Growing reliance of modern vehicles on interfaces connecting vehicles to external networks can leave systems, including steering and brakes, at risk to cyberattacks.
The dependence today's vehicles have on software that controls a number of growing safety features and other functions opens up a vulnerability to cyberattacks that lead the Automotive Informational Sharing and Analysis Center (Auto-ISAC) to publish a set of seven "best practices."
Auto-ISAC formed the list to guide companies on how to reduce the risk of, and address, these threats to automotive systems. The best practices are an expansion on the Framework for Automotive Cybersecurity Best Practices published January 2016 and include the following:
Governance and Accountability
Under governance and accountability, Auto-ISAC outlined the need for a cybersecurity program that aligns with the organization's objectives, and then establishes the processes to ensure compliance with regulations and policies.
Risk Assessment and Management
Another Best Practice when handling the potential impact of vulnerabilities, is to establish a standardized process to identify, measure, and – most importantly – prioritize the sources of risk. The risk assessment and management process would be a framework as to what to expect, and the plan to avoid it.
Security by Design
During the product development process, vehicles should also integrate hardware and software cybersecurity features. With security by design Auto-ISAC emphasized the need to layer cybersecurity defenses to "achieve defense-in-depth" designs.
Threat Detection and Protection
Organizations need to outline how to identify and manage vulnerabilities, and how to support detection for vehicle operation systems and services with consideration for privacy, with the threat detection and protection best practice.
Incident Response and Recovery
Auto-ISAC also advices a incident response plan document to guide protocols for recovering from cybersecurity incidents and ensure improvement by performing periodic testing.
Training and Awareness
Vehicle design is one way to combat or avoid threats, but the best practice also calls for tailored training programs for internal stakeholders and employees.
Collaboration and Engagement with Appropriate Third Parties
The last Best Practice calls for the review of gathered information and data before release to third parties, and engagement with industry, governmental and academic bodies to use as a resource.
Auto-ISAC wants to use these best practices as a guideline, and has no requirements for implementation from its members. For more details visit: https://www.automotiveisac.com/best-practices/
