What is Cyber Security?
Introduction
Somebody has said that “Happiness has many roots, but none more important than security.” We all look for security in everything: it may be health, money, mental satisfaction or many other things. As humans, we are willing to pay almost any price to feel secure. As a country, a major share of spending goes on arms and ammunition so that the borders always remain secure.
Objective
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. Cyber-attacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes. In 2020, the average cost of a data breach was USD 3.86 million globally and USD 8.64 million in the United States (IBM Cost of a Data Breach Report 2020).
Cyber-attacks are a growing risk to all manufacturing facilities, including the automotive industry. The risk is not limited to the support functions and office areas that use computers: manufacturing itself uses computerized controls and equipment that are exposed to cyber-attack. Risk analysis and contingency testing have been identified as important ways of identifying and controlling cyber-attack risks.
In this blog, the focus is on understanding the implementation of necessary protections to ensure continued operation & production to meet customer requirements and what can be the possible controls as part of a cyber-attack contingency plan validation.
Read More: https://bit.ly/Step1DefineProblem
Definitions:
Embedded Software (IATF, clause 3.1): is a specialized programme stored in an automotive component (typically computer chip or other non-volatile memory storage) specified by the customer, or as part of the system design, to control its function(s).
Read More: https://bit.ly/ProblemSolvingTechnique
Detailed Information:
A cyber-attack is an attempt to gain illegal access to a computer or computer system in order to cause damage or harm. It is often the deliberate exploitation of weaknesses in the security of computer systems or networks to gain access to data, or to alter computer code, logic or data.
What is Cyber Security?
Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks. It aims to reduce the risk of cyber-attacks and protect against the unauthorized exploitation of systems, networks and technologies.
Meaning of Cyber and Security:
Cyber: Internet, Information, Technology, Network, Applications, Data, Computer
Security: System security, Network security, Application security, Information security
Potential cyber-attacks pose a risk to all organizations due to the valuable information held within their information technology systems. Organizations need to address the possibility of a cyber-attack that could disable the organization’s manufacturing and logistics operations. Organizations need to ensure they are prepared in case of a cyber-attack by considering potential cyber-attacks in their risk analysis.
Employee knowledge is a key enabler to prevent issues from becoming significant, including identifying potential cyber-attacks.
Read More: https://bit.ly/RootCauseAnalysis3L5Y
Why is Cyber Security Important?
- Cost of cyber security breach rising
- Attacks are increasingly sophisticated
- Critical Management Issue
- Cyber-crime is big business
Read More: https://bit.ly/IshikawaDiagram
Types of Cyber-Attack
- Phishing: the practice of sending fraudulent emails that resemble emails from reputable sources. The aim is to steal sensitive data like credit card numbers and login information. It is the most common type of cyber-attack. You can help protect yourself through education or a technology solution that filters malicious emails.
- Ransomware: a type of malicious software designed to extort money by blocking access to files or the computer system until a ransom is paid. Paying the ransom does not guarantee that the files will be recovered or the system restored.
- Malware: software designed to gain unauthorized access to, or cause damage to, a computer. It includes ransomware, botnet software, RATs (remote access Trojans), rootkits and bootkits, spyware, Trojans, viruses and worms.
- Backdoors: hidden mechanisms that allow remote access while bypassing normal authentication.
- Formjacking: inserting malicious code into online forms to capture what users type into them.
- Cryptojacking: installing illicit cryptocurrency mining software on victims' machines.
- DDoS (distributed denial-of-service) attacks: flooding servers, systems and networks with traffic to knock them offline.
- DNS (domain name system) poisoning attacks: compromising the DNS to redirect traffic to malicious sites.
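The phishing entry above mentions a technology solution that filters malicious emails. As an added example that is not part of the original post, the following Python script shows the kind of checks such a filter performs on a raw message: a sender domain that is one or two characters away from a trusted brand (a typosquat), a display name claiming a brand the address does not belong to, a Reply-To that routes answers to a different domain, and link text that shows one host while the href points elsewhere. The trusted-domain allowlist, the two-indicator threshold and both sample messages are constructed for illustration only.

```python
"""Phishing-indicator checks on a raw e-mail (added example, not the post's code).
The trusted-domain list, threshold and sample messages are all constructed."""
import email
import re
from email import policy
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}  # constructed allowlist
# Deliberately simple anchor matcher; a production filter would use a real HTML parser.
LINK_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a brand usually means a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates (within two edits), or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and _edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw: bytes) -> List[str]:
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg["From"] or not msg["From"].addresses:
        return ["missing or unparsable From header"]
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    findings: List[str] = []

    # 1. Sender domain is a typosquat of a trusted brand (e.g. 'l' swapped for '1').
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain} resembles trusted {imitated}")

    # 2. Display name claims a trusted brand, but the address is not at that domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in sender.display_name.lower() and from_domain != trusted:
            findings.append(f"display name claims {trusted} but sender is {from_domain}")

    # 3. Replies are silently routed to a different domain than the apparent sender.
    if msg["Reply-To"] and msg["Reply-To"].addresses:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain")

    # 4. Visible link text names one host while the href really goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            text = text.strip()
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            actual = urlparse(href).hostname
            if shown and actual and "." in shown and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """Flag a message once it accumulates `threshold` or more indicators."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample: lookalike sender, foreign Reply-To, mismatched link.
PHISHING_MESSAGE = b"""\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@mail-recovery.example
To: user@example-corp.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Please verify here: <a href="http://login.examp1e-bank.com.verify-now.example/x">https://www.example-bank.com/login</a></p>
"""

# Constructed sample of a legitimate notification sent from the real domain.
LEGITIMATE_MESSAGE = b"""\
From: "Example Bank" <alerts@example-bank.com>
To: user@example-corp.com
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<p>Statement: <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
"""
```

Running `phishing_indicators(PHISHING_MESSAGE)` yields four findings and `is_suspicious` returns True, while the legitimate sample produces none. A real mail gateway adds checks this example omits, such as SPF, DKIM and DMARC verification of the sending domain and reputation lookups on the link targets; the point here is that each indicator is a cheap, explainable test and that a message is judged on the accumulation of them, not on any single one.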
Read More: https://bit.ly/7ProblemSolvingTechnique
Possible ways of Cyber-Attack:
Cyber-attacks and cybercrimes are not always the result of a sophisticated series of actions to guess passwords using powerful computer programs run by teams of people from remote locations. They are often simple actions designed around people, such as:
- convincing individuals to release sensitive or private information through email messages (typically phishing)
- pretexting (impersonating a trusted person or government official)
- phone calls announcing fake emergencies in order to obtain personal information (vishing)
- visual reading of typed passwords (shoulder surfing)
- infecting popular websites with malware (watering-hole attacks)
- text messages with links to sites that install malware (smishing)
- USB drives left on desks, appearing to be legitimate, which are then plugged into PCs
- theft of discarded materials containing confidential computer information (dumpster diving)
Impact of Cyber-Attack:
- compromise of confidential data
- information and identity theft
- operational interruptions caused by tampering with automation
- illegal remote control of systems or data
- encryption of the company’s critical data, with a ransom demanded to decrypt it
Read More: https://bit.ly/CausalFactor
Difference Between Cyber Security and Information Security:
- Cyber security focuses on protecting computer systems from unauthorized access or being otherwise damaged or made inaccessible.
- Information security is a broader category that protects all information assets, whether in hard copy or digital form.
Types of Cyber Security:
- Critical infrastructure cyber security
- Network security
- Cloud Security
- IoT (Internet of Things) Security
- Application Security
Read More: https://bit.ly/PoisonTest
How Cyber Security can be improved?
- Staff awareness training
- Application security
- Network security
- Password Management
- Leadership commitment
- Compliance with the GDPR (General Data Protection Regulation) in Europe or similar requirements in other regions
- Reinforcing the importance of being prepared in the case of cyber-attacks
- Information technology security techniques: ISO/IEC 27001
- Ethical hackers (penetration testing of the existing controls)
Dangerous Cyber security myth:
- Cybercriminals are outsiders: In reality, cybersecurity breaches are often the result of malicious insiders, working for themselves or in concert with outside hackers. These insiders can be a part of well-organized groups, backed by nation-states.
- Risks are well known: In fact, the risk surface is still expanding, with thousands of new vulnerabilities being reported in old and new applications and devices. And opportunities for human error – specifically by negligent employees or contractors who unintentionally cause a data breach – keep increasing.
- Attack vectors are contained: Cybercriminals are finding new attack vectors all the time – including Linux systems, operational technology (OT), Internet of Things (IoT) devices, and cloud environments.
- My industry is safe: every industry has its share of cybersecurity risks, with cyber adversaries exploiting the communication networks that almost every government and private-sector organization depends on. For example, ransomware attacks are targeting more sectors than ever, including local governments and non-profits, and threats to supply chains and “.gov” websites
Read More: https://bit.ly/WhatEmbeddedSoftware
IATF 16949 Standard requirements for Cyber Security:
| Requirement | Clause Number | Expectation |
|---|---|---|
| Risk Analysis | 6.1.2.1 | Proactive approach: identify cyber-attack threats arising from connections to the outside world and define the controls for them. |
| Contingency Planning | 6.1.2.3 | Prepare a contingency plan for a cyber-attack on an information technology system. Periodically test the plan for effectiveness, e.g. by simulating a cyber-attack, regularly monitoring for specific threats and identifying vulnerabilities; the testing should be appropriate to the risk of associated customer disruption. A vulnerability test by an ethical hacker can be used to assess the existing security system. |
| Plant, Facility and Equipment Planning | 7.1.3.1 | Implement cyber-protection of equipment and systems supporting manufacturing. |
| Competence | 7.2.1 | Training and awareness about prevention are relevant for attempted cyber-attacks. |
| FCA CSR dated 15 March 2021: Embedded software | 8.3.2.3 | Cyber security during the new product development process. |
Industry Challenges:
- The requirement for cyber security was added by the Sanctioned Interpretation issued in July 2021 and needs to be implemented by November 2021. How many organizations are aware of the new requirement?
- How often industry personnel are clear about the meaning of Cyber Security?
- How many organizations have started implementing the controls related to cyber security by reviewing their risk analysis and contingency planning?
References:
IATF 16949: 2016, Sanctioned Interpretation & FAQ
ISO 9001: 2015
ISO 9000: 2015
Industry Experts
This is the 153rd article of this Quality Management series. Every weekend, you will find useful information that will make your Management System journey Productive. Please share it with your colleagues too.
In the words of Albert Einstein, “The important thing is never to stop questioning.” I invite you to ask anything about the above subject. Questions and answers are the lifeblood of learning, and we are all learning. I will answer all questions to the best of my ability and promise to keep personal information confidential.
Your genuine feedback and response are extremely valuable. Please suggest topics for the coming weeks.
Excellent, all the related clauses of IATF 16949 : 2016 are covered. Thanks for sending.
Thanks Mr Kar for the kind feedback and appreciation.