An auto industry group has released a set of best practices to help manufacturers design and build more secure vehicles. The document focuses on broad concepts, such as risk assessment and threat detection, rather than specific guidance.
The release of the best practices by the Auto-ISAC comes at a time when security researchers are shining a bright light on deficiencies in existing computer systems in vehicles. The last couple of years have seen a string of projects aimed at uncovering security vulnerabilities in vehicles, most famously the work done by researchers Chris Valasek and Charlie Miller in which they found and exploited bugs in a Jeep vehicle that allowed them to shut down the car remotely. That research produced a mountain of publicity and spurred a patch by the manufacturer, along with concerns from legislators and regulators about the security of connected vehicles.
The guidance for auto makers focuses on seven separate functions: security by design, risk assessment and management, threat detection and protection, incident response, collaboration and engagement with third parties, governance, and awareness and training.
"The Best Practices adhere to a risk-based approach to help automakers and industry stakeholders manage and mitigate vehicle cybersecurity risk. This risk-based approach enables all organizations—regardless of size, vehicle technology, or cybersecurity maturity—to tailor Best Practice implementation in a manner appropriate to their systems, services, and organizational structures," the document says.
The biggest section of the best practices document is the piece on security by design. Auto makers have spent decades designing and optimizing processes for the development and manufacture of vehicles, but their processes for building and implementing software systems are somewhat less mature. That is a major concern for regulators and customers, as many modern vehicles are computers with tires and engines attached to them. They have computers that control not only the entertainment functions, but also the engine, the brakes and other key systems. Those systems are sometimes interconnected and, in some configurations, reachable from the Internet. Securing the software that runs those systems is one of the key methods for improving the security of connected vehicles.
Among the areas in the security by design portion of the document are:
- Consider commensurate security risks early on and at key stages in the design process.
- Identify and address potential threats and attack targets in the design process.
- Consider and understand appropriate methods of attack surface reduction.
- Layer cybersecurity defenses to achieve defense-in-depth.
- Identify trust boundaries and protect them using security controls.
- Include security design reviews in the development process.
- Emphasize secure connections to, from, and within the vehicle.
- Limit network interactions and help ensure appropriate separation of environments.
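One way to put the trust-boundary and separation-of-environments items above into practice, as an added example that is not from the Auto-ISAC document or any manufacturer: a deny-by-default gateway between an Internet-reachable infotainment domain and the powertrain domain, which also logs every crossing for threat detection. Domain names, message IDs, the 8-byte payload limit and the sample frames are constructed for illustration.

```python
"""Added example: a minimal in-vehicle domain gateway enforcing a trust
boundary. Domain names, message IDs and frames are constructed, not taken
from any real vehicle or from the Auto-ISAC document."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    src_domain: str   # domain the frame arrived from
    msg_id: int       # hypothetical bus message identifier
    payload: bytes

@dataclass
class DomainGateway:
    # Deny by default: only (src, dst, msg_id) triples listed in `allow`
    # may cross the boundary; everything else is dropped and recorded.
    allow: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def permit(self, src: str, dst: str, msg_id: int) -> None:
        self.allow.add((src, dst, msg_id))

    def forward(self, frame: Frame, dst_domain: str) -> bool:
        rule = (frame.src_domain, dst_domain, frame.msg_id)
        # Assumed 8-byte frame limit: oversized frames are rejected even
        # when the message ID is allowed (defense in depth).
        if rule in self.allow and len(frame.payload) <= 8:
            self.audit.append(("allow", rule))
            return True
        self.audit.append(("deny", rule))   # input for threat detection
        return False

def build_gateway() -> DomainGateway:
    gw = DomainGateway()
    # Read-only telemetry may flow powertrain -> infotainment (e.g. speed
    # for the display). Nothing is permitted in the opposite direction.
    gw.permit("powertrain", "infotainment", 0x100)
    return gw

def demo() -> list:
    gw = build_gateway()
    return [
        gw.forward(Frame("powertrain", 0x100, b"\x00\x32"), "infotainment"),
        gw.forward(Frame("infotainment", 0x100, b"\x00\x32"), "powertrain"),  # wrong direction
        gw.forward(Frame("infotainment", 0x2F0, b"\xff"), "powertrain"),      # unlisted ID
        gw.forward(Frame("powertrain", 0x100, b"\x00" * 9), "infotainment"),  # oversized
    ]
```

In a real gateway the audit list would feed the vehicle's threat-detection pipeline rather than stay in memory.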
The best practices also include a section on incident response and recovery, advising manufacturers to develop detailed plans for responding to security incidents and vulnerability disclosures. Right now, auto makers are in the same situation that many software companies were 15 years ago, facing vulnerability disclosures and inquiries from researchers without being prepared for it. Software makers learned eventually that it made sense to respond quickly and professionally to researchers, and auto makers are at the beginning of that process now.