The Automotive Information Sharing and Analysis Center, an organization composed of car companies, released best practices for preventing and responding to hacks on connected cars.
The Automotive Information Sharing and Analysis Center (Auto-ISAC), a group formed by companies in the automobile industry to address automotive cybersecurity, has released best practices for increasing the security of computerized vehicles.
While no serious auto breach incidents have occurred yet, there have been reports that connected cars could be targets of hacks. Auto-ISAC and these best practices, in addition to other groups working to better auto cybersecurity, were formed to prevent such situations.
“The automotive technology landscape is changing; it’s evolving; it’s becoming more connected,” said Tom Stricker, Auto-ISAC chairman and vice president of product regulatory affairs for Toyota. “There’s potentially the opportunity for folks who have bad intentions or are just technologically curious to try to access vehicles through means that we might not necessarily want them to. And so just recognizing where the technology is headed, we wanted to try and get out in front of the potential for cyber-related attacks on vehicles.”
This year 15 car companies—which manufacturer almost all the cars on the road and created Auto-ISAC last year—created a working group and gathered 50 experts to suggest and review vehicle cybersecurity guidelines, which resulted in these best practices. They also consulted experts and more than 30 similar cybersecurity standards from other industries, explained Auto-ISAC Executive Director Jon Allen.
The subject areas the best practices cover are:
- Governance, which aligns automotive cybersecurity with companies’ missions.
- Risk assessment and management, which suggests processes for handling cybersecurity risks.
- Security by design, which promotes building in cybersecurity features during product design.
- Threat detection and protection, which encourages monitoring for and detecting potential threats to prevent a breach.
- Incident response, which helps car companies respond to and recover from a breach.
- Awareness and training, which prepares individuals for potential auto threats and breaches.
- Collaboration and engagement with appropriate third parties, which offers another level of attack prevention or response.
Detailed playbooks of best practices for each of these areas are still being developed.
Auto-ISAC’s work on the guidelines stemmed from a higher-level scoping document released in January from the Alliance of Automobile Manufacturers and the Association of Global Automakers: the Framework for Automotive Cybersecurity Best Practices.
The best practices, which are based on current or developing vehicle capabilities, will also be updated as new technology emerges. “Frankly in this space, you have to do that because the technology changes quickly and the landscape around threats and so forth changes quickly as well,” Stricker said.