Information sharing: the key to protecting vehicles from cyber-threats
Faye Francy, Executive Director at Auto-ISAC, discusses how one company’s detection of a potential attack can help another company prevent a security breach…
Vehicle connectivity is transforming the automotive industry, enabling safer, cleaner, more fuel efficient and smarter vehicles. However, as consumers demand new capabilities and enhanced connectivity, the automotive industry is becoming more vulnerable to an increasingly complex set of cyber-security challenges.
Protecting consumers from cyber-threats is a relatively new challenge for the automotive industry – one that differs from traditional safety, quality, compliance and reliability challenges. Individual companies have supported and engaged in efforts to safeguard their customers and address these emerging cyber-security concerns by working with governments, third party security technologists, non-profit organisations, universities and Science Technology Engineering and Mathematics (STEM) initiatives.
These individual efforts have provided a degree of protection to the industry and its consumers, but the cyber-threat to the connected vehicle is dynamic and adaptive to new technologies. This highlighted the need for an industry-wide approach to connected vehicle cyber-security. As a result, in 2014, the Auto Alliance, Global Automakers and 14 automakers joined forces to form the Auto-ISAC – a community in which to share and analyse intelligence about emerging cyber-security risks to vehicles.
The organisation has global representation from over 44 members across North America, Europe and Asia. Its members represent 99 per cent of all the light-duty vehicles on the road in North America.
Its goals are to:
- Serve as an unbiased information broker
- Increase timeliness, quality and quantity of information shared
- Conduct threat analysis for contextual, relevant and actionable information
- Maintain agility and flexibility to adapt to the evolving cyber landscape.
As a model, an ISAC is an organisation or trusted third party that enables information sharing and collaboration within a critical infrastructure sector. It acts as a central resource for gathering and disseminating information on security threats and provides a method for the anonymous sharing of information within its membership, as well as two-way sharing between its members and the public sector. There are currently 24 ISACs established for critical infrastructure industries including financial, energy and aviation.
From its inception, the key mission of the Auto-ISAC was to establish an industry-wide culture of security information sharing. The organisation works to illustrate to its members the value of information sharing by providing actionable intelligence and analysis from various law enforcement and federal resources, but most importantly, from Auto-ISAC members themselves. Furthermore, it provides its members with a means of developing consensus within the industry, by focusing on the premise that one company’s detection of a potential threat may mean another company’s prevention of a security breach.
Now, the Auto-ISAC is the global automotive industry’s leading voice for cyber-security, giving members a seat at the table when industry best practices and future governmental requirements are shaped. It serves as a central hub of information that allows members to anonymously submit and receive information to help them more effectively respond to emerging cyber-threats. This capability is supported within a secure platform for sharing, tracking and analysing intelligence about potential cyber-threats and vulnerabilities related to the connected vehicle.
Alongside this, the Auto ISAC works to increase collaboration and sharing across its membership by hosting analysts’ workshops, tabletop exercises, seminars and through its annual Auto-ISAC Summit, a multi-day event that gathers the automotive industry to learn about and discuss emerging threats to the connected vehicle.
To enhance the security posture of the industry, the Auto-ISAC and its members are completing a series of industry security ‘Best Practice Guides’, all of which will be available to the public in 2019. Additionally, the Auto-ISAC helps and encourages the industry to establish vulnerability disclosure programmes that can assist in identifying vulnerabilities and potential mitigations. It also hosts a monthly Community Call, featuring guest speakers discussing topics and initiatives relevant to connected vehicle cyber-security.
As for the future scope of automotive cyber-security, the trend is for even more collaboration and information sharing. Whereas tremendous progress has been made over recent years to instill an environment that is comfortable with information sharing, the industry has also recognised the need for a redoubling of efforts to stay ahead of the ever-growing threat landscape. The Auto-ISAC will continue to support its members as they lead this charge in safeguarding the connected vehicle, their consumers and the automotive industry.
Faye Francy is the Executive Director of the Automotive Information Sharing and Analysis Center (Auto-ISAC). She serves the global automotive industry through sharing and analysis of trusted and timely cyber-threats against the connected vehicle industry. Her responsibilities include developing and executing a Strategic Plan and building a set of best practices and operational resiliency for the community. This position works with private-sector members, partners and governments to strengthen industry’s capabilities in detecting, preventing, responding and mitigating disruptions to the connected vehicle industry. Previously, Francy was the Aviation ISAC Executive Director and held numerous leadership positions at Boeing, including Cyber ONE Leader, Director Enterprise Technologies, Phantom Works and Air Traffic Management.