Data Security Best Practices for the Automotive Industry
Flying cars may not be ubiquitous — like we once assumed they would be by now. Even fully autonomous vehicles haven’t become a reality yet. Nonetheless, the automotive industry is making exciting advancements.
Vehicles are becoming smarter and more connected. Driving systems increasingly use sensors to detect the car's environment, enabling more self-driving, efficiency, and safety features.
There are now cars that offer augmented reality technology, using computers to give drivers supplementary real-time information about speed, direction, and surroundings. Others include heads-up display windshield technology, which projects information from the vehicle dashboard as images on the windshield. Many feature advanced programs that adjust fuel, altitude, and temperature, helping to reduce emissions while generating more horsepower. The list goes on.
One of the byproducts of most of these advancements, however, is the production of a massive amount of data. That data needs to be stored somewhere, and, importantly, it must remain secure at all times. As a result, there’s an increasing need for data security and data storage best practices and solutions for the automotive industry. (This blog focuses on data security. Watch for a future blog on data storage.)
Automotive Cybersecurity Best Practices
A number of organizations have developed cybersecurity frameworks and best practice guides to help companies throughout the automotive industry ensure greater data security. Among them: the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) with its SAE 21434, and the Automotive Information Sharing and Analysis Center (Auto-ISAC) with its Best Practices Guide.
These organizations are committed to helping companies across the broad automotive industry strengthen their organizational and vehicular cybersecurity practices and implement product cybersecurity best practices and voluntary standards.
What the Auto-ISAC Best Practices Say
The best practices espoused in the Auto-ISAC Best Practices Guide provide a good place to start for companies in the automotive industry that seek to strengthen their security postures. The recommendations focus on:
- Incident Response
- Collaboration and Engagement with Appropriate Third Parties
- Risk Assessment and Management
- Awareness and Training
- Threat Detection, Monitoring and Analysis
- Security Development Lifecycle
A brief overview of each of the best practices follows. You can find the complete list here.
Incident Response Plan (IRP)
An IRP documents processes for responding to cybersecurity incidents that can affect the vehicle ecosystem. It covers protocols for recovering from cybersecurity incidents in a reliable and expeditious manner and ways to ensure continuous process improvement. Best practices include:
- Helping to ensure the organization is able to respond efficiently and effectively by measures such as documenting a plan and call tree, establishing roles and responsibilities, testing the plans, and training.
- Finding incidents quickly to mitigate potential impact, with steps such as identifying, validating, classifying, and prioritizing potential incidents.
- Activating a team to rapidly contain, mitigate, remediate, and recover from the risk. This may include executing technical response activities, managing business risk through complementary corporate responses from communications, legal, regulatory, and other departments, and coordinating efforts across workstreams.
- Closing incidents, which may include the use of debriefs to assess the effectiveness of response procedures to determine necessary procedure or policy changes; evaluation, implementation, and monitoring of any longer-term remediation actions; and updates of the plan.
Collaboration and Engagement
Auto-ISAC’s best practices also emphasize information sharing, events, and programs as a way for the automotive industry to engage with partners, government entities, academia, the media, and others to combat cybersecurity threats as appropriate.
- Information sharing entails participating in efforts to share threat intelligence, vulnerability research, and best practices.
- Events refer to participating in a variety of event types, designing events to engage third parties, or participating in externally-led events.
- Programs encompass efforts such as identifying and participating in a variety of program types, designing programs to engage third parties, or participating in externally-led programs.
Governance
Auto-ISAC’s best practices for governance revolve around three key elements: design, build, and operate. This may include the following tasks:
- Define and communicate the program’s scope
- Articulate the mission and vision
- Identify key functions
- Organize within the program—activate the leadership, set clear decision authorities and create a staffing model
- Engage across the business—integrate with partners across the organization, and define and execute against expectations for leadership-level communications
- Develop policies and processes
- Manage performance through metrics
- Maintain a consistent and transparent process for resource allocation
Risk Assessment and Management
These best practices focus on processes for identifying, categorizing, prioritizing, and treating cybersecurity risks that could lead to safety and data security issues. They include:
- Defining the overall scope and requirements associated with implementing a cyber risk assessment methodology.
- Integrating various types of security assessments into appropriate phases of a vehicle or product’s lifecycle to ensure appropriate coverage.
- Documenting roles and responsibilities to help stakeholders understand expectations for their roles, tasks, and timing.
- Determining the appropriate cadence for risk assessments throughout the risk lifecycle, as the risk scores may periodically change.
- Formalizing a risk tolerance profile to inform decision-making; risk tolerance may vary by lifecycle phase, and is typically determined by evaluating risk acceptance criteria.
- Defining consistent methods to evaluate risk assessment results and determine risk treatment plans.
- Consistently communicating risk to leadership and stakeholders, ideally using non-technical terminology to help them compare vehicle cybersecurity risks to other more traditional enterprise risks.
- Integrating risk management processes and standards into the governance of business operations, and monitoring and enforcing compliance.
Awareness and Training
These best practices emphasize training and awareness programs throughout an organization to strengthen stakeholders’ understanding of cybersecurity risks. This capability typically comprises four fundamental activities:
- Designing awareness and training programs by assessing the needs of the business, scoping the program, and developing a strategy and plan.
- Developing the program by acquiring or developing awareness content and products, acquiring or developing training curricula, and fostering a culture of learning.
- Implementing the program by communicating the strategy plan, conducting training activities, and distributing products.
- Improving the program on a regular basis by monitoring, reporting, analyzing effectiveness, and identifying improvement opportunities.
Threat Detection, Monitoring and Analysis
Best practices in this area may include:
- Defining a threat detection and analysis process by understanding the automotive threat environment, developing a threat team structure and operating model, and defining stakeholder roles and responsibilities.
- Defining threat intelligence requirements that will help identify sources and the collection process.
- Establishing a threat monitoring process by defining priorities and identifying various techniques and approaches.
- Defining a threat analysis methodology that includes threat event identification, validation and verification, and necessary action to take.
- Establishing a process and developing or acquiring the right toolset to organize, store and share information for maximum effectiveness.
Security Development Lifecycle
Secure vehicle design involves the integration of hardware and software cybersecurity features during the product development process. Best practices in this area may include:
- Pre-Development: Considering existing system architectures that constrain future design decisions, identifying lessons learned from previous design cycles to incorporate, and defining types of cyber risks that are acceptable and unacceptable for the final product.
- Design and Development: Developing a comprehensive superset of all required cybersecurity specifications that can be tailored to a component based upon its features during initial requirements design; using a system architecture that can help mitigate identified threats and risks; and embracing cybersecurity principles.
- Post-Development: Monitoring vehicle cybersecurity issues that emerge post-development, during vehicle operations and maintenance, to provide a feedback loop for the requirements and design phases of the automotive SDL process to aid in continuous improvements in security.
How US Signal Can Help
US Signal can work with your organization to assess how your current IT security is helping (or not helping) to implement industry cybersecurity best practices. From there, recommendations can be provided for IT infrastructure and managed security solutions that can bolster your company’s overall IT security – and specifically combat cyber threats.