The increased connectivity in modern vehicles adds convenience to drivers and passengers. However, it also sets in motion a proliferation of new cyber threats. Automotive manufacturers and suppliers are working to protect against these threats, identifying and implementing best practices needed to make modern vehicles more resistant to cyber-attacks.
Cybersecurity in the Automotive Industry – Do You Need it?
A recent report titled Ransomware Risk: Automotive Manufacturing in 2021 released by Black Kite found that almost half of the top 100 car manufacturers are highly susceptible to a ransomware attack. Moreover, 71 percent of automotive companies have the lowest ratings when it comes to patch management.
A few decades ago, such statements would seem nonsensical, but modern advancements have brought computerized features to nearly every new car made today. People plug in their smartphones to their car’s infotainment systems and cars regularly connect to the internet, introducing an increased landscape of threats to the connected vehicle ecosystem.
This new threat landscape is only expected to expand as more vehicle manufacturers undergo digital transformation, advanced driver assistance systems require more data and access to personal information, and automotive supply chains increase in complexity. In other words, cybersecurity in the automotive industry is absolutely needed.
7 Automotive Cybersecurity Best Practices
The Automotive Information Sharing and Analysis Center (Auto-ISAC), formed by automakers in August 2015, is a global information-sharing community designed to address vehicle cybersecurity risks.
Auto-ISAC regularly updates a list of best practices for automotive cybersecurity which provide a risk-based approach for manufacturers, suppliers, and the commercial vehicle sector to manage vehicle cybersecurity across all phases of the vehicle’s lifecycle. A brief summary of each of these practices is in the following sections.
Create an incident response plan
Creating an incident response plan ensures that you will have a well-thought-out set of steps to take should a security breach affecting the motor vehicle ecosystem occur. It’s always best to have plans mapped out before an incident so that action can be taken swiftly without compromising effectiveness.
Such a plan should include:
- Protocols for recovering from cybersecurity incidents in a reliable and expeditious manner
- Ways to ensure continuous process improvement
- Documentation of the plan strategy and establishment of roles and responsibilities
- A strategy for testing the plan through exercises and training
- Procedures for identifying, validating, classifying, and escalating potential incidents
- Procedures for activating a team to rapidly contain, mitigate, remediate and recover from incidents
- Procedures for closing out each incident such as debriefs, continued monitoring of remediation actions, and plan updates
Encourage collaboration and engagement with third parties
Collaboration among multiple stakeholders enhances threat awareness and response. Relevant third-parties may include industry partners, industry organizations, government, academia, researchers, and media. The collaboration can help facilitate information sharing-focused activities which bring together a wide variety of experts, and the establishment of long-term initiatives that make use of pooled resources.
Build risk assessment and management strategies
Risk assessment and management involves a focus on identifying, categorizing, prioritizing, and treating risks that could lead to a breach. The process of risk assessment helps automotive manufacturers identify critical assets and weak spots while developing strategies for closing security gaps. Associated tasks may include:
- Defining the scope and requirements of the assessment
- Integrating assessments into a vehicle’s lifecycle
- Documenting roles and responsibilities of stakeholders
- Developing a risk tolerance profile to inform future decision-making
- Determining the methods used to evaluate risk and develop plans
- Communicating risk to stakeholders
- Integrating risk management into governance and compliance
Have training and awareness programs
The weakest link in cyberthreat protection usually comes in human form. The people involved in implementing and managing vehicle technology should be kept aware and up to date on what the latest threats are and how to avoid making a critical mistake. Awareness and training programs should be developed in alignment with business needs, make use of appropriate training curricula, be implemented across all relevant sectors, and be continuously analyzed for effectiveness and modified for improvement as necessary.
Continuously detect, monitor, and analyze threats
Threats are ever-present and constantly evolving in the automotive technology ecosystem. The right tools and strategies should be implemented to continuously monitor, detect, and analyze these threats.
This goes beyond simply having a plan in place to respond to incidents as they occur and instead focuses on putting the right systems in place to catch problems before they happen, deploy patches in a timely manner, and constantly analyze network traffic for anomalies.
Build a framework for governance
“Governance” is the catchall phrase describing the systems involved in direction, control, decision-making, and structure within an organization. An effective framework for governance can help align cybersecurity strategies with a business’s overall goals and objectives. The following should be considered when developing a governance framework:
- How you will define and communicate the overall scope, mission, and vision
- Identification of key organization functions
- How you will organize and activate leadership to include where and how decision-making occurs
- What strategies you will use to engage all stakeholders across the business, organization, or sector
- What the strategy will be for developing policies and processes
- How performance will be managed, and which metrics are relevant
Implement security development lifecycle (SDL)
Vehicle cybersecurity isn’t something that only exists after a vehicle is built and deployed. It should be integrated throughout all parts of the vehicle’s lifecycle, including planning, design, and manufacturing.
In the pre-development stage, this involves considering how existing architectures might constrain future security needs, identifying lessons learned from previous design cycles, and evaluating risk. During design and development, it’s important to consider cybersecurity specifications at the component level, develop plans for testing and threat mitigation, and make plans for vehicle-wide security implementation.
Throughout the cycle, testing and verification practices can help improve the overall cybersecurity posture. Post-development, the vehicles will need continuous security monitoring and a way to implement new security improvements on an ongoing basis.
How SecurityScorecard Can Help
SecurityScorecard has formed a strategic partnership with Auto-ISAC. The Partnership affords Auto-ISAC access to a SecurityScorecard instance that can be used to continuously monitor the cybersecurity posture of its service providers Auto-ISAC leverages the visibility provided to conduct security assessments, identify pockets of risk aggregation across the automotive ecosystem, and help inform the ISAC’s intelligence collection. The partnership also gives all Auto-ISAC Members access to a Complimentary Enterprise Starter License that they can leverage to continuously monitor themselves and up to five third parties (vendors, suppliers, peers, or customers).
The SecurityScorecard platform identifies security issues across 10 risk factor groups, including network security, patching cadence, endpoint security, and social engineering. By providing instant and continuous visibility into the cyber health of your organization and any third-party vendors, the platform helps you identify vulnerabilities, active exploits, and advanced threats while rigorously protecting your business and strengthening your security posture.