March 25, 2019
March Madness | Will Your Authentication Solution Stand Up?
Each year in the spring, the NCAA holds a basketball…
An auto industry group has released a set of best practices to help manufacturers design and build more secure vehicles. The document focuses on broad concepts, such as risk assessment and threat detection, rather than specific guidance.
The release of the best practices by the Auto-ISAC comes at a time when security researchers are shining a bright light on deficiencies in existing computer systems in vehicles. The last couple of years have seen a string of projects aimed at uncovering security vulnerabilities in vehicles, most famously the work done by researchers Chris Valasek and Charlie Miller in which they found and exploited bugs in a Jeep vehicle that allowed them to shut down the car remotely. That research produced a mountain of publicity and spurred a patch by the manufacturer, along with concerns from legislators and regulators about the security of connected vehicles.
The guidance for auto makers focuses on seven separate functions: security by design, risk assessment and management, threat detection and protection, incident response, collaboration and engagement with third parties, governance, and awareness and training.
“The Best Practices adhere to a risk-based approach to help automakers and industry stakeholders manage and mitigate vehicle cybersecurity risk. This risk-based approach enables all organizations— regardless of size, vehicle technology, or cybersecurity maturity—to tailor Best Practice implementation in a manner appropriate to their systems, services, and organizational structures,” the document says.
The biggest section of the best practices document is the piece on security by design. Auto makers have spent decades designing and optimizing processes for the development and manufacture of vehicles, but their processes for building and implementing software systems are somewhat less mature. And that’s a major concern for regulators and customers, as many modern vehicles are computers with tires and engines attached to them. They have computers that control not only the entertainment functions, but also the engine and brakes and other key systems. Those systems are sometimes interconnected and reachable from the the Internet in some situations. Securing the software that runs those systems is one of the key methods for improving the security of connected vehicles.
Among the areas in the security by design portion of the document are:
The best practices also include a section on incident response and recovery, advising manufacturers to develop detailed plans for responding to security incidents and vulnerability disclosures. Right now, auto makers are in the same situation that many software companies were 15 years ago, facing vulnerability disclosures and inquiries from researchers without being prepared for it. Software makers learned eventually that it made sense to respond quickly and professionally to researchers, and auto makers are at the beginning of that process now.