New technology has paved the way for extraordinary advancements in vehicle safety, emissions reduction, and fuel economy. Today’s vehicles do more to keep drivers secure and connected than ever before. However, connected vehicles must be designed and manufactured with security in mind. Today, members of the Automotive Information Sharing and Analysis Center (“Auto-ISAC”) released an overview of comprehensive Automotive Cybersecurity Best Practices (“Best Practices”) developed as a proactive measure to further enhance vehicle cybersecurity throughout the industry.
Over five months, more than 50 automotive cybersecurity experts from around the world have participated in the development of these Best Practices to advance automotive cybersecurity capabilities. The effort began in early 2016 when the 15 automaker members of the Auto-ISAC formed a working group to examine all cybersecurity aspects of the motor vehicle ecosystem.
“Automakers are committed to being proactive and will not wait for cyber threats to materialize into safety risks,” said Auto-ISAC Chairman Tom Stricker of Toyota. “The Best Practices initiative represents this commitment to proactive collaboration that our industry made when we stood up the Auto-ISAC last year. I’m proud of the way we have united in our endeavor to minimize the risks our consumers might face from cybersecurity and privacy threats.”
The Executive Summary of the Best Practices has been released publicly on the Auto-ISAC website. The Best Practices provide guidance to assist an organization’s development in seven key topic areas, including:
- Governance: Aligns a vehicle cybersecurity program to an organization’s broader mission and objectives.
- Risk assessment and management: Mitigates the potential impact of cybersecurity vulnerabilities by developing processes for identification, categorization, prioritization, and treatment of cybersecurity risks.
- Security by Design: Follows secure design principles in developing a secure vehicle, as well as the integration of cybersecurity features during the product development process.
- Threat detection and protection: Detects threats, vulnerabilities, and incidents to proactively monitor environments and mitigate risk.
- Incident response: Enables automakers to respond to a vehicle cyber incident in a reliable and expeditious manner.
- Awareness and training: Cultivates a culture of cybersecurity and ensures individuals understand their role and responsibility in promoting vehicle cybersecurity.
- Collaboration and engagement with appropriate third parties: Enhances cyber threat awareness and attack response.
The Best Practices provide deep technical and organizational breadth to support, develop, and improve defenses against potential cybersecurity threats of the motor vehicle ecosystem. They are grounded in ISO, NIST and other established cybersecurity frameworks but are tailored to the motor vehicle. Auto-ISAC members have committed to continuously enhancing the Best Practices over time to keep pace with the constantly evolving cyber landscape.
The creation of Best Practices follows the release of the Framework for Automotive Cybersecurity Best Practices jointly released by the Alliance of Automobile Manufacturers (“Auto Alliance”) and the Association of Global Automakers (“Global Automakers”) in January 2016. The Auto-ISAC coordinated with both organizations throughout the Best Practices development.
The auto industry has been successful in galvanizing collaboration to address product and data security before a major cyber incident has taken place. In November 2014, members of both the Auto Alliance and Global Automakers voluntarily adopted Privacy Principles that will govern data retrieved from vehicles. The auto industry was the first in the Internet of Things ecosystem to take such a firm stance on customer data use.
The Executive Summary of the Best Practices and other information on Auto-ISAC can be found at www.automotiveisac.com.
Auto-ISAC was formed in July 2015 in a collective effort by the auto industry to establish a secure platform for sharing, tracking and analyzing intelligence about cyber threats and potential vulnerabilities. Auto-ISAC operates as a central hub that allows members to anonymously submit and receive information to help them more effectively counter cyber threats in real time. Currently, Auto-ISAC members account for more than 98 percent of light-duty vehicles on the road in North America.