In the world of project management, the three sides of the “Iron Triangle” are Cost, Time and Quality. The age-old cliché about them is that “you may pick two” to improve, but you can never have all three without reducing scope. In other words, if you want to bring something to market quickly and cheaply, then something will have to give, e.g. quality.
Regarding automotive cybersecurity, the convergence of recent events, specifically the spreading coronavirus and the divisive post-election rhetoric, means that automotive manufacturers who need to meet the new United Nations Economic Commission for Europe (UNECE) automotive cybersecurity requirements in the next eighteen months will struggle to sustain the three sides of the Iron Triangle. Outside forces will, in fact, want to shrink all three sides, and yet none of those are viable choices or tradeoffs.
So let’s look at the major influences, Increasing Coronavirus and Post-Election Conflict, and subsequently understand how the auto industry will need to consider such tradeoffs. And, to not be all doom and gloom, let’s discuss a possible solution that might deliver a win-win.
In the past few weeks, another wave of Covid-19 has hit multiple continents with renewed force. The United States jumped above 120,000 cases on several days in the first week of November and is averaging over double October’s average cases. Additionally, France, Germany and England have all imposed new lockdowns in that same timeframe. As previously experienced in Q2 of 2020, such increases in infections and the associated lockdowns will likely interfere with global manufacturing, new vehicle rollouts, supplier sourcing and corporate budgets. The world has learned to cope with some of the hardship of sheltering-in-place, but manufacturing and shipping cannot easily overcome lockdowns.
Effect on Time: In the European Union, the new regulations for cybersecurity will be mandatory for all new vehicle types from July 2022, and will eventually become mandatory for all new vehicles produced after July 2024. If manufacturers fail to meet the approaches laid out by the standard (ISO 21434), which essentially require each brand to 1) manage vehicular risks, 2) secure the vehicles by design to mitigate risks along the value chain, 3) detect and react to ongoing risks and 4) provide secure software updates, they will not be permitted to sell those vehicles on multiple, participating continents. Given the historical difficulty in quickly ramping up a qualified cybersecurity team, the path to meet timelines for many manufacturers would have been to hire third-party experts. However, Covid-19’s surge will likely freeze 2021 budgets in Q1, which will make meeting the deadline all the more difficult.
Effect on Cost: Given that likely decrease in time, the manufacturers will likely need to pay employees or contractors “premium