VDA-ISA and TISAX: Why system hardening is becoming a “must have” in the automotive industry

Automotive suppliers and manufacturers must follow sector-specific industry standards such as VDA-ISA and TISAX to secure their IT systems. That is why system hardening is taking on an increasingly important role.

What is TISAX?

The acronym TISAX stands for Trusted Information Security Assessment Exchange. It is an assessment and exchange mechanism designed to improve and assure information security in the automotive industry. Among other things, it enables sensitive data such as business secrets to be better protected.

TISAX was developed by the ENX Association. “ENX Association is an organization consisting of automobile manufacturers, suppliers and four national automotive associations. The aim is to enable and simplify secure and trustworthy collaboration over industrial value-added networks”, the organization says about itself.

What does VDA-ISA stand for?

TISAX is based on VDA ISA. ISA is the abbreviation for Information Security Assessment. This standard is published by the German Association of the Automotive Industry (VDA). The VDA ISA catalogue 5.1 is currently valid; the VDA ISA catalogue 6.0 will be valid from 1 April 2024.

VDA-ISA, and thus TISAX, draws on, among other sources, the EU-wide GDPR (General Data Protection Regulation), the German IT-SiG 2.0 (Second Act to Increase the Security of Information Technology Systems) and ISO/IEC 27001.

What changes does VDA ISA 6 bring?

VDA ISA 6.0 uses ISO 27001:2022 (the current version of ISO 27001, published in October 2022) as its reference point. Some of the existing controls, namely 3.1.2 and 1.6.1, are removed. Instead, several new control questions are introduced that deal with the topics “Incident Management” and “Crisis Management” in more detail.

The topic “Backup & Recovery” receives its own specific control questions in area 5 in order to devote more attention to this important aspect of information security. The “Data Protection” module will also undergo a comprehensive revision in VDA ISA 6.0, so that current data protection requirements and guidelines are adequately taken into account.

The importance of Operational Technology (OT) is also emphasised more strongly in the latest VDA ISA catalogue. Among other things, the catalogue is adapted to and aligned with the IEC 62443 standard, which means that assets such as machines on the production floor are an integral part of the standard.

What do VDA-ISA and TISAX have to say about system hardening?

If you download the VDA-ISA catalogue version 5.1, you will find this recommendation, among others, under “ISA 5.2.3” (title: “To what extent are IT systems protected against malware?”) in the target requirements:

“For IT systems operated without the use of malware protection software, alternative measures (e.g. special resilience measures, few services, no active users, network isolation) are implemented.”

This means that automotive suppliers, service providers and manufacturers are advised to introduce system hardening. This involves the secure configuration of IT systems, which should significantly reduce the attack surfaces for malware.

Where does this recommendation come from?

In the field of IT security, the maxim of Protect-Detect-Respond has become established and has proven itself. However, the first aspect, the protection of systems, is unfortunately often neglected. Yet “locking” the “IT front doors” via comprehensive system hardening is one of the best preventive measures against cyber attacks.

In the meantime, this realization is – fortunately – gaining acceptance in many areas. DISA, CIS, ACSC and other cybersecurity organizations have been issuing recommendations for comprehensive system hardening for years, and system hardening has also been incorporated into ISO 27001 as an important measure.

Industry standards such as PCI DSS 4.0 (Payment Card Industry Data Security Standard), VAIT (Supervisory Requirements for IT in Insurance Undertakings) and BAIT (Supervisory Requirements for IT in Financial Institutions) also call for hardening of operating systems and applications. And the German BSI IT-Grundschutz is understandably blowing the same horn.

Accordingly, the German Association of the Automotive Industry (VDA) is also following the increasingly stringent specifications and regulations and has incorporated them into VDA-ISA – and thus into TISAX.

Where is the journey heading?

The threat and costs of cyber-attacks are continuously increasing, and accordingly, there will be further tightening of regulations and corresponding laws. Not only companies that are of economic importance must secure their IT systems better than ever.

Increasing cyber attack costs (Image: Statista)

This means that the requirements in the IT security environment in accordance with VDA-ISA and TISAX will also increase. Based on initial information, we assume that TISAX will probably be based on the updated standard for information security ISO 27001:2022.

This means that the secure configuration of IT systems will become a must-have requirement in the near future. The secure configuration control in ISO 27001:2022 addresses exactly this point.

Automotive manufacturers, service providers, and suppliers must prepare themselves for the fact that regulatory requirements will increase – partly because of the changed threat situation. This is the only way to reduce the risk of data leaks, of mission-critical data being encrypted in the worst case, or of networked systems being damaged.

Do you want to harden your systems properly?

Then let us help you! FB Pro’s hardening specialists will advise you on the most important measures and implement automated hardening of your systems if required. We will be happy to provide you with advice and support.

Send us an email!

Images: Freepik, Statista
