Cybersecurity

Modern vehicles are no longer composed solely of mechanical systems, but are equipped with complex electronic and software components. This transformation has made cybersecurity a critical area in the automotive industry.

As experts at GAES, we offer cybersecurity solutions compliant with the ISO/SAE 21434 standard and the UNECE R155 regulation, supporting the security of your vehicles throughout their entire lifecycle.

Our service portfolio includes, among others, the establishment of a Cybersecurity Management System (CSMS), Threat Analysis and Risk Assessment (TARA), security architecture design, penetration and fuzz testing, security validation of V2X, CAN and OTA systems, and corporate training.

The protection of in-vehicle and external connections, data protection, and the robustness of update mechanisms are our key focus areas, and we conduct in-depth testing in each of them. Our consulting and technical testing services provide strategic value not only for OEMs but also for suppliers within the framework of type approval processes (CoC/COP) and R155 conformity assessments.


Below you can view the details of our services provided within the framework of automotive cybersecurity:

  • GAP Analysis and Establishment of a Cybersecurity Management System (CSMS)
  • Application of Threat Analysis and Risk Assessment (TARA) and development of the cybersecurity concept
  • Definition and execution of testing and validation strategy
  • Supplier Management
  • Auditing, Certification, and Type Approval

The GAP analysis service provided by GAES compares your organization’s existing cybersecurity practices with the requirements of ISO/SAE 21434 and UNECE R155, systematically identifying shortcomings and areas for improvement.

As a result of the analysis:

  • The extent to which the current organizational structure complies with the relevant regulations is determined,
  • Weaknesses in processes, documentation, and technical solutions become clear,
  • A strategic roadmap is created to achieve the targeted level of compliance.

Following the GAP analysis, building on the findings, we establish a tailored CSMS infrastructure. During this process, we:

  • Develop management guidelines and a responsibility matrix,
  • Integrate the TARA (Threat Analysis and Risk Assessment) process,
  • Ensure the traceability of cybersecurity work products,
  • Ensure consistent documentation of processes according to ISO/SAE 21434,
  • Establish mechanisms for internal audit, corrective actions, and continuous improvement.

Why is it important?

CSMS is not merely a collection of documents, but a security culture that ensures the organization is systematically prepared to handle cyber threats throughout the vehicle’s entire lifecycle. Successful implementation of CSMS is a prerequisite for R155 type approval and provides a significant competitive advantage in collaborations with OEMs.

The electronic control units (ECUs), wireless communication protocols, and software systems used in modern vehicles are exposed to increasingly complex threats. Therefore, identifying cyber threats and controlling risks in the early stages of the vehicle development process is a fundamental prerequisite for safety and regulatory compliance.

At GAES, through TARA conducted in accordance with ISO/SAE 21434, we determine how vulnerable system components are to potential threats. During this process, we:

  • Define system assets and valuable resources,
  • Model potential attack paths,
  • Calculate risk scores based on damage event scenarios and probability analyses,
  • Define and prioritize cybersecurity goals based on the results.

The TARA outputs serve as the basis for creating work products fundamental to cybersecurity engineering and are structured in accordance with the requirements of UNECE R155 Annex 5.
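As an added illustration of the scoring step described above (example code, not GAES's own tooling), the following script rates each attack path's feasibility from five attack-potential factors, combines it with the damage scenario's impact rating through a risk matrix, and ranks the results so that cybersecurity goals can be prioritised. The factor values and thresholds are reproduced from ISO/SAE 21434 Annex G as I recall them, the risk matrix is illustrative, and the two assets and attack paths are constructed sample data.

```python
# Added illustration, not GAES's tooling: a minimal TARA risk calculation in the
# style of ISO/SAE 21434: attack potential -> feasibility rating -> risk matrix.
# Factor values as in ISO/SAE 21434 Annex G (reproduced from memory; an
# assumption to verify against the standard before real use).
FACTORS = {
    "time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}
IMPACT = ["negligible", "moderate", "major", "severe"]
FEASIBILITY = ["very low", "low", "medium", "high"]
# Illustrative risk matrix (rows = impact, columns = feasibility, very low..high).
# Assumed for this example; an organisation defines its own matrix in its TARA.
RISK_MATRIX = [[1, 1, 1, 1], [1, 2, 2, 3], [2, 3, 3, 4], [2, 3, 4, 5]]

def attack_potential(path):
    """Sum the five factor values of an attack path (lower = easier to carry out)."""
    return sum(FACTORS[name][path[name]] for name in FACTORS)

def feasibility(path):
    """Map attack potential to a feasibility rating (Annex G thresholds, assumed)."""
    p = attack_potential(path)
    return "high" if p <= 13 else "medium" if p <= 19 else "low" if p <= 24 else "very low"

def risk_value(impact, feas):
    return RISK_MATRIX[IMPACT.index(impact)][FEASIBILITY.index(feas)]

def assess(scenarios):
    """Return (risk, asset, damage scenario, attack path, feasibility), highest risk first."""
    rows = []
    for s in scenarios:
        for path in s["paths"]:
            feas = feasibility(path)
            rows.append((risk_value(s["impact"], feas), s["asset"], s["scenario"], path["desc"], feas))
    return sorted(rows, key=lambda r: r[0], reverse=True)

# Constructed sample: two assets, each with one damage scenario and one attack path.
SCENARIOS = [
    {"asset": "OTA update client", "scenario": "unauthorised firmware installed", "impact": "severe",
     "paths": [{"desc": "forged update accepted without signature check", "time": "<=1 week",
                "expertise": "expert", "knowledge": "restricted", "window": "moderate", "equipment": "specialized"}]},
    {"asset": "infotainment CAN gateway", "scenario": "spoofed warning shown to driver", "impact": "moderate",
     "paths": [{"desc": "message injection via diagnostic port", "time": "<=1 day", "expertise": "proficient",
                "knowledge": "public", "window": "difficult", "equipment": "standard"}]},
]

if __name__ == "__main__":
    for row in assess(SCENARIOS):
        print(row)
```

The ranked rows are the input to the prioritisation step: the highest-risk damage scenario is the one whose cybersecurity goal and countermeasures are addressed first.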

Solutions developed to reduce identified security risks are integrated into the system architecture as a cybersecurity concept. Within this framework, we:

  • Define technical controls and countermeasures related to security goals,
  • Develop solution proposals for communication security, data integrity, access control, and software update mechanisms, among others,
  • Ensure the traceability of security requirements throughout the design process.

This approach lays the foundation for sustainable cybersecurity throughout the product’s lifecycle.

The effectiveness of cybersecurity measures depends not only on how well they are specified in guidelines but also on how they hold up in practice. In accordance with the requirements of ISO/SAE 21434 and UNECE R155, GAES ensures not only the development of the testing strategy but also its professional execution, thereby making vehicle cybersecurity measurable.

Defining the Strategy

The first step in the testing process is to develop validation plans that align with security requirements and system architecture. Within this framework, we:

  • Assign appropriate testing methods to each security goal,
  • Identify attack surfaces of critical system components (CAN, TCU, OTA, Bluetooth, Wi-Fi, etc.),
  • Define the scope, methodology, and success criteria of testing,
  • Optimize repetitive testing with automation infrastructures where necessary.

Execution

Building on the defined strategy, GAES experts conduct comprehensive testing activities in on-site or laboratory environments:

  • Functional tests: Examining whether the defined security requirements function correctly within the system.
  • Fuzz testing: Measuring software fault tolerance at interfaces and protocols by applying unexpected data inputs.
  • Penetration tests: Uncovering system vulnerabilities by simulating real attack techniques.
  • OTA and wireless security tests: Examining software updates, as well as Bluetooth and LTE connections, from the perspective of encryption, authentication, and access control.

Verification of Security Performance

Documenting test results is crucial for strengthening customer confidence and demonstrating technical compliance during R155 type approval processes. GAES’s testing expertise extends not only to identifying problems but also to providing development and improvement recommendations that support sustainable cybersecurity.

In the automotive industry, vehicle manufacturers’ cybersecurity obligations are not limited solely to their own systems. UNECE R155 mandates a security approach that extends to the entire supply chain and expects manufacturers to establish structures that enable them to oversee the processes of their suppliers. In this context, supplier management becomes a strategic responsibility for cybersecurity compliance.

The supplier management service provided by GAES supports OEMs and Tier 1 suppliers in aligning their technical and process collaborations with subcontractors with the requirements of ISO/SAE 21434 and UNECE R155. Within this framework, we:

  • Define compliance expectations and minimum security criteria for suppliers,
  • Verify the accuracy and consistency of work products (cybersecurity goals, TARA outputs, V&V documentation),
  • Analyze and prioritize supplier risk levels,
  • Develop auditing plans and evaluation criteria,
  • Conduct the CIA (Cybersecurity Interface Agreement) process.

Supplier Audit and Training Support

GAES does not merely evaluate technical documentation but also organizes internal audits, training, and awareness programs for suppliers. As a result:

  • Suppliers’ cybersecurity maturity increases,
  • Contribution to OEMs’ security goals is strengthened,
  • Unexpected compliance discrepancies arising during type approval processes can be prevented.

Benefits and Impact

  • Minimization of security vulnerabilities originating from suppliers,
  • Regulatory compliance throughout the entire supply chain,
  • Strengthened technical preparedness and sense of responsibility among suppliers.

GAES treats supplier management not merely as a control mechanism but as an integral part of a long-term cybersecurity culture.

Audit, Certification, and Type Approval

The UNECE R155 regulation and the ISO/SAE 21434 standard require not only that automotive products be technically secure, but also that this security be managed in a documented, auditable, and sustainable manner.

In line with these expectations, GAES provides comprehensive audit, certification, and type approval consulting services for vehicle manufacturers and suppliers, supporting them in ensuring full and consistent regulatory compliance.

Internal and External Audit Support

  • Conducting internal preparatory audits (pre-assessment) to assess the level of regulatory compliance
  • Auditing CSMS processes according to the requirements of UNECE R155 and ISO/SAE 21434
  • Establishing internal audit procedures that extend to the supply chain
  • Developing corrective and preventive action plans in case of non-conformities and deficiencies

Certification Process Consulting

  • Supporting the preparation of CSMS conformity reports (audit reports) falling under the scope of ISO/SAE 21434
  • Technical review of work products based on ISO/SAE 21434 before submission to independent evaluators
  • Providing technical expert support during third-party certification audits

Type Approval Process Management

GAES provides vehicle-level type approval services as a designated technical service under UNECE R155. Within this framework, we:

  • Conduct CSMS audits (cybersecurity audit) and support the issuance of CSMS Certificates of Compliance (CoC)
  • Perform vehicle-level cybersecurity assessments as part of type approval procedures
  • Fully manage mandatory triennial CSMS audits
  • Analyze the impact on type approval in case of design modifications and implement necessary update steps