
Penetration tests to prove cyber security in IATF 16949

Discussion in 'IATF 16949:2016 - Automotive Quality Systems' started by afer1964, Mar 19, 2024.

  1. afer1964

    afer1964 New Member

    Which of you has successfully commissioned or completed a cyber security penetration test and thus passed the re-certification audit? Which service providers from the IT world can you recommend? Which certifications from IT service providers are required?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    "Pen testing" as part of IATF 16949? Really?
     
  3. afer1964

    afer1964 New Member

    Yes, in Germany, Austria, etc.
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    There's no requirement in IATF 16949 which relates to penetration testing of a cyber security system. Can I ask why the question?
     
  5. yodon

    yodon Well-Known Member

    Setting the compliance to 16949 question aside (which I can't answer anyway as I'm not in that field)...

    Please clarify whether you are asking about pen testing for product-related software (e.g., software that can enable car shut-down or enable you to remotely unlock the doors) or for your internal network.

    Generally, pen testing needs to be done by test specialists equipped to do such testing. They have to really hammer on the exploit attempts and that requires automated testing. I don't know of any certifications for completing pen testing on product software. If you're talking about your internal network, you can get certified to ISO 27001 (but that's more than just cybersecurity / pen testing).
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Here's my guess: IATF 16949 requires, as part of the organization's contingency planning, that it includes not just the "normal fire, flood, plague" etc. but also a breach of cyber security. I'd wager at least $5 that an auditor, having learned a little bit about some aspects of cyber security, now "expects" the organization to demonstrate penetration testing...

    I'll happily donate the $5 if I'm not (somewhat) correct. BTW, in Germany, the so-called VDA "TISAX" requirements for information security of automotive (prototype) products are gaining acceptance. Things are getting out of hand IMHO...
     
  7. Golfman25

    Golfman25 Well-Known Member

    No way I take that bet. Probably 100% dead on.
     
  8. afer1964

    afer1964 New Member

    Thanks for your initial answers.
    It's about the IT remote location of a global corporation in the automotive supply industry. They have 280 employees on all continents in IT and are TISAX certified because of the VDA, ISO 14001, ISO 5001, and IATF 16949.
    Conclusion from the Cyber Security Assessment Tool (CSAT):
    After reviewing the CIS Controls™ (v8.0) questionnaire, described in detail later, the current overall maturity level of the Company cybersecurity program and practices matches level 3 – rationalized (from max. 4). The organization’s maturity level is based on the lowest scored CIS control, gathered during the interview with the security team.
    The CSAT questionnaire is based on the CIS Controls, aiming to provide relevant information on your IT processes. In addition, the questionnaire also contains some questions connected to the ISO27001:2022 controls.
    The overall impression is very good, which is also reflected in the company score of 3.4, which is one of the highest among the assessments carried out to date.

    I know from experience that the auditor wanted to see objective results of the penetration test and unfortunately that is not available.

    You're right, Andy :)
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Thanks! Your IATF 16949 auditor is operating out of scope. What they are asking for is NOT A REQUIREMENT. Did they write a non-conformity?
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    If the Certification Body auditor knew anything about cyber security (regardless of the particular content in IATF 16949), they should have asked about the level of awareness of email, SMS and other types of phishing attacks among the organization's personnel, including how to respond! Those who have at least got some background in information security can tell you that they pose the biggest threat, since few know a) how to recognize them and b) how to deal with them.