Auto-ISAC, the automotive industry’s threat information sharing group industry, released its best practices for cybersecurity in automobiles.
The guidelines address a number of security issues that have frequently been brought up by researchers, including vulnerability disclosure and supply chain management.
Automotive security became a legislative focus last year, when a video demonstrating researchers Charlie Miller and Chris Valasek remotely hacking Jeep Cherokee as driven went viral.
“We’ve been fortunate not to be the subject of a major real-world attack,” said Tom Stricker, the chairman of the ISAC board.
An executive summary of the best practices debuted on the Auto-ISAC (Information Sharing and Analysis Center) website on Thursday. It was a topic discussed on Friday at the industry’s Billington Automotive Cybersecurity Summit in Detroit.
The best practices include welcoming third party involvement. Companies are told to “outline how the organization manages vulnerability disclosure from external parties,” to make it easier for researchers like Miller and Valasek to report vulnerabilities.
They also include calls to make the software supply chains more transparent.
Like many automotive components, automotive device software is often developed elsewhere, often time using third-party coding libraries. When security vulnerabilities are found far up the supply chain, it is impossible to figure out exactly what devices are affected without some form of transparency.
One thing not in the guidelines is firm advice on how updates should be delivered. Right now, the industry is split between “over-the-air” updates, which download themselves onto automobiles, and updates that require a trip to the dealership.
Cybersecurity advocates back over-the-air updates, because they boost compliance with updating the cars. Some auto manufacturers prefer the dealership model because it limits the amounts of things that can go wrong during updates.
Nonetheless, the executive summary is receiving positive reviews from legislators and hacking experts.
“If manufacturers and designers can truly adhere to these best practices, it will go a long way to protecting American families from automotive cyberthreats,” said Rep. Ted Lieu (D-Cali) in a press release congratulating Auto-ISAC on the release.
Lieu introduced automotive cybersecurity legislation in November with Rep. Joe WilsonAddison (Joe) Graves WilsonOvernight Defense & National Security — Presented by Raytheon Technologies — Biden backtracks on Taiwan GOP lawmakers worry vaccine mandate will impact defense supply chain Pandora Papers prompt lawmakers to push for crackdown on financial 'enablers' MORE (R-S.C.).
Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council and representative of I Am The Cavalry, a group that advocates for greater security in the internet of things devices, was also impressed by the best practices.
“It looks like a great first start,” he said. “It goes farther than other major industries.
A FAQ which accompanies the guidelines says the rules were “written specifically for U.S. light duty, on-road vehicles, but are applicable to the broader international automotive market.
--Update 11:34 a.m.