Recent world events in Ukraine have once again focused the business community on the potential impact of cyber-attacks as a means of disruption. This trend is particularly troubling for the automotive supply chain because the symbiotic nature of these relationships means one attack could ultimately interrupt product shipments for many companies. Across the supply chain, the cyber security practices employed range from zero to advanced. This wide variation and the lack of adherence to unified security practices leave the automotive supply chain at risk.
In essence, the weakest link creates the most significant exposure for all, and a prevailing challenge is creating a unified standard for cyber security. European automotive companies have played a leading role by developing and enforcing TISAX as a defined framework for implementing cyber security controls across the supply chain. In North America, the story is a bit different, as each OEM uses a different supplier risk management framework. Since most suppliers work with multiple OEMs, they must adopt a different set of requirements for each OEM. Imagine the industry challenges if every OEM had a different version of manufacturing quality standards instead of ISO 9001.
A lack of standardization and the potential for implementing multiple security frameworks have caused many suppliers to spend an increasing amount of time responding to many different questionnaires. While it is positive that the industry is increasingly focused on maturing all suppliers in the ecosystem, the increasing number of frameworks has the potential to cause teams to divert attention away from running day-to-day security operations and onto responding to questionnaires. The trusted interconnectivity among automotive suppliers means that one data breach has the potential to impact many. Like any other form of business, cybercrime is predicated on maximizing return on invested resources. Because attackers need to recover or monetize their time quickly, a resistance threshold will rebuff financially motivated individuals. An organization that doesn’t embrace even basic security practices presents a weak link with the potential to impact many firms.
But it’s not all bad news, as suppliers take proactive steps to help others evaluate and implement baseline safeguards. American Axle Manufacturing is joining the community in helping develop a cyber risk management program for suppliers to encourage and support increased security. The focus is on improving coverage across the board for suppliers large and small. The initiative is collaborative and geared toward raising the bar on cyber security. Erik Wille, Chief Security Officer for American Axle, commented, “No company wants to find out in the news that its data was breached. This is the spirit upon which we are building the supplier program.” He continued by emphasizing the importance of the initiative to the overall health of the supply chain: “I wish it were simple to get everyone on the same page and to sing from the same hymnal, but we have to establish a mindset that cybersecurity is just a cost of doing business today. We see this as an opportunity to partner with our customers and suppliers to collectively combat the evolving risk of cyber security to business and the supply chain as a whole.”
Change is constant in business, and the automotive supply chain is no exception. The ongoing threat of business disruption coupled with increased pressure from automotive producers will necessitate the use of unified cyber security standards to strengthen the ecosystem. Adoption is in the early stages, but all should expect a rapid acceleration to reduce risk.