The Auto ISAC recently released its “Automotive Cybersecurity Best Practices.” The Best Practices document follows on the Framework for Automotive Cybersecurity Best Practices released earlier this year.
The new Cybersecurity Best Practices represent a good start in trying to identify content and key cybersecurity functions, but in the absence of specific requirements or compliance measures, there is unstated recognition that much work remains to be done. As the Auto ISAC is new and only recently operational, the Best Practices reflect a first attempt at defining the issues and challenges, along with identifying broad concepts about the need for industry collaboration going forward.
Upfront, the Best Practices state that “Cybersecurity experts agree that a future vehicle with zero risk is unobtainable and unrealistic.” Cyber-attacks on computers, servers, and connected devices are a reality of everyday life, and despite the evolution of enhanced security and countermeasures, hackers will continue their efforts and expand into connected vehicles. Being honest and direct about the realities of cyber-attacks on connected vehicles is a good place to start.
The Best Practices also identify seven Key Cybersecurity Functions: 1) security by design; 2) risk assessment and management; 3) threat detection and protection; 4) incident response; 5) collaboration and engagement with appropriate third parties; 6) governance; and 7) awareness and training.
Of these seven functions, three are critical with respect to motor vehicle suppliers.
Security by design
Considering that suppliers develop and manufacture nearly 70 percent of a vehicle’s content, they must be included in designing cybersecurity features for vehicle electronics. Typically, the vehicle manufacturer tells the supplier what the specifications should be for a particular component. In turn, the supplier manufactures the component and ships it to the vehicle manufacturer’s assembly line, where all of the components are assembled and connected into a working vehicle. Only the vehicle manufacturer has a complete understanding of how the various components are integrated and interact with one another. From a practical standpoint, suppliers will need greater insight into how their individual components and cyber protection systems will interact with the OEMs’ other electronic and critical safety systems on the completed vehicle.
Threat detection and protection
Perhaps this function can also encompass the other functions of risk assessment, incident response, and collaboration with third parties. These functions are at the very heart of the Auto ISAC – which, by design, exists for vehicle manufacturers and suppliers to share information about cyber threats, responses, and collaboration about evolving protections. The challenge here is to integrate suppliers into the Auto ISAC. Several Tier One suppliers that manufacture connected electronic components have joined or are in the process of joining the ISAC, but their participation is subject to the approval of auto manufacturers, and suppliers do have limited participation rights within the ISAC. Going forward, there will also need to be an active role for heavy-duty and aftermarket component suppliers that develop and manufacture connected vehicle electronics and devices.
Awareness and training
Suppliers and OEMs alike will be challenged to integrate strategic thinking about cybersecurity into their business models, products, and organizational structure. It is not unreasonable to suggest that suppliers and OEMs should all put in place executive-level personnel to address cybersecurity issues, and that should include company-wide awareness and training on the impact that cybersecurity will have as vehicles become more connected.
As the Auto ISAC points out in its Cybersecurity Best Practices, there is always the prevailing assumption that systems will have vulnerabilities. But establishing pathways to deal with cybersecurity in proactive and prompt ways signals that the industry is better prepared and vigilant.
MEMA Staff Contact: Tom Lehner