24th August 2016
The Automotive Information Sharing and Analysis Centre (Auto-ISAC) has published its first ever best practice guide, to ‘collectively address cyber threats that could present unreasonable safety or security risks.’
Auto-ISAC has followed the precedent set by other ISACs and developed a set of Best Practices aimed at securing the motor vehicle ecosystem.
The publication of these Best Practices follows the January 2016 release of The Proactive Safety Principles, in which Auto-ISAC demonstrated the automotive industry’s dedication to collaboratively enhancing the safety of the travelling public.
The Best Practices expand these principles into workable organisational and technical methods of vehicle security across seven key functions: governance, risk management, security by design, threat detection, incident response, training and collaboration with appropriate third parties.
The growing problem of cyber security
The executive summary accompanying the Best Practices states: “As vehicles become increasingly connected and autonomous, the security and integrity of automotive systems is a top priority for the automotive industry.”
This acknowledges that, as with any computer, the sophisticated systems on which cars increasingly rely for superior performance and reliability also increase their vulnerability to cyber attack.
The Auto-ISAC Best Practices focus on product cyber security within the vehicle ecosystem to directly address this problem. By adhering to a risk-based approach, car manufacturers and industry stakeholders can manage and mitigate the cyber security threats to vehicles.
This approach allows all related organisations to tailor the Best Practice implementation to suit their systems, services and organisational structures. It also works regardless of company size, vehicle technology and cyber security maturity level.
Best Practices; not assessment or compliance framework
The Best Practices incorporate concepts from several other established standards and frameworks created by the International Organisation for Standardization (ISO), National Institute of Standards and Technology (NIST), SAE International and others.
However, they do not constitute a formal assessment or compliance framework, nor do they mandate prescriptive requirements. Instead, each organisation must determine how to apply the Best Practices internally to suit its own needs and the needs of its customers.
Many of the Best Practices do build on established ideas within the recognised standards or are adapted to address the unique elements of the motor vehicle ecosystem. In addition, the scope of these practices reflects others that address information technology, supply chains and manufacturing security.