TPISR – Third-Party Cybersecurity In the Automotive Industry

From high-performance mechanical parts to digital assistance and safety features, modern cars come equipped with an ever growing number of technological innovations. To help auto manufacturers protect design specifications and other sensitive information even as they work with third party suppliers, the Automotive Industry Action Group (AIAG) developed the Third-Party Information Security Requirements (TPISR): A cybersecurity standard meant to prevent leaks and data breaches across the supply chain. Read our guide to learn more about TPISR requirements and how IAM software can help you achieve TPISR compliance!

What Is the TPISR Standard?

Modern cars are an engineering marvel made up of as many as 30,000 individual parts. Since it would be impossible to manufacture each component in-house, car companies work together with a variety of third-party suppliers to create all the parts required to assemble a complete vehicle. However, this comes with its own set of challenges. Suppliers need access to designs and blueprints in order to produce parts exactly to specification, but car manufacturers need to protect technical data for their products in order to keep their edge in the global market.

In order to allow automotive companies to safely share protected information with their suppliers despite the growing threat posed by data theft, ransomware and zero day vulnerabilities, the Automotive Industry Action Group (AIAG) has composed a cyber security framework called TPISR (short for Third-Party Information Security Requirements). The standard outlines minimum safety requirements for businesses that receive, store and manage sensitive information from manufacturers in their own network. A unified framework like this has two big advantages:

  • 1

    Original equipment manufacturers (OEMs) can be sure that their data is protected.

  • 2

    A supplier only needs to be assessed once to work with any OEM that uses the standard, rather than having to prove their trustworthiness over and over again.

The sale of counterfeit car parts not only accounts for millions of dollars of lost revenue each year, but can also pose a safety hazard for passengers, since fake parts are often built from less durable materials and may fail under stress.

Which Companies Use TPISR?

TPISR was published in 2018 by AIAG, an industry association originally founded by the three largest automotive companies in North America: Ford, Chrysler and General Motors. However, membership of the AIAG has since grown to over 4,000 companies from around the world. Members include OEMs such as GM, Ford, Fiat Chrysler, Honda or Toyota, as well as Tier 1 Suppliers such as Delphi, Lear, Magna or Robert Bosch. Tier 1 Suppliers are companies that provide parts directly to OEMs. They might themselves rely on other businesses, which are considered Tier 2 Suppliers, and so on.

However, while TPISR outlines minimum safety requirements that third parties are strongly encouraged to implement, OEMs are not currently required use TPISR. Manufacturers that are part of the AIAG are still free to set their own priorities in business partnerships, including the option to enforce more strict cybersecurity standards.

The German Association of the Automotive Industry has developed its own cybersecurity standard called TISAX (Trusted Information Security Assessment Exchange). Because of the global nature of the automotive industry, there is quite a bit of overlap between OEMs and suppliers that use TPISR and TISAX. You can learn more about TISAX certification in our guide on the subject.

Who does TPISR apply to?

TPISR defines a third party as any organization or business that creates, collects, stores, transmits, manages or transmits information from original equipment manufacturers outside of the OEM’s network, i.e. using their own computer systems or cloud-based services. As you may have noticed, this describes almost any business that exchanges digital information with a car company.

Ultimately, whether TPISR certification is required or not depends on the specific business relationship between an OEM and a third-party organization. However, most of the requirements laid out in the safety standard are considered best practices in the field of cybersecurity anyway, so companies are well advised to implement these fundamental safety measures regardless.

In this digital age, basic cybersecurity as well as cyber insurance should be part of any company’s risk management strategy. The costs associated with hacks, malware and data breaches can prove catastrophic without these forms of mitigation.

You can learn more about the benefits of identity and access management for automotive companies and how IAM can help your organization meet its compliance goals in our overview on Access Management for Automotive Companies.

Unauthorized attempt to download copyrighted data is prevented by IAM software.
TPISR compliance demands physical and logical access control. Adobe Stock, (c) chinnarach

TPISR Requirements: What Suppliers Need to Know

The requirements laid out by TPISR cover both physical and logical controls meant to secure access to protected information, as well as general responsibilities of information security such as employee education. Some passages act only as a general guideline, whereas others set very specific demands. In general, TPISR is divided into 9 chapters, each comprised of a number of unique items. Our list provides a few examples for each area:

  • Information Security Program: security awareness, compliance monitoring, risk management processes

  • Logical Access Controls: password length and expiration, data encryption, regular user access reviews

  • Physical Security: protection from theft, power outages, natural disasters

  • Vulnerability Management: antivirus usage, regular updates and vulnerability scans

  • Incident Response: collecting and reviewing security events, notifying OEM if necessary

  • Data Retention: record management, secure media disposal

  • External Audits: annual security assessments, compliance with other relevant standards like the SOX Act or PCI DSS

  • Communications: no public disclosure of protected information

  • Availability Management: business continuity and data restoration strategies

TPISR, NIST CSF & ISO 27001: What’s the Difference?

