Members of the Automotive Information Sharing and Analysis Center (Auto-ISAC) recently released an overview of comprehensive Automotive Cybersecurity Best Practices, developed as a proactive measure to further enhance vehicle cybersecurity throughout the industry.

Cybersecurity has been a significant concern in the automotive industry, especially since the Wired article in July 2015 that described hackers remotely taking control of a Jeep while it was driving 70 MPH on a highway. Fortunately, the subject was participating in an unofficial test with the hackers, who used previously unknown exploits to control the vehicle.

The new Automotive Cybersecurity Best Practices represent the work of over 50 automotive cybersecurity experts who worked for over five months to advance automotive cybersecurity capabilities. As an example of where the Internet of Things (IoT) meets real-world risk, this is a major step forward in public safety.

As stated in the Alliance of Automobile Manufacturers statement: The Best Practices provide guidance to assist an organization’s development in seven key topic areas, including:
- Governance: Aligns a vehicle cybersecurity program to an organization’s broader mission and objectives.
- Risk assessment and management: Mitigates the potential impact of cybersecurity vulnerabilities by developing processes for identification, categorization, prioritization, and treatment of cybersecurity risks.
- Security by Design: Follows secure design principles in developing a secure vehicle, as well as the integration of cybersecurity features during the product development process.
- Threat detection and protection: Detects threats, vulnerabilities, and incidents to proactively monitor environments and mitigate risk.
- Incident response: Enables automakers to respond to a vehicle cyber incident in a reliable and expeditious manner.
- Awareness and training: Cultivates a culture of cybersecurity and ensures individuals understand their role and responsibility in promoting vehicle cybersecurity.
- Collaboration and engagement with appropriate third parties: Enhances cyber threat awareness and attack response.