During the 2017 AIAG Supply Chain Summit, the formation of a new working group tasked with creating a set of information security standards was announced. These standards would be created for use by the OEM’s third-party suppliers and partners, and center around protecting OEM intellectual property during contract fulfillment. Five OEM’s participated in the working group, including GM, Ford, Fiat Chrysler, Honda and Toyota.
Although each of the OEM’s contributed experienced team members, such as CISO’s and supply chain management experts, little else has been disclosed regarding how the working group’s published standard will be distributed or managed. Other than an offhand mention of the new standard in a General Motors job posting, there isn’t much being said about this jointly developed information security standard.
There was one useful piece of information in the above job listing; the name of the standard. Expected to be formally announced at this year’s Supplier Summit, the standard will most likely be titled Third Party Information Security Requirements, or TPISR.
Basis for the TPISR Standard
Per the talking points of the AIAG’s presentation from the 2017 Supplier Summit, TPISR will be strongly influenced by at least two established standards organizations. The National Institute for Standards and Technology (NIST) has published their widely adopted Cybersecurity Framework (CSF), as well as a general-purpose standard for safeguarding controlled information (NIST Special Publication 800-171). The International Organization for Standardization (ISO) also offers their ISO/IEC 27001:2013 and ISO/IEC 27002:2013 security standards, which can be readily cross-referenced to NIST standards. These standards are expected to serve as the DNA for TPISR as a whole.
TPISR Standard Highlights
Based on the brief conversations we’ve had with members of the AIAG working group, as well as our general knowledge of the NIST and ISO standards influencing the upcoming AIAG standard, it’s likely that TPISR will feature some of the following security practices:
Information Security Program
Taking cues from numerous other information Security standards; TPISR will likely require that each third party supplier creates and maintains an information security program. This program will be managed by clearly identified individuals, who will ultimately be accountable for the program’s results. If an automotive supplier is already working on ISO 9001:2015 or AS9100D certification; it’s expected that these standards’ focus on risk management will serve as a foundation for TPISR’s required governance model.
Layered Access Controls
Under TPISR: OEM SECRET information will likely need to be kept in a separate environment, complete with its own logical access controls. In addition to this, the entire network will need to operate under enhanced guidelines for user accounts, password policies, and separation of duties. Organizations who don’t currently use VLANs for network segmentation, and who don’t design their systems around least access and least privilege, will have the most work to do.
Informed Risk Management
Beginning with proactive activities such as vulnerability scans, systems maintenance and security tools, and culminating in reactive capabilities such as incident response and security assessments, TPISR will require that each third party supplier manages the risks posed to OEM information.
IT Systems Built to Meet Industry Standards
With the introduction of TPISR, it won’t be enough for third party suppliers’ IT systems to simply “get the job done.” Instead, suppliers will need to seek out and adopt widely trusted standards for the configuration and use of IT systems such as servers, firewalls, antivirus, and business applications. As we’ve stated in this article: discussions of the TPISR standard point towards various NIST special publications and similar ISO standards as starting points for the trusted configuration of systems and software. Suppliers who can implement these established standards now will be well-positioned to adopt and meet the upcoming TPISR requirements.
A Holistic View of Business Interruptions and Continuity
While many of the information security standards for other regulated industries have focused on the ways an organization should safeguard their customers’ sensitive information, the AIAG requirements look beyond data loss. Since cyber threats can also involve disruptions to the normal flow of business, and threaten the availability of business systems and information, TPISR is expected to address the way suppliers handle these problems. As part of developing a full disaster recovery and business continuity approach, suppliers could be expected to implement communication plans, defined their maximum tolerable downtime, and test failover scenarios.
The introduction of TPISR will certainly change the landscape for automotive suppliers. The automotive supply chain has already become more involved in the creation and distribution of intellectual property, as prototyping and design activities are incorporated into third party services. With more and more OEM information living on third party systems, it was only a matter of time until OEM’s took steps to further secure their intellectual property.
This move by major auto brands resembles those taken by the U.S. government, Department of Defense, oil and gas, and commercial aircraft industries. In these verticals, the implementation of costly security methods has led to suppliers either leaving the market or facing consolidation. With more and more industries demanding information security throughout the supply chain, and based on the sheer size of the automotive industry, simply leaving the market may not be an option for many automotive suppliers. Gaining the trust of OEM’s, and demonstrating the ability to secure sensitive information will need to become part of each supplier’s competitive advantage.