Auto Industry Publishes Best Practices for Cybersecurity

New Best Practices Guidelines from the Auto Industry ISAC are intended to promote cyber security. (Image courtesy of The Library of Congress.)
New Best Practices Guidelines from the Auto Industry ISAC are intended to promote cyber security. (Image courtesy of The Library of Congress.)

In-brief: An Automotive industry information sharing group has published Best Practices” document, giving individual automakers guidance on improving the cybersecurity of their vehicles.

The Automotive industry’s main group for coordinating policy on information security and “cyber” threats has published a “Best Practices” document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time.

The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers.

The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties.

Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and  to take a sober look at risks to connected vehicles as part of the design process.

Automakers are told to test for and respond to software vulnerabilities and to develop methods for assessing and fixing security vulnerabilities. Automakers are also urged to create training programs, promote cybersecurity awareness for both information technology and vehicle specific risks and educate employees about security awareness.

Launched in July, 2015, the Auto ISAC is an outgrowth of the Alliance of Automobile Manufacturers and counts the  world leading makers of cars as members, including Ford, GM, Mercedes Benz, BMW and others. Initially launched as a way to share threat information between automakers, the group also plans to grow to include suppliers and other strategic partners and ecosystem partners such as telecommunications and technology companies.

David Barzilai, the co-founder of Karamba Security said that the guidance will be valuable if it can get industry players aligned and make approaches to cybersecurity in vehicles less disparate.

“Previously you’ve seen a lot of segregation and individual approaches to the problem.,” he said. “You’ve had some OEMs and Tier 1 suppliers who geared up and have had security teams in place for several years. Others have just introduced them in the last year,” he noted.

The attention to vehicle cyber security problems has been on slow boil for years, as researchers demonstrated ways to compromise in vehicle systems. But the issue moved to the front burner at the 2015 Black  Hat Briefings Conference in Las Vegas, when researchers Charlie Miller and Chris Valasek demonstrated a method for remotely controlling critical vehicle systems like braking and acceleration using software based attacks. That hack kicked off a firestorm of controversy and prompted Fiat Chrysler to recall 1.4 million vehicles to repair the fix.

There is also evidence that concerns about security are affecting consumers opinions about connected cars. Kelly Blue Book survey of 813 visitors to the company’s website, published in March, found that 62% think “connected cars will be hacked,” and that a minority (42%) said they “want cars to be more connected.” 

Notoriously reclusive in matters relating to the software and hardware they put into vehicles, automakers are urged in the new guidance to engage with “third parties” who have knowledge of cyber security issues. That includes industry bodies, such as the Auto-ISAC itself and the Auto Alliance, governmental bodies like the National Highway Traffic Safety Administration, NIST,  Department of Homeland Security and FBI. Finally, automakers are urged in the best practices document to engage with academic institutions and cybersecurity researchers.

To that point, a number of automakers have announced bug bounty programs in recent years, including Elon Musk’s Tesla, GM and, most recently, Fiat Chrysler.

Barzilai, whose company makes security programs that protect automotive software from being exploited, said the risk of exploitable vulnerabilities in subsystems used in cars is great, given that the same software and hardware may be used in common across different models by the same car maker, and between different manufacturers, compounding the risk.

“From the hacker’s point of view, once they find a way to exploit a vulnerability they can exploit it across different car models,” Barzilai said.

Best practices or not, experts agree that more regulations governing cyber security are almost certain to come down from lawmakers in the U.S. and the E.U. in coming  years.

As reported by Security Ledger, The European Union Agency for Network and Information Security (ENISA) announced last week that it is conducting a study on cyber security measures for smart cars and wants to speak with “relevant stakeholders” including Tier 1 and Tier 2 suppliers to automakers.

In the U.S. the National Highway Traffic and Safety Administration (NHTSA) in April issued a request for proposals (RFP) to private firms for support developing automotive cybersecurity guidelines. NHTSA is looking to contractors to “help develop initial light-vehicle cybersecurity guidelines” that will “help provide the foundation for safe, reliable and secure vehicle systems.”