All FAQs

Concise answers to common queries about our products, company and the connected
vehicle ecosystem.

What roles do Sibros and our customers play under the GDPR?

Under the GDPR, Sibros acts as a data processor for the personal data that Sibros processes on behalf of our customers through their use of the Deep Connected Platform™. Sibros will only collect, access, store, and process this data as instructed by our customers.

Sibros customers are the data controllers for the personal data that is collected and processed through their use of our Deep Connected Platform because they “determine the purposes and means” of processing this data. Customers determine what data is collected and for what purpose(s), including the timing and frequency, and have the ability to create and run custom reports on their data.

How does Sibros comply with the GDPR?

Sibros has implemented various systems, procedures, and documentation to comply with and support our customers’ compliance with the GDPR, including the following:

Customer DPA and Data Transfer (SCCs) Terms:  

Sibros’ Data Processing Agreement (our “Customer DPA”) includes standard data protection terms applicable to the processing of personal data and the provision of our services, which are tailored to address the unique aspects of Sibros' services and reflect our data security procedures. Our Customer DPA incorporates:

  • Data processing terms as required by Art. 28 of the GDPR;
  • Module 2 (controller to processor) of the EU Standard Contractual Clauses (the “SCC”);  
  • The UK International Data Transfer Addendum (“IDTA”) approved by the Information Commissioner’s Office (“ICO”) for applicable data transfers subject to the UK GDPR; and
  • A description of the technical and organizational measures Sibros has implemented and will maintain to ensure the security of customer data.

Subprocessor Compliance: 

Sibros has taken a number of actions to ensure that its use of subprocessors complies with applicable data protection obligations.  

  • Sibros has identified and maintains a list of its subprocessors, which can be accessed HERE.  Sibros may add or delete subprocessors at any time. Customers can subscribe to subprocessor update notifications from Sibros, and such notifications will be sent prior to processing of customer data by a new subprocessor. Customers may raise objections regarding new subprocessors in accordance with the terms of our Customer DPA with the respective customers.  
  • Sibros has entered into data processing agreements (including the SCCs and UK IDTA as applicable) with its subprocessors, which include equivalent terms to those which apply to Sibros under its Customer DPA.  
  • Sibros conducts due diligence and security reviews of its subprocessors prior to their processing of any customer personal data.
  • Key subprocessors include Amazon Web Services (AWS) and Google Cloud Platform (GCP), which have their own GDPR compliance programs in place, available here:
      • AWS: https://aws.amazon.com/compliance/gdpr-center/
      • GCP: https://cloud.google.com/privacy/gdpr and https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr

Data Transfers: 

Our Deep Connected Platform products and services, as well as our technical support and corporate operations, are provided from the United States, Germany, France, the UK, and India. We employ a range of measures to ensure that customer data is secure and safe and to maintain the integrity, accuracy, and confidentiality of that data when it is transferred to these jurisdictions.  These measures include entering into agreements that include GDPR-compliant data processing terms and the EU SCCs and UK IDTA as applicable.  Sibros has also implemented procedures and updated its practices to respond to the Schrems II decision by the European Court of Justice.  See below for more information.

Data De-Identification: 

Sibros protects and manages the usage of PII, especially geolocation, and performs de-identification actions including deletion or obfuscation of personal data and identifiers associated with the end user, VIN, and GUID(s), including by masking or deleting other unique identifiers such as ESN. The remaining disassociated data is also subject to further data exclusion and masking, which may include random staggering of the data, character shuffling, random dictionary substitution, or deletion of data to make it statistically improbable that the remaining data can be correlated with a particular vehicle or end user.

How does Sibros help customers provide adequate notice and disclosures to data subjects?

As the data controller, our customers are responsible for providing notice and obtaining any required consent from data subjects. As the data processor, Sibros provides customers the opportunity to display and link to a GDPR-compliant privacy notice and, where relevant, consent language addressed to the end-users, i.e., the data subjects.  Our customers are responsible for providing the relevant notice or consent language and for managing any applicable notices and consents and configurations for such. 

Notice and consent language and implementation is configured for each customer during the onboarding process and can be updated and configured as necessary thereafter. Customers configure how and when consent is requested, logged, and subsequently stored. For example, Sibros provides customers with a mechanism for obtaining mandatory electronic consent for log collection and Over the Air (OTA) updates. Customers must obtain end-user consent and send or transmit confirmation of such consent to Sibros before initiating data collection from or deploying FOTA updates to a particular vehicle through the Platform.  

How does Sibros help customers respond to data subject requests?

Our customers, as the controllers of end-user personal data processed within the Platform, may have certain legal obligations to respond to data subject requests under the GDPR and other applicable regulations. Within our customer portals, customers have the ability to create and export custom end-user reports for some data. The ability to request the deletion of specific end-user data and otherwise manage end-user data is available via Support tickets under the category “Data Privacy Request.” Customers can submit a support ticket in the customer portal to request Sibros support for processing data subject requests. Sibros has established processes, as described below, to facilitate and support our customers in responding to data subject requests regarding Platform data.

Access and Data Portability 

Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Access Request” in their respective customer portal to request Sibros’ assistance in preparing and exporting a portable copy of end-user data associated with a particular Vehicle Identification Number (“VIN”).  To request an end-user access report, customers must provide the VIN for the relevant end user’s vehicle.  Data Access Request reports are provided to customers as a downloadable TAR File.

End User Access Report Format and Download

End-user access reports are compiled by Sibros as a TAR file and are usually processed within 10 business days.  Sibros will provide customers with a secure download link to access the report.  The link and end-user access report (TAR File) are available for 60 days, after which they expire.  

Deletion Requests

Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Deletion Request” in the customer portal to initiate an end-user deletion request for data associated with a particular VIN. To request deletion of personal data regarding a specific end user, customers must provide the VIN for the end user. Sibros processes deletion requests by deleting and/or disassociating the vehicle and device data from a particular end user within the Platform. Archived data that is stored as part of Sibros’ data backups is not subject to deletion and disassociation unless the backup data is restored by Sibros. However, backups are regularly deleted or overwritten (usually within 180 days).

Deletion Process

The end user's VIN is deleted from the relevant GUID asset table(s), which map vehicle and device-related data to a specific VIN within the Platform, and the relevant GUID(s) for the vehicle are also deleted from the asset tables, which severs the link between the end user and the corresponding vehicle and device-related data within the Platform. At this point, the device data cannot be associated with an end user without external data sources. It may take up to 15 days for a deletion request to be fully processed.
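The two mechanisms described in the Data De-Identification answer above and in this Deletion Process answer share one data model: telemetry is stored under a GUID, and the GUID is the only link back to a VIN/ESN. The following is an added example (not Sibros' code) of an in-memory stand-in for those asset tables; the field names (`vin`, `esn`, `guid`, `dealer`, `lat`, `lon`, `ts`), the staggering window, the geolocation precision and the substitution dictionary are all assumptions made for the illustration. A deletion request removes the VIN row and the GUID asset rows so the remaining records cannot be resolved to an end user, and the de-identification step strips direct identifiers and applies the kinds of masking the FAQ lists before data is exported.

```python
import random
from dataclasses import dataclass, field

# Added illustration, not Sibros' code: an in-memory stand-in for the GUID asset
# tables described in the FAQ. Telemetry is stored under the GUID only; the
# VIN/ESN live in separate asset rows that a deletion request removes.

@dataclass
class AssetStore:
    vin_to_guids: dict = field(default_factory=dict)  # VIN -> set of GUIDs
    guid_assets: dict = field(default_factory=dict)   # GUID -> {"vin": ..., "esn": ...}
    telemetry: dict = field(default_factory=dict)     # GUID -> list of records

DIRECT_IDENTIFIERS = ("vin", "esn", "guid", "user_id")  # assumed field names

def register_vehicle(store, vin, guid, esn):
    store.vin_to_guids.setdefault(vin, set()).add(guid)
    store.guid_assets[guid] = {"vin": vin, "esn": esn}

def record_telemetry(store, guid, record):
    store.telemetry.setdefault(guid, []).append(record)

def records_for_vin(store, vin):
    """VIN -> GUID(s) -> telemetry. Empty once the link has been severed."""
    found = []
    for guid in sorted(store.vin_to_guids.get(vin, ())):
        found.extend(store.telemetry.get(guid, []))
    return found

def process_deletion_request(store, vin):
    """Deletion request: drop the VIN row and the GUID asset rows. The device
    data stays in place but no longer has any key pointing back to a person."""
    guids = store.vin_to_guids.pop(vin, set())
    for guid in guids:
        store.guid_assets.pop(guid, None)
    return sorted(guids)

def deidentify(record, rng, geo_decimals=2, max_stagger_s=300):
    """Strip direct identifiers, then apply masking of the kinds the FAQ lists:
    coarsen geolocation, randomly stagger the timestamp, and replace a free-text
    location with a token from a fixed dictionary (values assumed)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for key in ("lat", "lon"):
        if key in out:
            out[key] = round(out[key], geo_decimals)   # ~1 km at 2 decimals
    if "ts" in out:
        out["ts"] = out["ts"] + rng.randint(-max_stagger_s, max_stagger_s)
    if "dealer" in out:
        out["dealer"] = rng.choice(["site-a", "site-b", "site-c"])  # constructed dictionary
    return out

def export_deidentified(store, rng):
    """Everything in the store, de-identified, as it would leave for analytics."""
    return [deidentify(r, rng) for recs in store.telemetry.values() for r in recs]

def build_sample_store():
    """Constructed sample data; the VIN, GUID and ESN values are placeholders."""
    store = AssetStore()
    register_vehicle(store, "VIN-CONSTRUCTED-001", "guid-aaa", "ESN-111")
    record_telemetry(store, "guid-aaa", {
        "guid": "guid-aaa", "ts": 1_700_000_000,
        "lat": 37.422951, "lon": -122.084058,
        "speed_kph": 42, "dealer": "Main Street Motors",
    })
    return store

def deidentify_sample(seed=1):
    """Convenience: de-identify the single constructed record deterministically."""
    return deidentify(build_sample_store().telemetry["guid-aaa"][0], random.Random(seed))

if __name__ == "__main__":
    store = build_sample_store()
    print("before:", records_for_vin(store, "VIN-CONSTRUCTED-001"))
    print("deleted GUIDs:", process_deletion_request(store, "VIN-CONSTRUCTED-001"))
    print("after:", records_for_vin(store, "VIN-CONSTRUCTED-001"))
    print("export:", export_deidentified(store, random.Random(1)))
```

The point to notice is that the deletion path and the export path protect different things: deletion severs the key relationship so a VIN can no longer be resolved, while de-identification removes and blurs the identifying content inside each record, which is what matters for data that continues to be reported on after the link is gone.
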

Other Data Subject Requests

Sibros collects vehicle and device data as it is generated by the vehicle or device and, as such, is not able to verify inaccuracy or “correct” any vehicle and device data that is generated and processed within the Platform. To request support from Sibros to process a correction or other data subject request, customers may submit an “Other Data Request” ticket and provide the relevant VIN for the end user. 

Does Sibros' customer DPA work for global companies?

Yes, Sibros has customers in many jurisdictions worldwide, which is why our data processing terms are drafted broadly to address data protection requirements around the globe. Our Customer DPA incorporates the core privacy principles on which many international data protection law regimes are built and uses the strict GDPR framework as baseline language.

Will Sibros review law enforcement requests to ensure requests for disclosure of data are reviewed and managed appropriately?

Yes. As an important privacy safeguard, Sibros is committed to ensuring that law enforcement, intelligence agency, or other government requests for disclosure of data are carefully scrutinized and that Sibros discloses only the minimum amount of data necessary in response to a request. Where requests are unlawful or unfounded, Sibros will take appropriate steps to challenge them.

Has Sibros received requests from law enforcement to disclose data in the past?

No, to date, Sibros has not received any request from law enforcement to disclose data from or about its customers.

How does Sibros address SCHREMS II?

In the wake of the new EU Standard Contractual Clauses and the Schrems II ruling by the Court of Justice of the European Union (CJEU), Sibros wants to provide our customers with the information needed to evaluate and assess transfers of personal information outside the European Economic Area (EEA) and the United Kingdom (UK), specifically regarding access from the United States.

What impact does SCHREMS II have on our customers?

Under certain laws, including the GDPR, the UK GDPR, and Swiss Privacy laws, companies may only transfer personal information outside the EEA/UK/Switzerland where either of the following is true: 

  • The recipient country provides an adequate level of data protection (as determined by the EU Commission or the ICO); or
  • A valid transfer mechanism, as approved by the relevant regulatory body, is in place between the data exporter (customer) and data importer (Sibros), such as the EU Standard Contractual Clauses (SCCs).

The EU-US and CH-US Privacy Shield Frameworks, previously acknowledged as a ‘valid transfer mechanism’, were invalidated by the Schrems II ruling as a means on which companies can rely to transfer data from the EU or Switzerland to the United States.

Does that mean Sibros and its customers cannot rely on Standard Contractual Clauses (SCCs) anymore?

No. In principle, the CJEU upheld the validity of the SCCs (available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en) as a lawful transfer mechanism, but it now additionally requires companies to evaluate and assess their global transfers on a case-by-case basis, determining whether the privacy and surveillance laws of the recipient country, as well as the technical and organizational security measures deployed by the data importer, ensure a level of data protection adequate to the level required by applicable EEA/UK/Swiss law.

What do customers need to do to address SCHREMS II, and does Sibros help?

In addition to executing the new EU Standard Contractual Clauses (SCCs) available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, and the UK Addendum, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, Customers must also conduct a “Schrems II Transfer Assessment” when relying on the new SCCs. Sibros provides these FAQs to help its customers understand what compliance mechanisms Sibros has put in place and to help customers comply with their own compliance requirements.

Does Sibros' Data Protection Addendum (DPA) include the Standard Contractual Clauses (SCCs)?

Yes, where transfers of EEA/UK/Swiss originating personal data to the United States are at stake (“Relevant Transfers”), the customer and Sibros generally rely on executed SCCs and the UK Addendum as relevant. The SCCs and UK Addendum are part of Sibros' Customer Data Processing Addendum.

Is Sibros certified under the Data Privacy Framework / data bridge?

Sibros has been closely monitoring developments regarding the new EU-US and Swiss-US Data Privacy Frameworks (“DPFs”), which were approved and signed in July 2023. For more information, see https://www.dataprivacyframework.gov/s/. In addition, the U.S. and UK governments have announced a deal in principle to establish the "UK Extension" to the EU-U.S. Data Privacy Framework. If established, both would then allow U.S. companies that certify to the DPF to transfer personal data from the EEA and the UK, respectively, to the US. Sibros is in the process of evaluating the published documentation and a self-certification under the DPFs.

What additional factors should be taken into consideration when determining whether a transfer of personal data from the EU to the US is unlawful?

  • The CJEU and European Data Protection Board (EDPB) both refer to (1) security controls and (2) contractual safeguards as additional considerations to determine the lawfulness of transfers.
  • In our view, data controllers (i.e., our customers) must consider the (1) likelihood and (2) risk of harm in relation to the specific types of personal data being transferred. We note that the US Government confirmed in a white paper that the majority of data being transferred by companies is of no interest to intelligence agencies and that, therefore, most companies never even receive an order for disclosure of data.
  • Thus, as a controller, our customers should look not just at the laws of the third country (in our case, the United States) but also at the additional contractual or security-based safeguards agreed between the customer and Sibros, as well as the likelihood and risk of harm to data subjects for the transfers of data that may take place.

What factors may be relevant to a customer’s risk-based assessment?

Customers may wish to take the following factors into account: 

  • Most US companies do not deal in data that is of any interest to US intelligence agencies and will never receive orders from agencies for disclosure of data. This was confirmed in a recent white paper published by the US government.
  • Sibros' Data Processing Agreement (DPA) includes a number of contractual safeguards (including the security control measures listed in Annex II to the SCCs), as part of and in addition to the SCCs, which mitigate against the risks identified by the CJEU.
  • Sibros has updated its customer agreements to include the new version of the SCCs/UK Addendum.
  • The security controls that Sibros has put in place to mitigate against the risk of interception or misuse of data by third parties, which include:
      • Maintaining industry standard compliances, as documented here.
      • Applicable technical and organizational safeguards.

Where are Sibros’ cloud provider subprocessors located?

Sibros uses Amazon Web Services (AWS) and Google Cloud Platform (GCP) for cloud hosting and computing services. Sibros' own instances are generally located in the United States. However, additional AWS and GCP regions, for example in the EU and certain APAC regions, may be agreed upon with the customer.

Is a transfer of data from the EU/UK to the US automatically unlawful if it is possible that Sibros is subject to FISA 702 or EO 12,333?

No. We are not of the view that any and all transfers to the US are unlawful simply because the possibility that Sibros may be subject to FISA 702 or EO 12,333 cannot be excluded. In addition, the Schrems II decision calls for case-by-case assessments, and the European Data Protection Board (EDPB) FAQs encourage controllers to look at “the circumstances of the transfer,” including the supplementary measures and safeguards in place to protect the data, which supports the argument that not all transfers are automatically unlawful. Many EU supervisory authorities have agreed that carrying out a risk-based assessment is the right approach, indicating that factors other than FISA 702 should be taken into consideration during the risk assessment process.

Customers should take their own advice on this matter.  However, to help you with your risk assessments, we have put together information in these Customer FAQs for you.

What is the difference between FISA and EO 12,333?

FISA applies to the collection of foreign intelligence involving non-US persons where the collection occurs within the US, and to the collection of foreign intelligence regarding US persons, whereas EO 12,333 applies to collection involving non-US persons located outside the United States.

How can it be ensured that the cloud side is not compromised via API, login, etc.? What best practices are implemented?

The following measures and practices are implemented:

  • Access is restricted to authorized personnel; SSO and MFA are enforced.
  • Access is monitored with alerts triggered for unauthorized access.
  • Keys are segregated and signatures are validated by the firmware.
  • Mutual Transport Layer Security (TLS) with certificates is used for all command-and-control processes.
  • Permitted actions and values are configured via protobuf, which is controlled and managed with approvals.

What validations for cloud security are in place?

The following are used: 

  • Static analysis of code (SAST)
  • Secrets review 
  • Dependency checking (vulnerability assessments)
  • OWASP Top 10 
  • OWASP API Top 10
  • OWASP IOT ASVS
  • CI/CD review of SBOM

What are examples of automotive cybersecurity incidents that can be mitigated using Sibros’ OTA solution?

  • Drop request: Attacks that block network traffic (in-vehicle or outside) to prevent vehicles from updating software
  • Eavesdrop: Attacks that listen to network traffic to reverse-engineer ECU firmware.
  • Freeze attack: Indefinitely sends an ECU the last known update, even if there may be newer updates on the repository.
  • Mixed-bundles: Attackers force ECUs to install incompatible software updates to cause ECU interoperability failure.
  • Slow-retrieval: Slows down delivery of ECU updates so that a known security vulnerability can be exploited.
  • Partial-bundle: Causes some ECUs to not install the latest updates by dropping traffic to these ECUs.
  • Rollback: Causes an ECU to install outdated software with known vulnerabilities. 
  • Arbitrary software: Attackers use compromised repository keys to release an arbitrary combination of new images to cause ECUs to fail.
  • Mix-and-match: The most severe of these attacks; installs arbitrary software on an ECU to modify vehicle performance.

What are the differences between OTA systems with or without Uptane?

Uptane is the first security framework for automotive OTA updates that provides serious compromise resilience, meaning that it can withstand attacks on servers, networks, keys, or devices. The differences are as follows:

  • A single server that is compromised cannot compromise more of the system.
  • It is possible to recover from a single key compromise.
  • The complete vehicle IP address is not readily accessible.
  • Network security is not the only security control.
  • Delivery authenticity is validated separately from firmware authenticity.
  • Vehicle manifest and vehicle component authenticity are validated.
  • Component and ECU rollback and replacement attacks are easily detected and remediated.
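The attack list above and the Uptane properties just listed are two sides of the same design: each attack is defeated by a specific check the vehicle-side client performs before accepting an image. The following added example (not Sibros' code and not the Uptane reference implementation) sketches those client checks in Python. It verifies Director metadata (delivery authenticity) and Image repository metadata (firmware authenticity) separately against separate key sets with a signature threshold, rejects expired metadata (freeze), rejects metadata and firmware version regressions (rollback), requires both repositories to agree on the image (mixed-bundle / mix-and-match), and only then checks the downloaded bytes. To keep the block stdlib-only it uses HMAC-SHA256 with per-key secrets as a stand-in for the asymmetric signatures a real deployment uses; the key ids, ECU name, version numbers and image bytes are constructed fixtures.

```python
import hashlib
import hmac
import json

# Added illustration of Uptane-style client checks; not Sibros' or Uptane's code.
# HMAC-SHA256 with shared secrets stands in for asymmetric signatures.

def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(signed, keyid, secret):
    return {"keyid": keyid,
            "sig": hmac.new(secret, canonical(signed), hashlib.sha256).hexdigest()}

def count_valid_signatures(metadata, trusted_keys):
    """Number of distinct trusted keys whose signature over 'signed' verifies."""
    good = set()
    for entry in metadata["signatures"]:
        secret = trusted_keys.get(entry["keyid"])
        if secret is None:
            continue  # unknown key: ignored, never counted
        expected = hmac.new(secret, canonical(metadata["signed"]), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, entry["sig"]):
            good.add(entry["keyid"])
    return len(good)

class VerificationError(Exception):
    pass

def verify_update(director, image_repo, image_bytes, ecu_id, state, trusted, now, threshold=2):
    """Return the verified target for ecu_id or raise VerificationError.
    state:   {"installed_version": int, "last_director_version": int}
    trusted: {"director": {keyid: secret}, "image": {keyid: secret}}"""
    # Delivery authenticity (Director) and firmware authenticity (Image repo)
    # use separate key sets and a threshold, so one compromised key is not enough.
    if count_valid_signatures(director, trusted["director"]) < threshold:
        raise VerificationError("director signatures below threshold")
    if count_valid_signatures(image_repo, trusted["image"]) < threshold:
        raise VerificationError("image repo signatures below threshold")
    d, i = director["signed"], image_repo["signed"]
    # Freeze: replaying old metadata indefinitely fails once it expires.
    if now > d["expires"] or now > i["expires"]:
        raise VerificationError("expired metadata (freeze)")
    # Metadata rollback: the Director's version number must never go backwards.
    if d["version"] < state["last_director_version"]:
        raise VerificationError("director metadata rollback")
    target = d["targets"].get(ecu_id)
    if target is None:
        raise VerificationError("no target for this ECU (partial bundle)")
    # Mixed-bundle / mix-and-match: both repositories must describe the same image.
    ref = i["targets"].get(target["filename"])
    if ref is None or ref["sha256"] != target["sha256"] or ref["length"] != target["length"]:
        raise VerificationError("director and image repo disagree on target")
    # Firmware rollback: never install a version at or below the installed one.
    if target["version"] <= state["installed_version"]:
        raise VerificationError("firmware rollback")
    # Only now are the downloaded bytes checked against the signed hash and length.
    if len(image_bytes) != target["length"] or \
            hashlib.sha256(image_bytes).hexdigest() != target["sha256"]:
        raise VerificationError("image hash/length mismatch")
    return target

def make_fixture(now=1_000_000):
    """Constructed sample: two Director keys, two Image-repo keys, one ECU image."""
    image = b"ecu-firmware-v3-constructed"
    digest = hashlib.sha256(image).hexdigest()
    keys = {"director": {"d1": b"dsecret1", "d2": b"dsecret2"},
            "image": {"i1": b"isecret1", "i2": b"isecret2"}}
    d_signed = {"version": 7, "expires": now + 86400,
                "targets": {"ecu-brake": {"filename": "brake.bin", "version": 3,
                                          "sha256": digest, "length": len(image)}}}
    i_signed = {"version": 12, "expires": now + 30 * 86400,
                "targets": {"brake.bin": {"sha256": digest, "length": len(image)}}}
    director = {"signed": d_signed,
                "signatures": [sign(d_signed, k, s) for k, s in keys["director"].items()]}
    image_repo = {"signed": i_signed,
                  "signatures": [sign(i_signed, k, s) for k, s in keys["image"].items()]}
    return director, image_repo, image, keys

def check(director, image_repo, image, keys, now=1_000_000, state=None):
    """Return the rejection reason, or None if the update is accepted."""
    state = state or {"installed_version": 2, "last_director_version": 7}
    try:
        verify_update(director, image_repo, image, "ecu-brake", state, keys, now)
        return None
    except VerificationError as exc:
        return str(exc)

if __name__ == "__main__":
    d, i, img, keys = make_fixture()
    print("valid bundle:", check(d, i, img, keys))
    print("stale metadata:", check(d, i, img, keys, now=1_000_000 + 3 * 86400))
```

The order of the checks matters: signatures and expiry are verified before any field of the metadata is trusted, and the image bytes are hashed last, so an attacker who controls only the network (drop, slow-retrieval, eavesdrop) can delay an update but cannot make the client accept a different one, and an attacker who holds a single repository key still cannot reach the signature threshold.

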

What are the security considerations/measures when integrating Deep Updater in the TCU (external communication device)?

The following measures are taken:

  • Device provisioning
  • HSM integration
  • In-vehicle secure communications 
  • Provisioning of EOL integrations and device provisioning 
  • Uptane keys and component replacements

How could a breach affect Deep Logger and Deep Commander and what preventive measures has Sibros taken?

Security is designed into the solution. Additionally, it is assessed against TISAX, SSAE 16/18 SOC 2 Type 2, and ISO 26262, which are in place, with ISO 27001, ISO 21434, and ISO 24089 in progress.

Could an infected ECU use Deep Logger to send attacks to the cloud? If so, what has been done to mitigate this risk?

Log files are archived and optionally compressed. They are also handled securely and are not uploaded directly into the system. Only reference information is held in the system, and the S3 bucket is used solely for storage of files that are uploaded as GUIDs (Globally Unique Identifiers).

Is Sibros a data controller or a data processor in the framework of the GDPR?

Sibros acts as a data processor. The OEM is the data controller.

What happens when changes are made?

All changes for cloud and firmware are reviewed.

What is the coverage for incidents?

Sibros has well-defined incident management, security incident management, and breach response processes.

How are vulnerabilities assessed?

With the following reviews and assessments: 

  • Components vulnerability review (firmware and cloud software)
  • Cloud infrastructure vulnerability review (cloud software)
  • OWASP IOT ASVS assessment (firmware)
  • Cloud posture assessments
  • AWS GuardDuty, GCP SCC, and other cloud threat assessment tooling

What security/function is implemented inside the target ECU or client?

Support for UDS SecurityAccess (service 0x27) and key exchange; secure storage and symmetric key handling are determined by the target ECU.

How is data in transit secured?

The following are used: 

  • MQTT over mutual TLS (MQTTS)
  • HTTPS (HTTP over TLS)

What is the Sibros Armor framework?

Sibros Armor includes the following checks and failsafes: 

  • 2-way authentication of communication between vehicle and cloud
  • Device provisioning framework incorporating secure integrations with manufacturing 
  • DeviceID and Vehicle Identification (VIN) with a data abstraction framework that incorporates Privacy by Design
  • Role-based Access Control (RBAC)
  • Approval workflow for deployments and changes for systems
  • SSO and MFA for user authentication
  • In-vehicle secure communications
  • Secure storage / HSM integrations

How does Sibros link devices and data?

Sibros primarily uses a Globally Unique Identifier (GUID) to create a link between device identification information such as Vehicle Identification Number (VIN) / Electronic Serial Number (ESN) and the data collected by Deep Logger, Deep Updater, and Deep Commander.

What are management best practices regarding access to the system? How do we ensure background checks of employees?

All access needs authorization and is granted on a need-to-know basis. All employees are background checked as part of their onboarding process.

What is Sibros’ general security approach?

Sibros follows an approach of security designed from the ground up and built into the DNA of the product. This includes in-vehicle secure communications and secure storage / HSM integrations.

What are Sibros’ security compliance and certifications?

Our solution is assessed against TISAX, SSAE 16/18 SOC 2 Type 2, and ISO 26262 (ASIL-D), which are in place, with ISO 27001, ISO 21434, and ISO 24089 in progress. Sibros also addresses and supports security regulations such as UNECE WP.29 R155 and R156 (with AIS 189 and AIS 190 under review), as well as privacy regulations such as the GDPR and CCPA (with India's DPDP under review).

What should the procedure for the end of cybersecurity support for an item or component include in regard to customer communication?

The procedure for customer communication of the end of cybersecurity support for an item or component should include information on how and when the cybersecurity support will end, any necessary steps that the customer needs to take, and any recommendations for replacement or upgrading of the item or component.

What is the end of cybersecurity support and decommissioning phase?

The end of cybersecurity support and decommissioning phase is where methods and procedures are enacted to communicate the end of cybersecurity support and decommission relevant items and components.

What is the purpose of developing updates and relevant capabilities within the vehicle during the operations and maintenance phase?

The purpose of developing updates and relevant capabilities within the vehicle during the operations and maintenance phase is to ensure that the vehicle stays updated and secure in accordance with ISO 21434 and WP.29 R156.

What is the importance of a cybersecurity incident response plan?

A cybersecurity incident response plan is important for every cybersecurity incident as it provides remedial actions based on vulnerability management procedures, a communication plan involving all relevant internal and external parties, designated responsibilities for remedial actions, procedures for recording new and relevant information pertaining to the cybersecurity incident, a method or measure for determining progress, and cybersecurity incident response closure criteria.

What is included in the production control plan for post-development?

The production control plan for post-development includes the application sequence for post-development cybersecurity requirements, any equipment and production tools, production cybersecurity controls to prevent unauthorized access or alteration, and confirmation methods to ensure post-development cybersecurity requirements are met.

What is the production phase in relation to cybersecurity management?

The production phase is the phase in cybersecurity development where cybersecurity requirements are applied and new vulnerabilities are prevented during production.

What is cybersecurity validation in product development?

Cybersecurity validation involves confirming and validating cybersecurity goals and claims and eliminating any unreasonable risks. It considers the configurations for series production and includes confirming the adequacy of cybersecurity goals for threat scenarios and corresponding risks, achieving item cybersecurity goals, and validating operational environment requirements.

What methods are used for the testing of integration and verification in the product development phase?

Methods used for the testing of integration and verification include functional testing, vulnerability scanning, fuzz testing, and penetration testing.

What is the purpose of integration and verification in product development as it relates to cybersecurity?

Integration and verification in product development involve verifying that all defined cybersecurity specifications are met in the implementation and integration of components, and performing testing to confirm, minimize, and manage unidentified weaknesses and vulnerabilities in the component. The purpose is to ensure that cybersecurity goals and claims are validated and any unreasonable risks are eliminated.

What is the role of design in product development as it relates to cybersecurity?

In product development, design involves defining cybersecurity specifications based on existing architectural design and assigning the defined cybersecurity requirements to components of the architectural design. It also includes applying established and trusted design and implementation principles to prevent or reduce cybersecurity vulnerabilities and verifying cybersecurity specifications to ensure completeness, correctness, and consistency with specifications from higher levels of architectural abstraction.

What is the product development phase as it relates to cybersecurity?

During the product development phase, the organization must have processes in place to test and assess whether a product or component identified in the concept phase is secure and resistant to cyber attacks. This includes identifying the item information such as its intended behavior, architecture, and operational environment, as well as performing an analysis to determine cybersecurity goals and risk treatment decisions.

What is the purpose of verifying cybersecurity management analysis results in the concept phase?

The purpose of verifying the results is to ensure completeness, correctness, and consistency with respect to cybersecurity goals and claims.

What is the cybersecurity concept in the concept phase of cybersecurity management?

A description of the technical and operational cybersecurity controls in place to achieve cybersecurity goals. This includes considerations for functional dependencies in the item and/or cybersecurity claims and defines the cybersecurity requirements of the item and the operational environment needed to achieve the cybersecurity goals.

What is the purpose of performing an analysis of cybersecurity goals in the concept phase?

The purpose of performing an analysis in the cybersecurity goals stage is to identify assets, threat scenarios, impact ratings, attack paths, attack feasibility ratings, risk values, and determine risk treatment based on analysis results for each threat scenario.

What are the item definition requirements in the concept phase?

Item definition requirements in the cybersecurity management concept phase include identifying item information such as item boundary, intended behavior, preliminary architecture, and operational environment.

What is the concept phase in relation to cybersecurity management?

The concept phase is the initial phase in cybersecurity management where the item to be developed is defined along with its relation to cybersecurity goals and concepts.

What are examples of risks that might be identified during a TARA?

Examples include ransomware attacks, compromise of internal user credentials and MFA, and compromise of a security framework (for example, Rippling).

What is the risk treatment decision in TARA?

A risk treatment decision is the process of selecting one or more risk treatment options. These might include risk avoidance, risk reduction, division of risk through sharing, and risk retention.

What is risk value determination in TARA?

Risk value determination is the process of assigning a risk value between 1 and 5 to each threat scenario based on its impact and attack feasibility.

What is the attack feasibility rating in TARA?

Attack feasibility rating is the process of determining the feasibility of an attack path using various rating methods such as an attack potential-based approach, a common vulnerability scoring system (CVSS)-based approach, or an attack vector-based approach.

What is attack path analysis in TARA?

Attack path analysis is the process of analyzing potential threat scenarios for the identification of potential attack paths.

What is the impact rating in TARA?

Impact rating is the process of analyzing potential damage scenarios and assessing their impact on road users. This includes safety, financial, operational, and privacy categories.

What is threat scenario identification in TARA?

Threat scenario identification is the process of identifying potential threat scenarios, each of which names the targeted asset, the cybersecurity property that is compromised (for example confidentiality, integrity, or availability), and the cause or means of the compromise.

What is asset identification in TARA?

Asset identification is the process of identifying the assets of a specific product or component, the cybersecurity properties of those assets, and the damage scenarios that could result if one of those properties were compromised.

What is TARA?

TARA stands for Threat Analysis and Risk Assessment. It is a method used to analyze potential threats to the cybersecurity properties of a specific product or component and assess the risk of each threat scenario.
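The TARA steps described above, from asset identification through risk treatment decision, carried through for two constructed threat scenarios. This is an added example, not Sibros code and not text from ISO/SAE 21434: the attack potential factor scores, feasibility thresholds, risk matrix and treatment policy are modeled on the standard's informative annexes but are assumptions of this example, and the scenarios, assets and ratings are constructed.

```python
from dataclasses import dataclass

# Rating scales. Factor scores, feasibility thresholds and the risk matrix are modeled on
# the informative annexes of ISO/SAE 21434 but are this example's assumptions.
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}
RISK_MATRIX = {  # impact level x attack feasibility level -> risk value 1..5
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
}

@dataclass
class AttackPath:
    description: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        """Attack potential-based approach: sum the five factors; a low sum means an easy attack."""
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window] + EQUIPMENT[self.equipment])

def feasibility_rating(potential: int) -> str:
    """Attack feasibility rating from attack potential (thresholds assumed)."""
    for limit, level in ((13, "high"), (19, "medium"), (24, "low")):
        if potential <= limit:
            return level
    return "very low"

@dataclass
class DamageScenario:
    safety: str
    financial: str
    operational: str
    privacy: str

    def impact_rating(self) -> str:
        """Overall impact is the most severe of the S/F/O/P category ratings."""
        return max((self.safety, self.financial, self.operational, self.privacy),
                   key=IMPACT_LEVELS.index)

@dataclass
class ThreatScenario:
    asset: str                  # from asset identification
    property_compromised: str   # confidentiality / integrity / availability
    cause: str                  # how the property gets compromised
    damage: DamageScenario
    attack_paths: list          # from attack path analysis

def treatment_decision(risk: int) -> str:
    """Example policy (assumed): reduce high risks, reduce or share mid risks, retain the lowest."""
    if risk >= 4:
        return "reduce"
    return "reduce or share" if risk >= 2 else "retain"

def assess(ts: ThreatScenario) -> dict:
    """Run one threat scenario through impact, feasibility, risk value and treatment."""
    impact = ts.damage.impact_rating()
    # A threat scenario is as feasible as its most feasible attack path.
    rated = [(p, feasibility_rating(p.attack_potential())) for p in ts.attack_paths]
    easiest, feasibility = max(rated, key=lambda pr: FEASIBILITY_LEVELS.index(pr[1]))
    risk = RISK_MATRIX[impact][feasibility]
    return {"asset": ts.asset, "impact": impact, "feasibility": feasibility,
            "easiest_path": easiest.description, "risk": risk,
            "treatment": treatment_decision(risk)}

# Constructed sample scenarios (illustrative, not from a real assessment).
OTA_INTEGRITY = ThreatScenario(
    asset="Brake ECU firmware image delivered over the air",
    property_compromised="integrity",
    cause="ECU installs a firmware image the OEM did not release",
    damage=DamageScenario(safety="severe", financial="major", operational="major", privacy="negligible"),
    attack_paths=[
        AttackPath("Steal the backend signing key and sign a malicious image",
                   "<=1 month", "expert", "confidential", "moderate", "standard"),   # potential 21
        AttackPath("Replay an older, correctly signed image with a known flaw",
                   "<=1 week", "proficient", "public", "easy", "standard"),          # potential 5
    ])
LOG_CONFIDENTIALITY = ThreatScenario(
    asset="Diagnostic logs on the telematics uplink",
    property_compromised="confidentiality",
    cause="Attacker eavesdrops on the cellular link",
    damage=DamageScenario(safety="negligible", financial="negligible", operational="negligible", privacy="moderate"),
    attack_paths=[AttackPath("Intercept the uplink with a rogue base station",
                             "<=1 month", "expert", "restricted", "moderate", "specialized")])  # potential 21

if __name__ == "__main__":
    print(assess(OTA_INTEGRITY), assess(LOG_CONFIDENTIALITY), sep="\n")
```

The OTA integrity scenario comes out at risk value 5 with treatment "reduce", because its easiest attack path (replaying an older signed image) needs only public knowledge and standard equipment even though stealing the signing key is hard; that is the kind of finding that becomes a cybersecurity goal such as rollback protection for update metadata. The log confidentiality scenario comes out at risk value 2 and may be reduced or shared.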

What should be done in the event of unclear, unfeasible, or conflicting cybersecurity requirements or requirements from other disciplines?

The customer and supplier should communicate to determine the appropriate course of action to remedy the issue. Responsibilities for the customer and supplier should also be specified using a responsibility assignment matrix.

What processes and procedures are required for the maintenance and monitoring of cybersecurity activities?

Processes and procedures required for cybersecurity activity maintenance and monitoring include:

  • comprehensive collection of cybersecurity information from internal and/or external sources;
  • definition and maintenance of triggers for triage of the collected cybersecurity information;
  • assessment of the collected information to determine whether a cybersecurity event has taken place;
  • assessment of each cybersecurity event for weaknesses in the product or component;
  • vulnerability analysis to identify the attack paths a weakness enables and to rate their feasibility; and
  • vulnerability management that treats the resulting cybersecurity risks in accordance with national and international standards.

What is a cybersecurity interface agreement and why is it important?

A cybersecurity interface agreement specifies how cybersecurity activities will be distributed between the customer and supplier, including cybersecurity activity responsibilities, joint tailoring of activities (if applicable), information and documentation to be shared, distributed cybersecurity activity milestones, and a clear definition of the end of cybersecurity support for the product or component in question. It is important for both the customer and supplier to mutually agree upon the agreement prior to the start of distributed cybersecurity activities.

What should be included in a request for quotation for cybersecurity services?

When requesting a quotation from a potential supplier, the request should include a formal request to conform with national and international cybersecurity requirements, the cybersecurity responsibilities the supplier is expected to take on, and any cybersecurity goals and requirements relevant to the specified product or component.

What are the requirements for supplier capability in distributed cybersecurity activities?

When evaluating potential suppliers, their capacity to develop and/or perform post-development activities in accordance with national and international cybersecurity engineering standards should be taken into consideration. Evidence of organizational cybersecurity preparedness and adequacy, continual maintenance and improvement of cybersecurity activities and incident responses, and a summary of previous cybersecurity assessment reports may be included.

What are the conditions that must be met before a product can be released for post-development?

To release the product or component for post-development, the cybersecurity case must provide a valid and thorough argument, the cybersecurity assessment must confirm or agree with the cybersecurity case, and the post-development cybersecurity requirements must be accepted. All of these must be available before product release for post-development.

How is a cybersecurity assessment performed in project-dependent cybersecurity management?

A responsible party must be appointed to oversee the planning and performance of a cybersecurity assessment. The assessment must include the cybersecurity plan and include all products and components in the plan, processes and procedures utilized to address cybersecurity risks, a review of the appropriateness and effectiveness of the implemented cybersecurity controls and activities, and rationales that demonstrate compliance with the requirements outlined in International Standards, such as ISO 21434. The assessment report must also include a recommendation for acceptance, conditional acceptance, or rejection of the product or component's cybersecurity.

What is a cybersecurity case and why is it important?

A cybersecurity case is a structured argument, supported by work products as evidence, that the cybersecurity claims for the product or component are achieved, i.e. that the identified risks have been treated as required by national and international standards. It is important because it is the basis on which the cybersecurity assessment judges whether the product or component can be released.

What is a reuse analysis in cybersecurity management?

A reuse analysis is the evaluation performed when an existing product or component is to be reused, for example with planned modifications, in a different operational environment, or after changes to the cybersecurity information or requirements that applied to it. It determines which cybersecurity activities must be repeated and which existing work products remain valid.

Can cybersecurity activities be tailored?

Yes, cybersecurity activities can be tailored. The rationale behind why an activity is tailored must be sufficient to achieve relevant protection objectives as outlined in ISO 21434.

What are the requirements for managing a product's cybersecurity development activities?

The first requirement is to assign cybersecurity activity responsibilities and communicate them to the relevant parties, in line with information security requirements and best practices. A cybersecurity plan must also be created for each product, covering objectives, dependencies, responsible personnel, resources, start and end points, intended outcomes, and the activities required in the concept and product development phases per the relevant requirements. The plan's activities must be assigned to personnel with the necessary training, certifications, and awareness; the plan must be updated for any changes or refinements and must follow configuration and documentation management procedures.

What are the requirements for an organizational cybersecurity audit?

To meet organizational cybersecurity audit requirements, organizations must perform periodic audits, provide evidence and documentation of all procedures, processes, incidents, and remediations, and judge whether their processes achieve the objectives outlined in relevant national and international cybersecurity standards.

What is an organizational cybersecurity audit?

An organizational cybersecurity audit is an independent evaluation of an organization's cybersecurity processes, procedures, and policies to judge whether they achieve the objectives outlined in relevant international cybersecurity standards.

What are the requirements for a management system in the context of cybersecurity management?

To meet management system requirements, organizations must operate a quality management system that supports cybersecurity engineering in accordance with international standards, make configuration information (for example, a bill of materials) available so that vehicle cybersecurity can be maintained, establish a cybersecurity management system covering production processes, and manage any tools that can influence the cybersecurity of a product or component.

What is a management system in the context of cybersecurity management?

A management system is a set of processes, procedures, and policies that an organization puts in place to manage and address cybersecurity risks and requirements.

What are the requirements for information sharing in the context of cybersecurity management?

Information sharing requirements include defining situations and circumstances under which cybersecurity information sharing is relevant, permitted, and prohibited, as well as specifying information types to be shared, establishing approval processes, and defining relevant parties.

What is information sharing in the context of cybersecurity management?

Information sharing means exchanging relevant information about cybersecurity risks, threats, hazards, and conflicting requirements within and outside of an organization.

What does it take to establish and maintain a strong cybersecurity culture?

Establishing and maintaining a strong cybersecurity culture involves ensuring that everyone with assigned cybersecurity roles has the necessary training, certifications, and awareness to fulfill their responsibilities. This includes providing risk management, functional safety, and privacy training and implementing continuous improvement processes for all cybersecurity activities.

What does it mean to have a strong cybersecurity culture?

A strong cybersecurity culture means that everyone in the organization shares the same beliefs, values, and behaviors that promote and support cybersecurity best practices.

What are the requirements for cybersecurity governance?

To meet cybersecurity governance requirements, organizations must define a cybersecurity policy that both acknowledges road vehicle cybersecurity risks and commits to managing those risks. They also need to assign responsibilities and organizational authority to achieve comprehensive cybersecurity, as well as provide resources for cybersecurity risk management, development, and incident management.

What is cybersecurity governance?

Cybersecurity governance is a set of rules and policies that organizations put in place to manage and address cybersecurity risks.

What do OEMs need to do to support cybersecurity engineering?

OEMs must establish rules and implement processes that adhere to national and international cybersecurity requirements, including assigning cybersecurity responsibilities, providing resources to address cybersecurity risks, and establishing a cybersecurity management system for relevant activities.

How big is the autonomous vehicle industry?

The autonomous vehicle market is growing rapidly and is projected to reach significant size in the coming years. According to some estimates, the global market size of autonomous vehicles was around $54 billion in 2020 and is expected to reach over $173 billion by 2026, growing at a compound annual growth rate (CAGR) of over 25%. However, the actual size of the market can vary depending on various factors, including the adoption rate of autonomous vehicles, regulatory barriers, and technological advancements.

How big is the car sharing (peer-to-peer) industry?

The peer-to-peer car sharing industry has been growing rapidly in recent years, with some reports estimating the global market size to be around $11 billion in 2020 and projected to reach $24 billion by 2026. However, the size of the industry can vary depending on the region and the specific services offered by each company.

How many automotive software related recalls are there globally?

The exact number of automotive software-related recalls each year worldwide is not publicly disclosed, as different countries have varying regulations and reporting requirements. However, it is widely acknowledged that the increasing reliance on software in vehicles has led to a rise in the number of software-related recalls in the automotive industry. Some reports suggest that the number of software-related recalls has increased significantly in recent years due to the growing complexity of software systems and the increased risk of cyber threats. As connected and autonomous vehicles become more widespread, it is expected that the number of software-related recalls will continue to increase.

How big is the V2X Industry?

The V2X (Vehicle-to-Everything) industry size is rapidly growing and expected to become a multi-billion dollar market in the coming years. According to recent market research reports, the global V2X market size was valued at around $1.3 billion in 2020 and is projected to reach $17.4 billion by 2026, growing at a compound annual growth rate (CAGR) of 52.1% from 2021 to 2026. The increasing demand for connected and autonomous vehicles and the growing demand for improved road safety and traffic efficiency are among the key factors driving the growth of the V2X market.

How big is the global 2-wheeler market?

The global two-wheeler market size was valued at approximately USD 123 billion in 2020 and is expected to grow in the coming years. The growth of the market can be attributed to the increasing demand for affordable and convenient personal mobility solutions, especially in developing countries. Additionally, the growth of urbanization and rising concerns about traffic congestion and air pollution are also driving the demand for two-wheelers. However, the market has been impacted by the COVID-19 pandemic and the subsequent economic slowdown, which has led to a decline in sales in some regions.

How big is the micro-mobility industry?

The micro mobility industry is growing rapidly and has become a multi-billion dollar industry in recent years. In 2020, the global micro mobility market size was estimated to be worth around US $16 billion and is expected to grow significantly in the coming years, driven by the increasing demand for sustainable and convenient mobility options. However, the exact size of the industry can vary depending on the sources used and the definitions and scope of "micro mobility".

How big is the global market size for commercial fleet vehicle manufacturing?

As of 2021, the global market size for commercial fleet vehicle manufacturing was estimated to be around $100 billion. This figure is expected to grow in the coming years, driven by factors such as increased demand for commercial vehicles, technological advancements, and government initiatives to promote fleet modernization. However, it's important to note that the actual market size can vary depending on various factors, such as the state of the economy, changes in consumer preferences, and fluctuations in raw material costs.

What is transportation 2.0 and what are some of the upcoming trends and models?

1. Electric and Autonomous Vehicles: The development and deployment of electric vehicles (EVs) and autonomous vehicles (AVs) is a key trend in the transportation industry.
2. MaaS (Mobility as a Service): MaaS refers to the integration of various transportation services, including public transportation, car sharing, bike sharing, and ride-hailing services, into a single platform.
3. Micro-mobility: The popularity of e-bikes, e-scooters, and other micro-mobility options is increasing as people look for more sustainable and convenient modes of transportation.
4. Connected and Shared Transportation: Connected cars, shared mobility services, and smart city initiatives are transforming the way people move in urban areas.
5. Blockchain in Transportation: Blockchain technology is being used to improve supply chain transparency, secure data sharing, and streamline payment systems in the transportation industry.
6. Space Tourism: The development of reusable rockets and other space technologies is making space tourism a reality, with companies like SpaceX and Blue Origin leading the charge.
7. Sustainable Transportation: The growing awareness of the environmental impact of transportation is driving the demand for more sustainable modes of transportation, including EVs, hydrogen fuel cell vehicles, and alternative fuels.

What are some of the key future trends happening in the commercial and fleet vehicle industry?

  • Electric and Hybrid Vehicles: The adoption of electric and hybrid vehicles is expected to increase as companies look to reduce their carbon footprint and operating costs.
  • Autonomous Fleet Vehicles: The deployment of autonomous fleet vehicles is expected to increase, leading to improved safety and efficiency, and reduced labor costs.
  • Telematics and Connectivity: The use of telematics and connectivity technologies, such as GPS tracking and remote diagnostics, is expected to increase in order to improve fleet management and optimize vehicle utilization.
  • Fleet Management Software: The use of fleet management systems (FMS) is expected to increase in order to improve the efficiency and productivity of commercial fleets.
  • Shared Mobility Services: The trend towards shared mobility services is expected to continue, with companies looking to maximize vehicle utilization and reduce the size of their fleets.
  • Sustainable Fleet Management: Companies are increasingly focused on sustainable fleet management, including the adoption of alternative fuels, energy-efficient vehicles, and environmentally friendly practices.
  • Increased Use of Data Analytics: The use of data analytics is expected to increase in order to improve decision-making, reduce costs, and enhance fleet performance.

These trends are expected to shape the future of the commercial fleet vehicle industry and drive innovation and growth in the sector.

What is micromobility?

Micromobility refers to a category of transportation that encompasses small, light, and often electric vehicles, such as e-scooters, e-bikes, hoverboards, and similar modes of transportation. These vehicles are designed for short trips in urban and suburban areas, typically for distances of less than 10 miles, and provide an alternative to traditional modes of transportation like cars, buses, and taxis. The concept of micromobility has gained popularity in recent years due to the need for more sustainable and convenient mobility solutions in densely populated urban areas, where traffic congestion and parking issues are prevalent.

What is V2X?

V2X refers to Vehicle-to-Everything communication, a technology that enables vehicles to communicate with other vehicles, road infrastructure, and other devices in real time. The aim of V2X is to enhance safety, efficiency, and mobility on the roads by enabling vehicles to share information and collaborate with each other to prevent accidents and improve traffic flow. Its main variants are Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I), Vehicle-to-Pedestrian (V2P) and Vehicle-to-Network (V2N) communication.

What is Mobility-as-a-Service?

Mobility as a Service (MaaS) is the integration of multi-modal transportation into a single seamless service, allowing users to access a range of transportation options through one platform. The goal of MaaS is to provide a more convenient, efficient, and sustainable transportation system while reducing the need for private car ownership.

MaaS typically encompasses a variety of transportation options, such as public transit, ride-hailing, car-sharing, bike-sharing, and more. Users access these services through a single app or platform, and often pay a subscription fee for access to the entire network of transportation options.

The main idea behind MaaS is to provide users with a flexible, multi-modal transportation system that is easy to use, cost-effective, and environmentally friendly. By integrating various modes of transportation, MaaS aims to reduce congestion, emissions, and the need for personal vehicle ownership.

What is trucking-as-a-service?

Trucking as a Service (TaaS) refers to a business model where a company provides trucking services to its customers as a service, rather than a product. In this model, the company owns and manages a fleet of trucks, and customers can access and use these trucks on-demand, without having to purchase or maintain their own vehicles. This can include various transportation services such as delivery, logistics, and supply chain management. TaaS aims to improve the efficiency and cost-effectiveness of the transportation industry by reducing the need for individual businesses to invest in their own fleets and provide a more flexible and scalable solution to meet their transportation needs.

What are the key technologies in the Software Defined Vehicle?

  • Vehicle Control Unit (VCU) - the central computer that manages and controls the various systems and components of a vehicle.
  • Over-the-air (OTA) updates - the ability to remotely update the software of a vehicle without physically accessing it.
  • Automated Driving System (ADS) - the set of technologies and systems that enable a vehicle to drive itself without human intervention.
  • Vehicle-to-everything (V2X) communication - the exchange of information and data between a vehicle and its surroundings, including other vehicles, infrastructure, and devices.
  • Sensor Fusion - the process of combining data from multiple sensors to provide a more complete understanding of the vehicle's environment.
  • Autonomous Driving Levels - a standardized classification system used to describe the level of autonomy in a vehicle, ranging from Level 0 (no automation) to Level 5 (fully autonomous).
  • Advanced Driver Assistance Systems (ADAS) - technology that enhances the safety and convenience of a vehicle, such as lane departure warning, adaptive cruise control, and automatic emergency braking.

Is there a difference in E/E architecture for connected and software-defined vehicles?

The notion of a connected vehicle only implies that at least one module in the car can communicate bidirectionally with systems outside the car. A software-defined vehicle, on the other hand, is one whose functions are operated, controlled and underpinned by software. The two aspects, connected vehicle architecture and software-defined architecture, are therefore independent in principle. In practice they influence each other: at the optimum they interact, communicate and enable each other for numerous use cases.

How does data logging work?

The Sibros Deep Logger product performs automotive data logging by collecting connected vehicle data in real time directly from the vehicle's telematics control unit. This data is then relayed to the cloud portal, where it can be used for troubleshooting faults, performing vehicle health analytics, analyzing collision data, assessing preventive maintenance needs, and developing new features or vehicle enhancements.

How do you protect against cyber attacks in connected vehicles?

The Deep Connected Platform leverages the IEEE-ISTO 6100 Uptane framework, which is designed to keep updates trustworthy even if some backend servers or signing keys are compromised, along with Sibros Armor to comply with international cybersecurity regulations and standards such as ISO/SAE 21434 and UNECE WP.29 R155 and R156. Sibros' products include mechanisms to aid early threat detection and mitigation, reduce the attack surface and prevent unauthorized backend access, and keep all cybersecurity measures and processes up to date.
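An added example (not Sibros code and not the Uptane reference implementation) of the client-side checks that make an Uptane-style update compromise-resilient: a threshold of signatures over Director and Image repository metadata, expiry, rollback protection, a cross-check that both repositories describe the same image, and hash and length verification of the download. The key names, the 2-of-3 Director threshold, the role and field names and the sample firmware bytes are constructed; HMAC-SHA256 stands in for the asymmetric signatures a real deployment uses so that the block runs with the Python standard library alone (with an HMAC, anyone holding the verification key could also forge, which is exactly why production uses public-key signatures).

```python
import hashlib
import hmac
import json

# Constructed key material and a fixed clock so the example is deterministic. HMAC-SHA256
# stands in for asymmetric signatures (e.g. Ed25519); the checks below do not depend on it.
DIRECTOR_KEYS = {"dir-1": b"director-key-1", "dir-2": b"director-key-2", "dir-3": b"director-key-3"}
IMAGE_KEYS = {"img-1": b"image-repo-key-1"}
DIRECTOR_THRESHOLD = 2      # any 2 of the 3 Director keys must sign
IMAGE_THRESHOLD = 1
NOW = 1_700_000_000

class VerificationError(Exception):
    pass

def canonical(signed: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_metadata(signed: dict, keys: dict) -> dict:
    payload = canonical(signed)
    return {"signed": signed,
            "signatures": [{"keyid": k, "sig": sign(v, payload)} for k, v in keys.items()]}

def verify_role(metadata: dict, trusted_keys: dict, threshold: int, now: int, last_version: int) -> dict:
    """Require a threshold of valid signatures from trusted keys, unexpired metadata,
    and a version no older than the one the ECU already trusts (rollback check)."""
    signed, payload = metadata["signed"], canonical(metadata["signed"])
    valid = set()
    for s in metadata["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key is not None and hmac.compare_digest(sign(key, payload), s["sig"]):
            valid.add(s["keyid"])       # a key counts once, however often it signs
    repo = signed["repo"]
    if len(valid) < threshold:
        raise VerificationError(f"{repo}: {len(valid)} valid signature(s), need {threshold}")
    if signed["expires"] <= now:
        raise VerificationError(f"{repo}: metadata expired")
    if signed["version"] < last_version:
        raise VerificationError(f"{repo}: version {signed['version']} < {last_version} (rollback)")
    return signed

def verify_update(director_md, image_md, ecu_serial, image_bytes, now, last_versions) -> str:
    """Return the target filename if the ECU may install image_bytes, else raise."""
    director = verify_role(director_md, DIRECTOR_KEYS, DIRECTOR_THRESHOLD, now, last_versions["director"])
    image_repo = verify_role(image_md, IMAGE_KEYS, IMAGE_THRESHOLD, now, last_versions["image"])
    assignment = director["targets"].get(ecu_serial)
    if assignment is None:
        raise VerificationError(f"director assigns nothing to {ecu_serial}")
    name = assignment["filename"]
    entry = image_repo["targets"].get(name)
    if entry is None:
        raise VerificationError(f"image repository does not list {name}")
    # Both repositories must agree: a compromised Director alone cannot point the ECU
    # at an image the Image repository never published.
    if (assignment["length"], assignment["hashes"]["sha256"]) != (entry["length"], entry["hashes"]["sha256"]):
        raise VerificationError(f"director and image repository disagree on {name}")
    if len(image_bytes) != entry["length"] or hashlib.sha256(image_bytes).hexdigest() != entry["hashes"]["sha256"]:
        raise VerificationError(f"downloaded {name} does not match signed metadata")
    return name

# Constructed sample: one firmware image, listed by both repositories.
IMAGE = b"\x7fELF constructed brake-ECU firmware v1.4.2"
IMAGE_NAME, ECU = "brake-ecu-1.4.2.bin", "ECU-BRK-0001"
ENTRY = {"length": len(IMAGE), "hashes": {"sha256": hashlib.sha256(IMAGE).hexdigest()}}
IMAGE_TARGETS = make_metadata(
    {"repo": "image", "version": 7, "expires": NOW + 30 * 86400, "targets": {IMAGE_NAME: ENTRY}}, IMAGE_KEYS)
DIRECTOR_TARGETS = make_metadata(
    {"repo": "director", "version": 42, "expires": NOW + 86400,
     "targets": {ECU: {"filename": IMAGE_NAME, **ENTRY}}},
    {k: DIRECTOR_KEYS[k] for k in ("dir-1", "dir-2")})
LAST_SEEN = {"director": 41, "image": 7}   # metadata versions the ECU already trusts

def outcome(fn) -> str:
    try:
        return "accepted: " + fn()
    except VerificationError as err:
        return "rejected: " + str(err)

def run_checks() -> dict:
    """One valid update plus four attacks the verifier must refuse."""
    one_sig = {"signed": DIRECTOR_TARGETS["signed"], "signatures": DIRECTOR_TARGETS["signatures"][:1]}
    return {
        "valid": outcome(lambda: verify_update(DIRECTOR_TARGETS, IMAGE_TARGETS, ECU, IMAGE, NOW, LAST_SEEN)),
        "rollback": outcome(lambda: verify_update(DIRECTOR_TARGETS, IMAGE_TARGETS, ECU, IMAGE, NOW, {"director": 43, "image": 7})),
        "tampered": outcome(lambda: verify_update(DIRECTOR_TARGETS, IMAGE_TARGETS, ECU, IMAGE[:-1] + b"!", NOW, LAST_SEEN)),
        "threshold": outcome(lambda: verify_update(one_sig, IMAGE_TARGETS, ECU, IMAGE, NOW, LAST_SEEN)),
        "expired": outcome(lambda: verify_update(DIRECTOR_TARGETS, IMAGE_TARGETS, ECU, IMAGE, NOW + 2 * 86400, LAST_SEEN)),
    }

if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:10} {result}")
```

The order of checks matters: signatures are verified before any field of the metadata is trusted, the version is compared against what the ECU already installed so a valid but stale Director response cannot downgrade it, and the image bytes are only accepted after both repositories agree on their hash and length.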

Still have questions?

Send us a message.
