Cyber resilience: Internet-based vehicle registration (i-Kfz) demands higher security standards from registration authorities
However, security deficiencies at many registration offices led to a major braking maneuver in December 2023: only car dealerships and registration service providers can still use the online service to be able to drive off with the vehicle immediately. Private individuals and companies still have to take the traditional route through the bureaucratic jungle to obtain all documents.
With the introduction of level 4, the minimum requirements for information security (MSA-i-Kfz) were further increased to ensure that the registration authorities and operators of the corresponding online portals comply with the necessary security standards. However, hacker attacks in October 2023 showed that the relevant authorities still have a lot of catching up to do to make life easier for their customers thanks to digitalized processes.
The detailed requirements of the fourth level cover a broad spectrum: they range from general security practices that lay a solid foundation for the protection of systems and data to specific specifications for securing the interfaces that are critical for the interaction between different components of the digital approval infrastructure. Both physical and logical security are addressed and general security requirements as well as security precautions at the interfaces in the system architecture must be taken into account.
MSA internet-based vehicle registration: rigorous checks by registration authorities
In order to verify compliance with these minimum security requirements, the KBA will in future rely on rigorous verification procedures: Audits and penetration tests will ensure that the registration authorities and the operators of the online portals meet the specified requirements. These tests, including IS short audits, IS web checks and IS penetration tests, are crucial for identifying and eliminating potential vulnerabilities in the systems before they can be exploited by attackers.
SEC Consult already has experience with the successful implementation of i-vehicle registration projects and offers a comprehensive service that supports the registration authorities. This includes a detailed analysis of current security measures, the identification of potential vulnerabilities and the development of customized solutions to improve the respective security architecture. In addition, SEC Consult offers training for the employees of the licensing authorities to promote a deep understanding of the security requirements and practices and thus to implement the measures sustainably.