How TISAX-Compliant Access Management Protects the Automotive Supply Chain
The automotive industry is undergoing dynamic – and sometimes disruptive – changes. In the course of digitalization, more and more software services, electronic control systems, and APIs are finding their way into vehicles. However, digital supply chains offer countless starting points for cyber-attacks. In 2017, the automotive industry developed the TISAX testing and exchange procedure – an internationally recognized certificate that lets suppliers document their compliance with appropriate security standards, thus helping OEMs resist attacks. A central element of TISAX is strong Privileged Access Management (PAM), which protects critical accounts and sets the course for a cyber-resilient supply chain.
In the future, autonomous vehicles and transport systems will shape cityscapes worldwide: Through intelligent consolidation of a wide variety of electronic systems, cars will be able to communicate with each other, make independent decisions, and react appropriately to dangerous situations. The innovation potential of this technology is practically limitless – as is the potential damage if corresponding IT systems are compromised.
In view of the enormous risk presented by potential cyberattacks, the automotive industry launched TISAX in 2017. This certificate, awarded by the French governance organization ENX Association, defines minimum standards for secure information processing, prototype protection, and data protection in automotive companies. This enables the industry to check the maturity level of information security at potential partners, service providers, and suppliers.
No unauthorized access to privileged accounts
A central aspect here is the secure handling of identities and access: In the closely interlinked supply chains of the automotive industry, the integration of external partners into the company’s own systems or processes is common practice. At the same time, this represents a risk factor that must be closely monitored. After all, every connected partner needs specific digital identities, often with far-reaching access rights, for their collaborative work. And these identities are tremendously attractive to attackers.
In addition to partner accounts, the number of privileged employee, machine, and customer accounts is also growing rapidly. Thus, consistent identity management and a systematic strategy for managing access to these accounts are essential throughout the automotive industry.
Minimum rights for a limited period
Privileged Access Management (PAM) is based on the “least privilege” principle, which ensures that authenticated identities are always granted only a minimum of rights. These should be just sufficient to perform the assigned task and should be granted for a limited period – not permanently. This way, companies lay a solid foundation to prevent dangerous lateral movements in the network, and significantly reduce the attack surface.
Cutting-edge PAM strategies
However, the way companies approach PAM has changed significantly in recent years: Today, automated next-generation solutions are increasingly taking the place of selective, manually managed projects. Designed holistically and programmatically, these PAM initiatives successively expand the robust foundation of the “least privilege” principle to include additional components: centralized password management, session management with flexible authentication options, comprehensive monitoring, and privileged access governance.
The access requirements for the most critical Tier 0 or Tier 1 resources – such as the domain controller – should be even more stringent. Privileged access to these “crown jewels” must ideally occur in an isolated environment and be protected by robust multi-factor authentication. The same applies to SaaS admin IDs and privileged business users.
Focus on password management
Password management is a key component of any PAM strategy: 80 percent of cyberattacks use stolen credentials. Thus, every automotive company and supplier should implement automatic password changes for network accounts, and store critical access data in secure vaults. This is especially true for infrastructure accounts, DevOps credentials, and SSH key pairs. Ideally, cyber-resilience should also be regularly boosted in red-team exercises, and flanked by comprehensive auditing and reporting measures.
Choosing and integrating the right solution
A broad range of mature PAM solutions are currently available, and selecting the right vendor depends on several factors: The architecture of the existing network, for example, is of decisive importance – cloud-native, hybrid, or on-premises? Legacy or greenfield? Based on this initial assessment, it is then necessary to select the solution that best fits into the existing technology stack and optimally meets stakeholders’ requirements.
Security teams that are unfamiliar with PAM are usually overwhelmed by this decision-making process. Here, experienced, vendor-agnostic consultants and system integrators come into play. Drawing on in-depth market knowledge and many years of project experience, they help the internal team to evaluate the wide range of products and to find a suitable solution. In addition, they work with the customer to develop a long-term, sustainable strategic vision – laying the foundation for a resilient solution that meets all the requirements for TISAX-compliant information security.
Privileged Access Management with iC Consult
As an acknowledged specialist in all matters of Identity & Access Management, iC Consult has already implemented many demanding projects for well-known customers in the automotive industry – from BMW to Mercedes to Porsche. The consulting company is certified according to TISAX as well as ISO 9001 (quality management) and ISO 27001 (information security) and thus stands for the highest professional competence and sustainable solutions.
How can we best support you in your PAM projects? Let’s get started with a free pre-workshop! This will give you a comprehensive overview of the current maturity level of your IAM infrastructure and define your company’s PAM requirements. The pre-workshop includes the definition of key priorities and business goals as well as – in the case of legacy scenarios – a detailed gap analysis.
Following the workshop, you can then choose from three flexible packages for PAM implementation. All three include high-level recommendations for your individual project, a readiness assessment, a PAM roadmap including transformation and schedule, a TCO calculation for three to five years, implementation plans, and individual workshops. Alternatively, you can opt for a customized solution in which we adapt each step to your company’s requirements.
Sound interesting? Get in touch! Our PAM team is happy to answer all queries: firstname.lastname@example.org or ic-consult.com/de/pam-journey/
TISAX – a project kicked off by the automotive industry in 2017 – is an audit and exchange process to assess the cybersecurity maturity of partners and suppliers and ensure compliance with mandatory minimum standards across the supply chain. The assessment questionnaire is modeled on ISO 27001. More and more automakers and OEMs are now making TISAX certification a prerequisite – so the topic is high on suppliers’ agendas.