After more than five months of planning, the Automotive Information Sharing and Analysis Center (Auto-ISAC) Thursday released a set of automotive cybersecurity “Best Practices.”
The practices are meant to serve as guidance in the development of automotive cybersecurity in seven key areas: governance, risk assessment and management, security by design, threat detection and protection, incident response, awareness and training, and collaboration and engagement with appropriate third parties.
Auto-ISAC is also developing supplemental materials, including a reference model and practice guides, to benefit members and stakeholders.
More than 50 automotive cybersecurity experts from around the world participated in creating the guidelines, providing insight and support to help improve defenses against potential cyber threats.
"Automakers are committed to being proactive and will not wait for cyber threats to materialize into safety risks," Auto-ISAC Chairman Tom Stricker of Toyota said in the July 21 press release.
Tripwire Security Research and Software Development Engineer Lane Thames applauded the initiative but said the implementation of the practices may be slow and tricky at first.
“Adding cyber features to automobiles will make them even more complex, and security issues, if not addressed early on, could have a significant negative impact on automotive security,” Thames told SCMagazine.com via emailed comments. “On the flip side, cyber technology in automobiles can make our lives much more convenient while also increasing automotive safety.”
He went on to say the vast majority of engineers, scientists and technology personnel involved in the design process lack the background knowledge needed to implement more secure cyber technologies for these systems.
Other cybersecurity professionals felt the Best Practices alone will have little effect on overall security without any incentive to actually secure vehicles.
Rubicon Labs Vice President Rod Schultz told SCMagazine.com via emailed comments that the automotive industry has known about the lack of security in its vehicles for more than 10 years and is just now starting to take action.
“You are finally seeing the first efforts to address this due to widespread public knowledge (Black Hat 2015 and other press-worthy events) and the desire of each automotive OEM to not be viewed as the weakest in the group,” Schultz said.
"Bind these best practices to a massive carrot or a very painful stick and you will begin to see much more progress in automotive security."