Auto-ISAC is not alone in its efforts to address potential cybersecurity risks posed by connected vehicles. As we have previously discussed, in 2015 legislators introduced the SPY Car Act, which requires automakers to meet certain vehicle data security standards to combat potential hacking threats. The U.S. Department of Transportation (DOT) notes that it has been researching and testing vehicle communications for over a decade. In addition, through the Intelligent Transportation Systems Joint Program Office, the DOT has worked to fund almost $25 million in cybersecurity research between 2012 and 2014. The National Highway Traffic Safety Administration (NHTSA) also published information relating to its comprehensive approach to vehicle cybersecurity.

The Best Practices continue these efforts by promoting a self-regulation framework within the industry for vehicle cybersecurity. The Best Practices outlined by Auto-ISAC include:

  • Governance: Organizations should consider appropriate oversight and processes to ensure accountability, compliance with regulations, internal policies and external commitments.
  • Risk Assessment and Management: Organizations should focus on processes for identifying, categorizing, prioritizing and treating cybersecurity risks that could lead to safety and data security issues.
  • Security by Design: Incorporating standards from the National Institute of Standards and Technology (NIST) and other established practices, organizations should integrate hardware and software cybersecurity features during the product development process for vehicles.
  • Threat Detection and Protection: By proactively anticipating threats, vulnerabilities and incidents, organizations can raise awareness for remediation and recovery.
  • Incident Response: If a cybersecurity incident does occur, organizations should have established processes, including an incident response plan, in place to identify the incident and ensure a timely response and recovery.
  • Training and Awareness: Organizations should seek to establish a culture of security and enforce vehicle cybersecurity responsibilities.
  • Collaboration and Engagement With Appropriate Third Parties: Organizations are encouraged to engage with third parties, including peer organizations, suppliers, cybersecurity researchers, government agencies and the Auto-ISAC, to collaborate on cybersecurity challenges.

Member organizations of the Auto-ISAC vary widely in size and current cybersecurity sophistication. Thus, the Best Practices are meant to be a set of industry guidelines for emerging cybersecurity concerns, which specific member organizations can adopt as applicable. While the Best Practices do not replace any current government regulations governing data security, they represent a comprehensive effort to address specific potential risks and vulnerabilities posed by increasingly connected vehicles.
