Recently the Automotive Information Sharing and Analysis Center (Auto-ISAC) released "Automotive Cybersecurity Best Practices" for carmakers and their suppliers. This document expands on their "Framework for Automotive Cybersecurity Best Practices" published in January 2016. This is the first time the automakers have addressed cybersecurity in a formal manner and a strong sign they are treating hacker threats seriously.
I am encouraged that the auto industry leveraged the experience of other industries when approaching this task. The Best Practices document builds upon guidelines from NIST and ISO/IEC in creating its cybersecurity guidance. While cars need different security measures from mobile phones or websites, there are elements that are the same across these platforms and the automakers have emphasized the relevant teaching from industries with a longer history of security-conscious software development.The topics covered by the Best Practices are:
Risk Assessment and Management
- Identifying risks and then ranking them on the likelihood of occurrence and the potential impact on the vehicle, the driver and/or the data in the car.
- A good starting point is Threat Modeling, which I have written about earlier and for which Security Innovation offers a training course.
- Integrating cyber security and privacy into hardware and software from the start of the development process, not trying to add it on at the end.
- When we surveyed automakers and their suppliers last year, only 14% stated that security is "Totally Integrated" from the start, while 51% said it was "Added on." We will be releasing the results of a follow-on survey in the fall and it will be interesting to see whether these numbers have improved.
- Monitoring systems to detect any potential attacks and taking appropriate steps to stop the hackers and remediate the threat.
- You'll often hear the statement "there have been no known attacks on vehicles outside of researchers." This is mostly true, but since car makers have few systems in place to monitor or record attacks, it is unclear if there have been undetected attacks. However, it is clear that vehicles are becoming attractive targets for the growing armies of both white and black hat hackers.
- This section details how to recover from an attack quickly and safely, and using the information to improve security architecture and development processes moving forward.
- Automakers need Over-the- Air (OTA) updates in order to be able to respond to cybersecurity incidents quickly, as relying on their customers to bring cars into the shop for updates is a slow and largely ineffective process. Implementing OTA in a secure manner is a difficult task and is not available from most car manufacturers at this time. Security Innovation has a training course describing the steps car makers need to implement OTA updates securely.
- The Best Practices document acknowledges that automakers and their suppliers need to "cultivate a culture of security and enforce vehicle cybersecurity responsibilities." They call out the need for training employees for their specific roles, including developers, IT and mobile, as well as general security awareness for all employees.
- I am pleasantly surprised that training has been included in the automotive best practices. Despite the self-evident benefits, many industries have yet to recognize the value of training their employees on cyber security topics. Most software engineers learn how to write efficient, fast, compact code, but few learn how to write secure code at university or on-the- job. Security Innovation offers more than 120 computer based training classes as well as instructor led training to teach engineers how to make secure applications. We have some automakers using the courses now and maybe the inclusion of training as a Best Practice will inspire more automakers to check out our TEAM Academy curricula.
- The document encourages car makers to engage with industry groups, government bodies, and research groups to gain additional resources in identifying and mitigating threats and to share information.
- This includes working with 3rd parties, like Security Innovation's Automotive Centers of Excellence, to supplement their internal resources and to gain a new perspective from others with substantial cyber security expertise. Vulnerabilities can be tricky to find, so having an extra set of knowledgeable eyes can be beneficial.