 Good afternoon, everybody. Before I would start, I want to introduce our institute, the Institute for Security and Safety at the Brandenburg University of Applying Sciences. So institute was founded in 2012, asked by the International Atomic Energy Agency to support them after the Stuxnet incidents happened, they ran nuclear plants, and we supported this nuclear field, this nuclear sector for a couple of years. Later than, we supported the energy grids and the cybersecurity regulations for energy. And as you can imagine, there is no room for flaws, neither in nuclear sector nor in the cyber grids and the energy grids. So our area of expertise is cybersecurity energy and also in automotive. So we started to support UNICE in 2019, but we are more or less looking from outside to the sector and to the cybersecurity regulation. And I try to give you today an overview of our thoughts from that perspective. We also are involved in a couple of international activities. I don't want to go through all of them, but want to mention the first one. So we are working with UNICE and also with ITU. So we are in center of excellence of ITU Academy, but we are also working with OEWG, that's an open-ended working group on cyber norms and upon international level, which is directly run under as a general assembly of the United Nations. And that is important. I will come back to it later. First of all, every time when I have to do with a cybersecurity framework or cybersecurity regulation and session to CESIS, Vehicle Cybersecurity Framework is ready. It's time for deployment. I have always the same questions because we can be protected by 99%, but if there's a 1% vulnerability, then we might have a problem. So the questions which came up into my mind are are we ready to deploy on the one hand and is the framework sufficient on the second hand? Let's go and you'll get the first question. First of all, I think everybody has the same understanding when talking about cybersecurity and the new UNR155 regulation, by looking to the upper right area, saying secure software development, secure hardware development for cars, secure diagnostic systems, this kind of things. So this red box is pretty much focusing on cybersecurity in cars. But the UNR regulation also says that it's applicable to development, production and post-production, which means that we're spoken that also the green part should be focused on. So which means cybersecurity in production and because the car is produced by the manufacturer. But that extends now the view from only looking to the car and probably car communication to the production environment. So we have to secure the production environment or is this the question? And if we look to engineering, for example, and engineering workstations and the development process of cars, we also have to look to the blue box or blue boxes because now it comes to business IT. Back-end systems are also business IT when operating cars. And so we have all these different security domains which by today are not integrated in companies. So my understanding and my experience from talks with the secretary is that this are distinguished organizational units and they are not working together. Probably business IT has implemented in information security management system according to ISO 27001, which is often seen in such kind of companies. On the other hand, we have now the UNR 155 for the red box. But what do we have for the green box, for example? And the UNICEF regulation does not say anything about cybersecurity threats against production systems. So I think we have different scopes. We have overlapping scopes. We have probably overlapping responsibilities in the companies working on these topics. And the question arises, which kind of integrated processes we need, for example? Is there one standard which can cover all other different standards which have to be integrated into each other? That are questions which will come up. And now, okay, we have this UNICEF regulation, which will be a delegated active on the EU level. And then for European scope, it comes to the OEMs. And as I said, the OEMs have probably an ISMS run by today. And now they have to implement in CSMS, the cybersecurity management system, which is fine, which makes sense. So we have from the German Automotive Association, there is a red book explaining a little bit how to implement the CSMS. So OEMs have their part. They're pre-audits and they're supported more or less. But what's about the suppliers? As the suppliers, they are not really aware of this new UN regulation. And that has to do with the fact that this regulation comes from UN level, far away from where our suppliers are working today. And the discussions I have now nearly every week with suppliers are, so how are coming this new cybersecurity regulations down to the different supply levels? Is it by using contracts? Is it by using requirements? Is it by using tools like we have in Germany, this TISACS methodology, which now covers information security, prototype protection and data protection. So should we add something there, which is more or less a manufacturer auditing? So that are questions which we are now discussing also with our institute. Within this week, we have an expert round on a table discussing between OEM and between supplier what is needed to have it. And even if we have that, the next question is, now we have the regulation. And probably the regulations understood and it's clear how it comes to the supplier, do have the competencies. And that is, of course, the next question. So UNR 155 says competent personnel with appropriate cybersecurity skills and specific automatic risk assessment knowledge is needed. But if you go to UNX5, look deeper into the measures and think about what measures are there and how they are probably implemented, it's