAX-compliant companies meet the necessary IT security requirements. This also includes secure cloud services for the entire industry such as Microsoft Azure, Office 365 and Dynamics 365.
Connected and autonomous vehicles, cloud-based services and mobile workplaces, digital communication between OEM and supplier: IT systems are indispensable in the automotive industry, and challenges related to autonomous driving can hardly be overcome without cloud support.
In order to secure the constantly increasing connectivity, the VDA (German Association of the Automotive Industry) and the Governance Organization ENX Association with TISAX developed a standard that evaluates IT security measures across companies. TISAX was derived from ISO 27001 and adapted to the specifics of the industry. For example, TISAX optionally covers the protection of prototypes (physical and digital), the cooperation with third-parties or the handling of security margins.
On November 14, 2018, independent testers completed the TISAX Assessment for data centres and operations centres handling the cloud services Azure, Office 365 and Dynamics 365. The result: Companies in the automotive sector can trust these cloud services without additional certifications and thus manage their tasks more efficiently. In addition, automobile manufacturers can confidently exchange data with suppliers who offer their employees modern workstations based on Office 365 cloud services. Continental, for example, already relies on Office 365.
For Microsoft, meeting the standard was a given. After all, Microsoft’s cloud services have always met a wide range of international and industry-specific requirements, including the General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2 and country-specific standards such as Australia IRAP, UK G-Cloud and Singapore MTCS. A complete listing can be found in Microsoft Trustcenter.
Here is the scope of the TISAX Assessment:
- Cloud data centres in Northern Europe (Dublin region, Ireland) and Western Europe (Amsterdam region, Netherlands) were assessed by the Assessment Level (AL) “3” standards. AL3 refers to data with a very high need for protection, such as data classified as ‘strictly confidential’ or ‘secret’. This means, for example, that resource intensive applications such as crash test and flow simulations as well as the AI (artificial intelligence) systems required for the development of autonomous vehicles can run in the almost infinitely powerful cloud.
- In addition to the above-mentioned data centres, selected cloud data centres in France, the United Kingdom, the United States, Canada, Korea, Japan, Australia, and selected regions in Asia have been assessed with Level “2”. AL2 refers to data with a high need for protection, such as data classified as ‘confidential’.
Thanks to compliance with TISAX specifications, automobile manufacturers can also rely on Azure to network their vehicles and, thus, become part of the Internet of Things. As an example, there are VW Automotive Cloud, BMW Connected Drive or the fleet management at Daimler Trucks North America.
The catalogue of underlying TISAX requirements can be found at the VDA website. Registered industry representatives can find details on the conformity of Microsoft offers on the governance organization’s portal ENX Association. Microsoft has the participant ID PGKYK0. Information on Scope “Microsoft Corp. EU – AL3” can be found under the Scope-ID SY869K, and the information on Scope “Microsoft Corp. WORLD – AL2” under the Scope-ID S08NT9.
