VinCSS & C2A Security’s strategic partnership fortifying compliance and vehicle security in the connected car era

Automotive Industries interview with Tin T. Nguyen, Director, Automotive Cybersecurity Services, VinCSS

In the dynamic realm of automotive cybersecurity, where innovation intertwines with the imperative of safeguarding connected vehicles, strategic collaborations emerge as indispensable tools for progress. In a dialogue with Tin T. Nguyen, Director of Automotive Cybersecurity Services at VinCSS, we delve into the motivations and aspirations behind VinCSS’s recent partnership with C2A Security, marking a significant stride towards automating compliance and fortifying vehicle security.

Nguyen sets the stage by articulating VinCSS’s perpetual quest for enhancement. The burgeoning complexities in EV cybersecurity underscore the necessity for synergistic alliances. Nguyen emphasizes that tackling these challenges solo is no longer tenable. Instead, the quest for adept partners becomes paramount, particularly in navigating the expanding landscape of potential cyber threats.

The integration of C2A Security’s EVSec platform into VinCSS’s operational framework is poised to revolutionize cybersecurity compliance for connected vehicles. Nguyen envisions seamless assimilation of this platform into daily operations, envisioning it as an indispensable tool in orchestrating security implementations across the lifecycle of current vehicle projects for OEMs and Suppliers. This integration promises to empower VinCSS’s teams, from engineers to project managers, with streamlined processes and enhanced efficiency.

The joint Proof of Concept (PoC) between VinCSS and C2A Security assumes pivotal significance in advancing product cybersecurity automation and vulnerability management. Nguyen elucidates on the critical role of the PoC phase in evaluating alignment with existing operations, identifying areas for improvement, and preemptively addressing potential gaps. This meticulous groundwork sets the stage for a robust and resilient cybersecurity framework.

In terms of regulatory compliance, Nguyen highlights the pivotal role of the integration in aligning with ISO 21434 standards in order to achieve compliance to mandatory regulations such as UN R155. Having completed four end-to-end OEM vehicle homologation projects this past year alone with another two on the horizon this year, from security design through implementation and achieving compliance to UN R155 and 156, VinCSS recognizes that the EVSec platform’s tailored design can ensure meticulous mapping of compliance efforts. This will bolster not only operational clarity but also raise the bar for cybersecurity standards across the automotive industry.

Reflecting on VinCSS’s trajectory in the cybersecurity domain, Nguyen underscores the evolution from traditional enterprise cybersecurity services towards pioneering endeavors in passwordless technologies. Acknowledged as a leader in passwordless authentication technology by Frost & Sullivan in both 2022 and 2023, VinCSS is poised to transcend boundaries with its foray into automotive cybersecurity, with products and services that catalyze advancements in the new Software Defined Vehicle (SDV).

As automotive markets grapple with increasingly stringent regulations, VinCSS remains resolute in its commitment to innovation through collaboration. The connected car attack surface continues to grow exponentially along with the risk of exploitation, and the only way to adhere to the key principle of defense-in-depth is through this collaboration with other subject matter experts. Nguyen underscores the symbiotic relationship between VinCSS’s expertise and and key global partners in assisting OEMs and Suppliers achieve the most effective and thorough coverage of vulnerabilities across the connected car ecosystem.

In conclusion, the discourse with Tin T. Nguyen illuminates VinCSS’s unwavering dedication to fortifying automotive cybersecurity through strategic partnerships, technological innovation, and a relentless pursuit of excellence. As the automotive industry charts a course into an era defined by emerging technologies and evolving threats, VinCSS stands poised at the vanguard, shaping the contours of a more secure and resilient automotive landscape.

—-NOTES ONLY—-

Automotive Industries interview with Tin T. Nguyen, Director, Automotive Cybersecurity Services, VinCSS

Automotive Industries: Hi Tin, what drove VinCSS to partner with C2A Security for the joint project on automating compliance and vehicle security?

Nguyen: My team is always looking to improve how we do things. The cybersecurity for EVs gets increasingly complex by the day and we realize that this is not something that we can tackle by ourselves. So, we need to find the right partners in helping us cover down on the growing attack surfaces, and automating that is so critical in allowing us to scale and more effectively manage that coverage.

Automotive Industries: How does VinCSS envision the integration of C2A Security’s EVSec platform enhancing cybersecurity compliance for connected vehicles?

Nguyen: It’ll be a part of our daily operations. I see it as a way to help me better plan for and execute the security implementation for our vehicle projects across the whole lifecycle of the projects. It’ll be integrated into the daily workflow of my engineers, testers, project managers, and management team in helping us more efficiently streamline efforts.

Automotive Industries: Could you elaborate on the significance of this joint Proof of Concept (PoC) in terms of advancing product cybersecurity automation and vulnerability management?