really first it's clear that we need people with high-sophistic cybersecurity knowledge. And so that is, for me personally, that is one of the biggest challenges we have because there is this timeline, we have mid of 2024 as a deadline, so to say. And we need people who engineered and produced electronic architectures based on this measures, based on risk analysis, threat analysis on this kind of measures. So I think that's a really big challenge and so from our point of view, competent competence analysis and the development of appropriate mental choices are the answer to that. Now looking to the second part of my questions, this framework sufficient. And with sufficient, I mean, does it cover everything which should cover or is there other boundaries? How far is the scope going? So in the middle, we see development production, post-production, that are the main processes, that are the words which are in the UN regulation. But what's about the supply chain? So the steps before, looking to hardware and software, we know that there are big challenges in securing hardware and software. I'm sure if you know that even on the hardware side, there are so many hardware trojans in between that there is an own categorization of this type of trojans and the tax. So we have a big challenge on the hardware and software side, how to produce secure hardware and secure software. Then of course, as discussed, coming to company from the development processes through production to post-production, which more or less means operating and operating also means the car is driving, the car is driving in cities. If you think about smart cities and smart projects, the car has to be an integrated part of a smart city concept. And also the charging infrastructure are interesting because charging infrastructure, that are more or less parts of the energy network. And I talked to you about you. So I'm personally working on a European level much with the energy sector and in the energy. And what we are looking from that point of view is that the networks has to be developed in the same way as needed for such kind of automotive development. So at the World Economic Forum and our working group there, we calculated how many cars, how many cars has to be hacked to bring the whole energy network in Europe down, or at least make it in Sabre. So that are questions which are coming up and which has to be looked at if we are thinking about a reliable and secure infrastructure in Europe or all over the world. So cyber security will be, and I'm really convinced about that, cyber security will be a selection criteria in the future on the question, do I buy such a car? Do I operate around such a car? Cyber security is a basic for that. And we have seen the last couple of months. So from December, January, February, March, we have seen two major incidents on the one hand, Solar Wines, which was a attack against the US mostly, and the other one was Hafnion, which was a attack against exchange infrastructure. And both of that seems to be nation states or nation sponsored attacks against infrastructures, against systems, against companies. So we have to, if we talk about cyber security in a holistic view, it's not good enough to look to one regulation or a couple of regulations focusing on the car or probably supply chain. We also have to look what is the international view on that. And that has to do with the factor, with the question on if we have massive cyber attacks against cars again, against energy infrastructures, not city infrastructures, who is defending? Who is defending in that cases? It's interesting to hear that the reinsurance sector now this year starts to think about exclusion for cyber war. So there will be, and that's their game, that they want to have in cyber war exclusion by 2022, which means we are all in a situation that we have more or less in a situation to self defense our cyber infrastructures and our cyber elements we have, cyber systems. So that part working on the international level on cyber norms and protection is a part of the puzzle. We cannot start as a manufacturer's level and saying, okay, a manufacturer produce secure product by using secure parts and then having a good secure supply chain. It's also a big part looking above this, beyond this and think about what's in states level, what's going on there, how to protect this, what is an automotive ecosystem is this point of view? And with this I'll come to the end and we'll give you some ideas on which actions are needed for cybersecurity readiness and sufficiency. So more or less to give some somehow answers to my first questions. We did a couple of things in the past or initiated a couple of things. For example, a research project in Germany on a generic digitalized vehicle architecture as a digital twin on an automotive cyber range. And so that will be hopefully a research project starting next year. So we need that for testing, for development, for forensics, for training for all these purposes because we cannot hack cars and find out how it's going. So we need this kind of element. We need also an address this in a talk, capacity building automotive and probably a generic curriculum design which fits to UNR 155. And also guidance is implemented as needed. We did such a document for the German automotive sector, especially for the suppliers because they are waiting for good information on how they should implement supply chain and what does cybersecurity management system means for them. And also I would add to that the multi-stakeholder dialogue on cyber in the vehicle ecosystem and international initiatives on security and sustainability in cyber, which are also part of a successful development on future network. So that was it from my side. Thank you very much. And I will give back to Marco. Thank you very