The Automotive Information Sharing and Analysis Center, or Auto-ISAC — an information sharing organization at the center of the automobile industry’s efforts to improve vehicle cybersecurity — released new guidelines Friday for how manufacturers should approach digital security, including standards to disclose vulnerabilities and protect manufacturers’ supply chains.
The move is being hailed by some security experts as a step in the right direction that will improve safety in Internet-connected cars.
The best practices fact sheet — revealed on the last day of the annual Detroit-based Billington Cybersecurity conference — represents a timely and concerted push by the auto industry to emphasize cybersecurity during a time in which the risks of poor security have been well recognized.
“This is a great proactive step that encourages automakers to bake cyber security into every stage of the manufacturing process, from concept phase to production and throughout the vehicle’s lifecycle,” explained Monique Lance, a marketing director for Israeli cybersecurity firm Argus.
During multiple public appearances in San Francisco last week, U.S. Highway Traffic Safety Administration Chief Mark Rosekind said that “no one incident” would derail the department’s support for the development of driverless car technologies and therefore its larger mission to improve driving safety.
But the driverless technology of tomorrow, referenced by Rosekind, will also rely on network connectivity that today remains susceptible to interception and possible disruption, as was demonstrated in a now-viral video featuring two cybersecurity researchers remotely taking control of a Jeep Cherokee.
“As vehicles become increasingly connected and autonomous, the security and integrity of automotive systems is a top priority for the automotive industry,” the best practices document reads.
Automobile cybersecurity only became a real concern for some lawmakers on Capitol Hill when the aforementioned Jeep hack conducted by researchers Charlie Miller and Chris Valasek made headlines, explained Booz Allen Hamilton Principal Jon Allen, who oversees a cybersecurity division in the firm’s commercial high tech, manufacturing and retail sector.
Coincidentally or not, multiple hearings on Capitol Hill have taken place since Miller and Valasek’s demonstration, exploring the state of digital security in the automobile industry and whether a legislative remedy is in fact appropriate.
“If manufacturers and designers can truly adhere to these best practices, it will go a long way to protecting American families from automotive cyberthreats,” said Rep. Ted Lieu, D-Calif., in a statement reflecting on the new auto guidance. In November, Lieu introduced automotive cybersecurity legislation alongside Rep. Joe Wilson, R-S.C.
A cyberattack on a so-called “smart car” — which could render basic mechanical functions useless — could lead to a crash and cause death or injury to drivers, security experts have theorized.
“As we see in all industries, cyber security is not a point solution, but an end-to-end problem that needs a full life-cycle security mindset. Just as intrusion detection alone does not stop all attacks, the best practices emphasize security by design, risk management, reporting and sharing, and training,” said RunSafe CEO Joseph Saunders, whose McLean, Va.-based firm develops hardware and software to protect vehicles from hackers.
“What is ultimately needed is both security embedded in components on vehicles to help with zero-day attacks as well as updates delivered over-the-air — or through dealerships — to assist with the latest holes in intrusion detection systems,” he added.
The “Automotive Best Practices” document does not specify whether it prefers over-the-air or on-premise security software updates for vehicles. This distinction is important because it will help determine how often and how easily drivers can upgrade their car’s cyber defenses.
Members of the Auto-ISAC include Ford, BMW Group and GM.