Although the Third-Party standard is specific to the automotive industry, the AIAG based its requirements on existing standards for IT security wherever possible. This approach is meant to aid compliance, since it allows businesses to draw on additional resources and build on previous certifications. In particular, TPISR draws on the international standard ISO 27001 and two publications by the National Institute of Standards and Technology: NIST 800-53 and NIST 800-171.

This means that organizations that have already implemented the NIST Cybersecurity Framework or an Information Security Management System based on ISO 27001 are well on their way to implementing this policy. The available documentation even highlights which requirements map to which chapters in these frameworks.

What does TPISR Not Cover?

The Third-Party Information Security Requirements cover controls meant to improve the general cybersecurity of companies that produce automotive parts. It does not extend to vehicle cybersecurity itself, i.e. the protection of software and hardware components within cars. The security of connected cars falls under different safety standards like UNECE WP.29, which deals with topics such as incident response and over-the-air updates.

TPISR and IAM: Protecting Sensitive Data

The policy includes physical and organizational safety measures, as well as a wide range of technical demands that suppliers must meet. While IAM software does not cover every aspect of the security standard (subjects like data recovery, encryption and antivirus usage, for instance, typically require dedicated tools), identity and access management offers a solid foundation for securing access to critical data.

By providing a central platform for managing user accounts across your company network, cloud-based services like MS 365 and third-party applications like SAP, tenfold makes it fast and easy to track permissions and restrict access to sensitive data in accordance with the Principle of Least Privilege. To top it off, tenfold documents every change made to users and access rights, providing you with detailed reports on current and past permissions to complete your audit trail. The following overview shows some of the TPISR requirements that tenfold helps you meet.

Logical Access Controls

TPISR stipulates that access rights must be “granted on a need-to-know basis“, “reviewed periodically to determine if access is appropriate” and “revoked when access is no longer required”.

tenfold‘s approach of role-based access control ensures that employees are only granted rights they actually need to do their job. By assigning permissions to groups instead of users, access rights are adjusted automatically when accounts are moved to a different group or removed entirely. Automating user lifecycle management like this prevents old access rights from being “forgotten” and turning into a possible security risk and compliance violation.

Additionally, tenfold‘s recertification feature allows you to define regular intervals for reviewing access rights. tenfold then automatically sends reminders to the relevant stakeholders or data owners, asking them to confirm whether permissions they have granted are still needed. Outdated permissions can be removed with a single click.

Password Controls

The tenfold dashboard automatically highlights accounts without password expiration, allowing you to make sure all user and device accounts meet the requirements set forth by the AIAG. It also brings many other common file server and Active Directory problems to your attention, letting you fix various issues with a single click.

To reduce the strain that password management puts on IT admins, tenfold‘s self-service interface also allows users to reset their own password (or a supervisor, if the account is inaccessible). To do so, employees are directed to an external platform where they must verify their identity through pre-defined checks.

External Audits

tenfold‘s documentation and reporting features help third parties verify compliance with the TPISR standard. All changes made to users and access rights are automatically recorded, including permissions that were granted through custom workflows, whether access rights were renewed or revoked during the access review process and, most importantly, by whom.

Upon request, tenfold will also generate reports that summarize the effective permissions held by an account at present or at any point in the past. This allows you to prove that access to critical data was kept to a need-to-know basis and, in the event of a security incident, makes it easy to reconstruct who had access to sensitive information.

tenfold Access Management – Compliance Made Easy

It’s fast and easy installation, large set of out-of-the-box plugins and competitive price point make tenfold the IAM solution of choice for midmarket organizations. Take control of access rights with our easy-to-use interface and wide range of powerful features. tenfold makes user management both more efficient and more secure, allowing you to automate many routine processes while still following IT security best practices. Best of all, tenfold‘s access review and reporting features help you achieve and prove compliance with security standards like SOX, NIST, HIPAA, ISO 27001 and more. Sign up for a free trial today!

White paper

Identity & Access Management Solutions Compared

Our white paper will help you navigate the IAM market, familiarize you with available products and explain key questions to ask yourself when evaluating IAM solutions.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.