much, Guido. You've definitely outlined some of the major concerns and major issues that we're going to have to address. Just listening to you and I have had the opportunity to review your presentation before and your thoughts. It does sound to me like the answer to the questions that you've posed that we're not really ready for deployment. Is that your conclusion or is that sort of intermediate conclusion? What is it? Yeah, so it was not my intention to answer this both questions because I think we have the panel with a lot of really renowned experts in this field. So I'm not really, I'm not sure if I'm in the position to say this will fail in any case. No, it will not. I only want to address that we have to look or have to look at an holistic approach that you have to have things in mind, especially if you start in that phase where you have a new regulation, you are only focusing on what the regulation is saying. Probably not looking to, okay, there are other areas which have to be developed in the same time or if you take 2024, how far is there a cybersecurity regulation on the energy side, which is directly connected to the car? The car is part of an energy network. So is that going in the same direction? Is it going in the same speed? Is it synchronized at some points? How does ecosystems talk to each other? And that is what I want to make aware that these questions are really important because the car doesn't mean we need on the one hand energy and we need on the other hand, communication. And that things have to be there if you want to be successful. The other thing you mentioned, and this is a very important aspect, those of us who are working in the automobile industry understand that the job of the automotive OEMs right now is as much coordinating as it is assembly, as manufacturing is being done and it's being distributed all over the world and different types of delivery chains. But you said that you don't feel that the suppliers are yet part of the picture that you've met suppliers who don't seem to understand that this is going to happen, this must happen. It's going to be from those in those countries where type approval is required that this will be a requirement for having a vehicle, putting a vehicle on the road. What needs to be done to get the suppliers into this picture? I would say we need two things. On the one hand, we need the competences on the supplier side that they are able to understand what to do. On the other hand, we need a mechanism or instruments on how are coming the cybersecurity requirements into the processes of the supplier. Until today, if I talk to them, they're saying, okay, sometimes there are coming functional requirements or safety requirements from the OEM and they are not sure if cybersecurity is inside or if that is a cybersecurity requirements according to the UN regulation. So there's no clear understanding on how that goes. And that's exactly why we have to discuss which way that should go, which instruments are there. That it must be clear to the supplier what he has to do. They are only producing what the customer will need. You think the OEMs need to be doing more to ensure that the suppliers know what they're supposed to be doing? Yeah, they have to do more. And we have the problem that or as the suppliers I talked to, they fear that every OEM interprets the UN regulation a different way and the requirements also in a different way. So that supplier says, okay, I'm getting requirements from OEM one and from the same more or less requirements from OEM two, but one is focusing on measures. The next one is focusing on security processes. And so I'm not able to implement what is needed or what my customers wanted to me because it's too expensive to implement that. The, your institute is, I know it's not just focused on Germany because of people can come from everywhere, but you seem to have a very close contact with the OEMs who are in Germany. Are there other institutions like yours that are doing similar work that you're cooperating with because this has to cover all 27 countries within the EU, at least from the type approval Europe side. And then there's a type approval in Japan and South Korea and so on. But are there other institutions that you're cooperating with that can sort of make sure that we're covering all of the OEMs, not just the German OEMs? Yeah, so we started in November with our first round table discussion because we saw that the suppliers are not aware of this UN regulation, especially smaller ones. And now this week on Thursday we have our second round table where we invited them and that's more or less open for every OEM, but it's in German. So, but every OEM is welcome. The suppliers welcome. And we want to discuss this. And there are other universities which are more on the automotive and technical side. Yeah, so the research project we initiated was together with a castle university of applying science and together with Kitt and Bosch is in there and the opinion is in there. So we are thinking about that. But I don't know exactly if there is a European and international activities going on there. So because for us, it's our first major step going into automotive while seeing that this need is there in Germany. So I'm not really aware of how it looks from a French perspective or for a Japanese perspective. But we are open to cooperate of international universities, all institutes. Yeah. I want to thank you. At this point, there would be great applause for the, for your keynote presentation. I really appreciate you are taking the time to and participating in this symposium and we'll look forward to in a year's time, all the work that's been done by your Institute and reporting on that. Thank you again very much. Yeah. Thanks, thanks, Michael. And thanks to everybody that's at you and doing this here.