Auto-ISAC Series of Automotive Cybersecurity Best Practices
Status: Final Published
Date: Since July 2019
Region: United States
Document: Link
Background
The Auto-ISAC stems from Presidential Decision Directive 63 (PDD-63) in 1998 on the creation of public-private sector partnerships for the protection of the U.S. critical infrastructure. It comes under the purview of the National Infrastructure Protection Plan (NIPP 2013) – Partnering for Critical Infrastructure Security and Resilience. Formed in 2015, and operational in 2016, the Auto-ISAC is composed of 30+ OEMs. Its goal is to provide a global information-sharing community focused on promoting and sharing information on vehicle cybersecurity.
In 2016, Auto-ISAC published a series of best practices (seven in total, plus an executive summary), which cover the following topics:
- Incident response (updated July 2019)
- Collaboration and engagement with appropriate third parties (updated July 2019)
- Governance (updated July 2019)
- Risk assessment and management (updated August 2019)
- Threat detection, monitoring, and analysis (updated August 2019)
- Training and awareness (updated August 2019)
- Security development life cycle (update not available online)
They are aimed at OEMs, suppliers, and the commercial vehicle sector primarily.
Summary
The best practices offer a risk-based approach for OEMs to manage and mitigate vehicle cybersecurity and cover all phases of the vehicle lifecycle, including design, development, and post-production.
The Incident Response Best Practice includes guidance on how to prepare an incident response plan (establishing roles and testing through drills), identify and then fix incidents rapidly (including technical, and non-technical processes, such as communications, legal, and regulatory), and finally close out the process with self-evaluation and implementing any longer-term remediation actions.
The Collaboration and Engagement with Appropriate Third-Parties Best Practice offers a framework to work with other potential stakeholders, including academia, government, and media, for example. Three main activities are outlined for OEMs, and these are information sharing (notably around threat intelligence, vulnerability research, and best practices), event engagement (conferences and hackathons are cited as examples), and finally programs that can include standards development, coordinated disclosures, and certifications.
The Governance Best Practice outlines how to align cybersecurity within an organization. The key practices here include designing cybersecurity governance in terms of scope, vision, and functions, and then building and operating the program into the corporate structure and in product design. The building angle includes ensuring clear leadership, a staff structure, and an interaction model, while the operational angle requires the establishment of appropriate policies and procedures, performance management, and resource allocation.
The Risk Assessment and Management Best Practice provides strategies to mitigate the potential impact of vulnerabilities, focusing on categorizing, prioritizing, and treating cybersecurity risks. These include a number of tasks, including defining scope and requirements, ensuring appropriate coverage, documenting roles and responsibilities, analyzing the risk life cycle, formalize a risk tolerance profile, evaluating results and determining risk treatment plans, communicating those risks to leadership and stakeholders, integrating these processes into cybersecurity governance, and ensuring compliance.
The Awareness and Training Best Practice recommends the design of programs that can assess the business needs of a particular organization for cybersecurity, developing and implementing the program with associated cybersecurity awareness products, content and activities, and cycling back to improve upon the program through regular monitoring and effectiveness analysis.
Threat Detection, Monitoring, and Analysis Best Practice is focused on proactive cybersecurity through the definition of an appropriate plan to understand the threat environment for the automotive industry. This includes engaging in threat intelligence and monitoring, as well as threat analysis to keep appraised of threat actors, potential threats, and associated risks that could affect vehicle cybersecurity. These processes should lead to various actions, including input to engineering teams, vulnerability management, incident response, and information sharing.
The Security Development Lifecycle Best Practice provides recommendations on how to securely integrate both hardware and software security features during the product development process, from the design phase, through to development (and including security testing and verification), and beyond at the post-development phase (on the provision of feedback looking back to the design and development phases during operations and maintenance). This final best practice is the only one of the seven that is not yet publicly available.
Notes
The Auto-ISAC Best Practices essentially expand on the Framework for Automotive Cybersecurity Best Practices published in January 2016 by the Alliance of Automobile Manufacturers and the Association of Global Automakers, which provides a short four-pager on the guiding principles for automotive cybersecurity (enshrined in the Auto-ISAC’s seven Best Practice guides).
The Auto-ISAC has aligned these best practices with the U.S. NHTSA’s own cybersecurity guidance, as well as those issued by the NIST (including SP 800-61 Computer Security Incident Handling Guide, SP 800-150: Guide to Cyber Threat Information Sharing, 800-30: Guide for Conducting Risk Assessments, SP 800-50: Building an Information Technology Security Awareness and Training Program; 800-64: Security Considerations in the Systems Development Lifecycle, SP 800-121 Guide to Bluetooth Security, SP-127: Guide to Securing WiMAX Wireless Communications), ISO 17799 on Mobile Phone Security, the ISO 27000 series, and ISO/IEC 30111 on Vulnerability Handling Procedures, as well as SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems.