Nguyen: The POC phase is critical in seeing how the product will align with and improve our current operations. We’ll get a chance to see where it can specifically improve on our weaknesses while simultaneously showing us where gaps may still exist. This will allow us to iron out any details and potential issues before moving into a full production stage.

Automotive Industries: What specific standards and regulations do you anticipate this integration to better comply with, and how will it benefit the automotive industry?

Nguyen: This will allow us to better track our compliance to the new ISO 21434 standard which in turn allows us to align with global cybersecurity best practices and mandatory regulations such as UN R155. The EVSec platform is designed specifically to map our efforts to ISO 21434 so we maintain clarity on what has been done and what needs to be done.

Automotive Industries: Mr. Nguyen, can you share some insights into VinCSS’s journey in consolidating its position in the cybersecurity industry over the past five years?

Nguyen: VinCSS started off as a “traditional” cybersecurity company in that it was all about providing key services first – both red and blue team services, to include but not limited to penetration testing, security operations, incident response, threat hunting, etc. As capabilities grew, we created our R&D team which now mostly focuses on passwordless technologies. Our production efforts have now been recognized twice by Frost & Sullivan, in 2022 and 2023, as being a leader in passwordless authentication technology. My team, the automotive team is the newest addition to VinCSS, starting off first with the provisioning of services to ensure EV compliance to the new global standards and regulations, but also to grow the security capabilities across the whole ecosystem of the connected car. Next steps include our new R&D efforts for security products.

Automotive Industries: With automotive markets increasingly stringent with regulations such as UN R155, R156, and China’s GB standards, how does VinCSS plan to address the rising demand for advanced cybersecurity solutions?

Nguyen: We realize this is not a game that can be won by ourselves. The key is to maintain the right partnerships that allow us to increase our capabilities jointly. That’s why C2A is in the picture. Both our teams have complimenting strengths that provide us the ability to provide greater defense in depth for the OEM.

Automotive Industries: How does VinCSS’s expertise complement C2A Security’s automated risk management technology, and what synergies do you foresee in future collaborations?

Nguyen: Our biggest strength is our experience on the OEM side. To date, we’ve completed 4 cybersecurity homologation projects in achieving compliance to UN R155, end to end. Meaning, we’ve been part of the projects from planning and design, through all stages of the V-Model, through to operations where we’re now also monitoring vehicles on the road. We have another 4 cybersecurity homologation audits that need to be done in this next year as well. Pairing with C2A, our workflow and project management becomes less of a burden as doing things manually not just weighs us down in terms of time and effort, but allows risk to creep in with the possibilities of human error. It’s a pairing of the human and technological efforts to achieve optimal results. Seeing as we’re in our initial steps right now, the future may bring on additional collaborations in how we integrate C2A products into other aspects of cybersecurity program management.

Automotive Industries: Could you provide examples of how VinCSS has supported automotive clients in achieving certifications such as UN R155 and R156?

Nguyen: Our efforts span across the OEM and Tier 1 supplier environments. As the organic arm of an EV OEM, we sit alongside their engineering teams throughout the entire lifecycle of a vehicle project, advising on the design and implementation of cybersecurity into the vehicles and the connected environment. We’ve helped the OEM obtain the Certificate of Compliance for UN R155 and 156 on the Organization level – establishing the Cyber Security Management System (CSMS) and the Software Update Management System (SUMS), as well as obtain the Certificates of Compliance across 4 vehicle models this past year alone, with another 4 on the way. For Tier 1 suppliers, we have consulted and advised on how they can comply with ISO 21434 standards in order to support OEM efforts in obtaining UN R155/156 compliance. We also stand side by side the suppliers from the supplier evaluation and requirements stages through the implementation and post-operational support phases, not just advising about how they can conduct risk assessments and security implementation, but also conducting component level testing on their modules etc.

Automotive Industries: As a leading player in the automotive cybersecurity space, what does VinCSS envision for the future of automotive security, particularly in light of emerging technologies and evolving threats?

Nguyen: I think it’s easy to say that we’re going to see an increase in service and product providers, however I’d actually like to tackle the answering of this question from a grassroots level. I think that we’re going to start seeing (and have already started seeing) more foundational education efforts for automotive security. Currently, the vast majority of auto security experts are converts, meaning they’re engineers with more traditional electrical engineering backgrounds who have learned and pivoted to security. They’re brilliant with auto security, but there’s still a gap in traditional network security knowledge. Now, we’re starting to see traditional network security experts moving into automotive, having to learn the engineering side. We’re also starting to see education at the university level. Particularly, VinCSS is currently in the process of establishing a relationship with an international university in contributing to their automotive cybersecurity program. You’re going to see younger generations of specialists with both the network security AND engineering backgrounds that we need to really tackle the problems associated with the new Software Defined Vehicle (SDV).