In July 2016, the Automotive Information Sharing and Analysis Center (Auto-ISAC) released "Automotive Cybersecurity Best Practices" for carmakers and their suppliers. This document expands on their "Framework for Automotive Cybersecurity Best Practices" published in January 2016. This is the first time the automakers have addressed cybersecurity in a formal manner and a strong sign they are treating hacker threats seriously.
I am encouraged that the auto industry leveraged the experience of other industries when approaching this task. The Best Practices document builds upon guidelines from NIST and ISO/IEC in creating its cybersecurity guidance. While cars need different security measures from mobile phones or websites, there are elements that are the same across these platforms and the automakers have emphasized the relevant teaching from industries with a longer history of security-conscious software development.The topics covered by the Best Practices are:
Risk Assessment and Management
- Identifying risks and then ranking them on the likelihood of occurrence and the potential impact on the vehicle, the driver and/or the data in the car.
- A good starting point is Threat Modeling, which I have written about earlier .
Security by Design
- Integrating cyber security and privacy into hardware and software from the start of the development process, not trying to add it on at the end.
- When we surveyed automakers and their suppliers in 2016, only 15% stated that security is "Totally Integrated" from the start, while 47% said it was "Added on." The improvement from last year's survey were not statistically significant.
Threat Detection and Protection
- Monitoring systems to detect any potential attacks and taking appropriate steps to stop the hackers and remediate the threat.
- You'll often hear the statement "there have been no known attacks on vehicles outside of researchers." This is mostly true, but since car makers have few systems in place to monitor or record attacks, it is unclear if there have been undetected attacks. However, it is clear that vehicles are becoming attractive targets for the growing armies of both white and black hat hackers.
Incident Response and Recovery
- This section details how to recover from an attack quickly and safely, and using the information to improve security architecture and development processes moving forward.
- Automakers need Over-the- Air (OTA) updates in order to be able to respond to cybersecurity incidents quickly, as relying on their customers to bring cars into the shop for updates is a slow and largely ineffective process. Implementing OTA in a secure manner is a difficult task and is not available from most car manufacturers at this time.
Training and Awareness
- The Best Practices document acknowledges that automakers and their suppliers need to "cultivate a culture of security and enforce vehicle cybersecurity responsibilities." They call out the need for training employees for their specific roles, including developers, IT and mobile, as well as general security awareness for all employees.
- I am pleasantly surprised that training has been included in the automotive best practices. Despite the self-evident benefits, many industries have yet to recognize the value of training their employees on cyber security topics. Most software engineers learn how to write efficient, fast, compact code, but few learn how to write secure code at university or on-the- job. Security Innovation offers more than 120 computer based training classes as well as instructor led training to teach engineers how to make secure applications. They have some automakers using the courses now and maybe the inclusion of training as a Best Practice will inspire more automakers to check out the TEAM Academy curricula.
Collaboration and Engagement with Appropriate Third Parties
- The document encourages car makers to engage with industry groups, government bodies, and research groups to gain additional resources in identifying and mitigating threats and to share information.
- This includes working with 3rd parties to supplement their internal resources and to gain a new perspective from others with substantial cyber security expertise. Vulnerabilities can be tricky to find, so having an extra set of knowledgeable eyes can be beneficial.
The increased connectivity in modern automobiles adds convenience and safety to drivers and passengers, but also introduces new threats. The Auto-ISAC has taken an important step in acknowledging these threats and giving car manufacturers and suppliers help in identifying the steps required to make cars more resistant to cyber-attacks.
Originally posted on July 27, 2016 at https://blog.securityinnovation.com