In response to increasing cybersecurity threats in vehicles, the Automotive Information Sharing and Analysis Center (Auto-ISAC) was formed in 2015. Its member companies include all automakers operating in North America except for Tesla. The ISAC allows companies to share cyberthreat information in real time and develop solutions to those threats. It serves as a central point for intelligence that allows manufacturers to analyze and share potential vulnerabilities in vehicle electronics.
Vehicles are becoming increasingly connected to other devices and information systems. About 33% of vehicles on U.S. roads today include connectivity that has the potential to allow a pathway into the vehicle’s control systems. It’s predicted that a decade from now, virtually all vehicles will have data connections.
The Auto-ISAC has published its first set of cybersecurity best practices. Here are the highlights:
Security by Design. This is an approach to software and hardware development that seeks to make systems as free of vulnerabilities and resistant to attack as possible. In the vehicle context, it integrates hardware and software cybersecurity features during product development. It emphasizes secure connections to, from and within the vehicle. Software-level vulnerability testing is recommended.
Threat Detection and Protection. This is proactive cybersecurity through the detection of threats, vulnerabilities and incidents. Routine scanning and testing of the highest risk areas is anticipated. It supports anomaly detection in vehicle operations systems, services and other connected functions, while balancing the need for owner privacy.
Risk Assessment and Management. This develops processes for identifying, categorizing, prioritizing and treating cybersecurity risks that could lead to safety and data security issues. A risk assessment would be included in initial vehicle development and continue to be evaluated at each stage of the vehicle lifecycle. The supply chain would be included in risk assessments.
Incident Response and Recovery. An incident response plan enables automakers to respond to a cyberincident reliably and expeditiously. It would ensure that a team is in place in advance, and that testing and incident simulations are run periodically to prepare. Internal and external stakeholders of a vehicle cyberincident would be notified.
Training and Awareness. Training and awareness programs cultivate a culture of cybersecurity. Such programs would be run for internal stakeholders across the vehicle ecosystem. Employees would be educated on security awareness and their roles and responsibilities. Mobile, IT, and vehicle-specific cybersecurity awareness is contemplated.
Governance. This aligns a vehicle cybersecurity program with a company’s broader mission and objectives. It includes dedicating appropriate resources to cybersecurity activities and communicating responsibilities to all appropriate internal stakeholders.
Collaboration and Engagement with Third Parties. The industry is committed to engaging with third parties including peer organizations, suppliers, and government agencies (NHTSA, DHS, FBI and others).
The Best Practices offer suggested measures, and each automaker has unique needs and capabilities. The guidelines conclude by stressing that “cybersecurity is a priority to Auto-ISAC members and stakeholders across the motor vehicle ecosystem. These Best Practices can guide effective risk management at the product level and further enhance the security and resiliency of the automotive industry.”