The Functions influence each other, and many Best Practices have applicability across Functions and vehicle lifecycle phases. Auto-ISAC is developing supplemental Best Practice Guides to provide Members and appropriate industry stakeholders additional information and implementation guidance for each of the seven functional areas: Best Practices Overview 4.
Furthermore, strong governance can help to foster and sustain a culture of cybersecurity. Best Practices do not dictate a particular model of vehicle cybersecurity governance but provide considerations for organizational design to align functional roles and responsibilities. Best Practices for Governance and Accountability include: Define executive oversight for product security.
Functionally align the organization to address vehicle cybersecurity, with defined roles and responsibilities across the organization. Communicate oversight responsibility to all appropriate internal stakeholders. Dedicate appropriate resources to cybersecurity activities across the enterprise.
Establish governance processes to ensure compliance with regulations, internal policies, and external commitments. Best Practices focus on processes for identifying, categorizing, prioritizing, and treating cybersecurity risks that could lead to safety and data security issues. Risk management processes can help automakers identify and protect critical assets, assist in the development of protective measures, and support operational risk decisions.
Risk Assessment and Management Best Practices include: Establish standardized processes to identify, measure, and prioritize sources of cybersecurity risk. Establish a decision process to manage identified risks.
Document a process for reporting and communicating risks to appropriate stakeholders. Monitor and evaluate changes in identified risks as part of a risk assessment feedback loop. Include the supply chain in risk assessments. Establish a process to confirm compliance by critical suppliers to verify security requirements, guidelines, and trainings.
Include a risk assessment in the initial vehicle development stage, and reevaluate at each stage of the vehicle lifecycle. Best Practices for Security by Design include: Consider commensurate security risks early on and at key stages in the design process. Identify and address potential threats and attack targets in the design process. Consider and understand appropriate methods of attack surface reduction. Layer cybersecurity defenses to achieve defense-in-depth.
Identify trust boundaries and protect them using security controls. Include security design reviews in the development process. Emphasize secure connections to, from, and within the vehicle. Limit network interactions and help ensure appropriate separation of environments. Test hardware and software to evaluate product integrity and security as part of component testing. Perform software-level vulnerability testing, including software unit and integration testing.
Test and validate security systems at the vehicle level. Authenticate and validate all software updates, regardless of the update method. Consider data privacy risks and requirements in accordance with the Consumer Privacy Protection Principles for Vehicle Technologies and Services.
Mobile Phone Security, and other established resources. Threat detection processes raise awareness of suspicious activity, enabling proactive remediation and recovery activities. Best Practices for Threat Detection and Protection include: Assess risk and disposition of identified threats and vulnerabilities using a defined process consistent with overall risk management procedures. Inform risk-based decisions with threat monitoring to reduce enterprise risk by understanding and anticipating current and emerging threats.
Identify threats and vulnerabilities through various means, including routine scanning and testing of the highest risk areas. Support anomaly detection for vehicle operations systems, vehicle services, and other connected functions, with considerations for privacy. Outline how the organization manages vulnerability disclosure from external parties. Report threats and vulnerabilities to appropriate third parties based on internal processes.
Vulnerability Handling Procedures, and other established resources. Best Practices include protocols for recovering from cybersecurity incidents in a reliable and expeditious manner, and ways to ensure continuous process improvement. Best Practices for Incident Response and Recovery include: Document the incident response lifecycle, from identification and containment through remediation and recovery. Ensure an incident response team is in place to coordinate an enterprise-wide response to a vehicle cyber incident.
Perform periodic testing and incident simulations to promote incident response team preparation. Identify and validate where in the vehicle an incident originated. Determine actual and potential fleet wide impact of a vehicle cyber incident.
Contain an incident to eliminate or lessen its severity. Promote timely and appropriate action to remediate a vehicle cyber incident. Restore standard vehicle functionality and enterprise operations; address long-term implications of a vehicle cyber incident. Notify appropriate internal and external stakeholders of a vehicle cyber incident.
Improve incident response plans over time based on lessons learned. Training and Awareness Best Practices include: Establish training programs for internal stakeholders across the motor vehicle ecosystem. Include IT, mobile, and vehicle-specific cybersecurity awareness.
Educate employees on security awareness, roles, and responsibilities. Tailor training and awareness programs to roles. Building an Information Technology Security Awareness and Training Program other established cybersecurity training resources.
When faced with cybersecurity challenges, the industry is committed to engaging with third parties, including peer organizations, suppliers, cybersecurity researchers, government agencies, and Auto-ISAC, as appropriate. Review information and data using a standardized classification process before release to third parties. Engage with academic institutions and cybersecurity researchers, who serve as an additional resource on threat identification and mitigation.
Form partnerships and collaborative agreements to enhance vehicle cybersecurity. Each automaker has unique needs and capabilities with respect to cybersecurity.
Therefore, the Best Practices may not be applicable to some organizations or parts of organizations. Accordingly, these Best Practices offer suggested measures. These Best Practices can guide effective risk management at the product level and further enhance the security and resiliency of the automotive industry.
We have completed two Best Practice Guides to date. The purpose of the Guides is to assist automotive industry stakeholders with identifying, prioritizing, treating, and monitoring vehicle cybersecurity risks. The Guides provide forward-looking guidance without being prescriptive or restrictive.
These best practices are: Companies have the autonomy and ability to select and voluntarily adopt practices based on their respective risk landscapes and organizational structures.
These practices are forward-looking and voluntarily implemented over time, as appropriate. Auto-ISAC plans to periodically update this Guide to adapt to the evolving automotive cybersecurity landscape.