Automotive security – Interview with Jozef Szakál, Audi Hungária

Cybersecurity plays a major role in the automotive industry today. Software components are responsible for more of a vehicle’s functions than ever before, and these components have to be in constant communication with one another. This has led to greater levels of comfort when it comes to cars, but all of that software isn’t without its own challenges and threats. We spoke with Jozef Szakál, the CISO of Audi Hungaria, about cybersecurity in the automotive industry.

Tell us a bit about yourself and your career path

My name is Jozef Szakál. I’ve been working at Audi Hungaria for 10 years in a variety of IT roles, and I’ve been a CISO for 3 years. I’m responsible for IT security, and lead a team which manages many internal projects. Audi Hungary is located in Győr, and is the largest automotive motor factory in the world. It also operates as a vehicle factory – we assemble the Audi TT,  and Audi Q3 models here. My main role is to provide information security by working with an information security management system (ISMS).

We have nearly 200 positions in IT and project management, so I also help a lot with recruitment. For people looking for a career in information security, IT system maintenance, or similar roles, we help them start that path here with us. As a major automotive organization both inside and outside of Hungary, we’re very active in hiring for the IT market, and we offer many career opportunities and plenty of challenges for our potential employees.

What are the challenges/rewards of being a CISO in the automotive industry?

As a profit-oriented company, one of our main goals is to maximize the creation of premium products while minimizing expenditures. There are different threat vectors that could jeopardize our position in the market, so it’s my responsibility to present these vectors to management transparently.

In Győr, we have the appropriate knowledge to maintain and even strengthen our position, and we need to protect that knowledge. Continuity plays an important role when it comes to seamless productivity, but management needs to know everything, and that jeopardizes continuity. How likely is a certain threat to occur? What are the potential impacts of a particular vulnerability? We have to ask the right questions, find the right answers, and present them to management. Managing IT security means maintaining balance, finding the right resources, and maintaining a position that helps us move forward.

Are there any obligatory regulations in the industry that help to secure data?

Since Audi Hungaria is part of the Volkswagen Group, both Hungarian and German regulations and standards apply. As a company, we have two main security standards, f.e. ISO 27001, ISO 21434, ISO 24089.  The last two standards that I mentioned stem from the United Nations Economic Commission for Europe (UNECE). The basic goal of meeting these regulations is to make sure the operation of automobiles cannot be compromised at any level.

The first standard relates to the Cybersecurity Management System (CSMS), and ensures the protection of the automobile throughout its entire lifecycle, from the initial design to the end of support. This includes risk assessments, cybersecurity audits, and thorough documentation, among many other requirements. CSMS mainly focuses on cybersecurity in the different phases of manufacturing and assembling automobiles.

The second important standard is the Software Update Management System (SUMS) which manages software updates in order to make sure they are transparent and traceable by external authorities. This entails regular assessments of certification of vehicles, manufacturer management systems, and crucially, meeting governance mechanisms. Software development in the automotive industry comes with regular audits. These are necessary if we want to maintain software integrity and make sure our products cannot be sabotaged.

As for self-driving cars, the main goal is to prevent any aspect of the operation of the vehicles from being compromised.

We need to identify and manage not only the risks of our company but also those of our suppliers.  As such, any supplier of the VW Group that works with sensitive group data must participate in regular audits in order to meet the necessary security standard, Trusted Information Security Assessment Exchange. The TISAX assessment is necessary for data that requires a high level of protection, including data stored by automotive manufacturers. For example, just this year, three subcontractors that work with the Volkswagen Group were attacked. If a breach occurs, it can compromise network communications and infect other connected companies. If that happens, a shutdown is possible, and that can lead to a massive decrease in procurement and production. To ensure the continuity of operations, it’s important to focus on the entire supply chain, not just on ourselves.

Have you experienced any attacks or security breaches as a CISO? If so, how did you react?

In this industry, attacks can be carried out against the companies directly or the automobiles themselves. The following example was not a malicious attack, but it’s a good example regarding my previous point about securing the entire supply chain. A few years ago, CrySys Lab launched a successful breach test in which found a vulnerability in the diagnostic software that connected to the Audi TT. The software had been provided by an external manufacturer, but by exposing its weak spot, the “attackers” were able to compromise the car by using reverse engineering. This example reinforces the aforementioned fact that all subcontractors need to provide a high level of protection to prevent breaches like this from happening.

Attackers can also target companies in the automotive industry. We maintain an ISMS with a high-maturity level, which is made up of the right process and technological elements,we use that against classic and new attack vectors

It is almost inevitable that an attack, whether targeted or untargeted, will be launched against a company. Malicious attempts like ransomware often target companies that will be forced to pay, for example, companies in the healthcare industry. However, there are many examples of attacks against organizations in the automotive industry.

In 2020, Honda Motor and KIA Motors also suffered a ransomware attack. Their networks and production were sabotaged, and massive technical difficulties resulted.

A huge enterprise like Audi has thousands of computers, used for everything from software development to automation to corporate communications. How do you minimize the risk of a potential cybersecurity attack?

Prevent, detect, react! The right security mindset starts with prevention.

We need to take every possible preventative security measure to avert a potential breach. The next step is detection. If and when an attack does occur, we need to be able to detect it as soon as possible. Time is a huge factor in this stage, and minimizing the time it takes to detect an attack is crucial. And finally, there are multiple ways to react to a threat professionally. We are responsible for the security measures that protect the company.

Can you tell us about the security measures taken at Audi?

We take a robust perspective: our company policy and security regulations allow us to create protective measures in terms of process, organization, technology and physical security.

Audi Hungary has approximately 12,000 employees. With a workforce that large, you need standard security protocols and warnings, and we can only do that by working together with the right security mindset and awareness. Human resources and communication fields need to cooperate with employees. We create content that has a pull effect, rather than a push effect. For example, we organize regular security presentations and create compelling visual material so that it’s more engaging and interesting for our employees.

We also believe education is essential. We work with influencers who speak out about information security, making it more authentic and believable.

Communicational awareness is also important. We need to be transparent about security within the company. We trust our employees, and that strengthens us against external threats.

As a closing thought, what is some advice you have for other CISOs in the automotive industry?

The CISO role is a complex role. You need to be well-versed in the latest cybersecurity standards and technologies, and be able to integrate the necessary measures into company standards. You have to be a technician, but also a good politician. You can’t do anything without support from management. You need to understand the company culture, engage with management, and help them understand the value of investing in the protection you provide. Win over the management, understand the company, and implement the IT security processes accordingly.

As a CISO, you have the opportunity to create beautiful and useful things. It is complex, as I said, but if you do everything the way it should be done, satisfaction will be sure to follow. It is a great responsibility, but done correctly, it is an even greater opportunity.