Until fairly recently, you might not have considered vehicles to be major cybersecurity targets. But with the rise in connected and autonomous cars, hackers and other cyber criminals can break into the systems that run these vehicles and wreak havoc.
“With all of the connectivity available comes cyber risk,” says Faye Francy, executive director of the Automotive Information Sharing and Analysis Center (Auto-ISAC), an industry-driven community to share and analyze intelligence about emerging cybersecurity risks to vehicles.
Technology has a long tradition of racing ahead of oversight, and the automotive industry is still catching up to the speed of change. Updates to the ISO 26262 functional safety standard were recently made in December 2018 and touch on cybersecurity, but expect to see more emphasis on this topic in the future. That’ll be especially true as automotive connectivity and complexity escalates, and the development of autonomous vehicles (addressed by another safety standard, ISO/PAS 21448, or Safety Of The Intended Functionality (SOTIF), which has incidentally sparked its own upcoming conference in Germany) progresses.
As an additional resource, Auto-ISAC aims to enhance vehicle cybersecurity capabilities across the global automotive industry, including light- and heavy-duty vehicle original equipment manufacturers (OEMs), suppliers and the commercial vehicle sector.
“The Auto-ISAC is the go-to organization that facilitates cybersecurity resiliency for the global automotive industry,” Francy says. Automakers worldwide joined together in 2015 to form the nonprofit community to address growing vehicle cybersecurity risks.
A Shared Responsibility
The focus of Auto-ISAC is to foster collaboration for mitigating the risks of cyber attacks and to create a safe, efficient, secure and resilient global connected vehicle ecosystem,” Francy says. Members use a secure intelligence-sharing portal to anonymously share information that helps them more effectively respond to cyber threats, vulnerabilities and incidents.
The 49 members includes all major automakers across North America, Europe, and Asia, as well as suppliers to the heavy-duty trucking and commercial vehicle sector. In 2017, the Auto-ISAC established a Strategic Partnership Program to enable ongoing coordination with key stakeholders including partners, government regulatory agencies and law enforcement.
One of the key accomplishments of the Auto-ISAC is its Best Practices initiative, which focuses on developing guidelines organizations can use to advance their vehicle cybersecurity programs, Francy says. The members conceive, write and develop Best Practice guides that are in various stages of review.
The guides cover organizational and technical aspects of vehicle cybersecurity including incident response, collaboration and engagement with third parties, governance, risk management, security by design, threat detection and protection, and training and awareness.
“These guides are released to the community to help the automotive industry stakeholders mature,” Francy says. Currently there are three guides available to the public on the Auto-ISAC Web site: Incident Response, Third Party Collaboration, and Engagement and Governance.
The digital age has introduced connected, advanced automotive capabilities for consumers, such as driver assist, navigation and hands-free calling. But this also introduces the possibility of risk such as hacker attacks.
“We have moved from a more physical analog attack surface to a digital, networked environment,” Francy says. “This provides different opportunities for the bad actors, due to the increase in innovative technologies and the interconnectedness” of the ecosystem.
Fortunately, the industry has taken a number of actions to identify and thwart cyber threats, including implementing security features in every stage of the design and manufacturing process, collaborating with public and private research groups to share solutions, and participating in multiple cyber forums on emerging issues. There is, of course, much more work to be done.
Automotive companies can learn from the Auto-ISAC leadership as it builds and leads a community of best practices, Francy says. The organization conducts an annual tabletop exercise, quarterly workshops and monthly analyst calls with members. It also leads virtual, monthly community calls and runs an annual Vehicle Cybersecurity Summit.
Auto-ISAC partnership programs “are developed to cultivate relationships beyond our membership, with the common goal to enhance vehicle cybersecurity and develop a vibrant and robust information-sharing community,” Francy says.
Learn how a Fortune 100 semiconductor company is meeting the challenges of functional safety standards for its automotive-related technology with Jama Connect by downloading our paper.
Author Bob Violino is a freelance writer who covers a variety of technology and business topics. Follow him on Twitter.