While there are unique aspects of automotive cybersecurity, cybersecurity is not unique to the automotive industry. To help deepen our shared knowledge of cybersecurity technologies and best practices, automakers engage with the cybersecurity community, including, government, private-sector firms, standards organizations, academia, research and testing facilities, cyber challenges, and more.
As motor vehicles become increasingly connected and interconnected to the broader transportation ecosystem, the auto industry is focused on developing security solutions across the entire vehicle lifecycle - from the first stages of design and production to long after the vehicle is sold.
As cars and other forms of transportation increasingly rely on sophisticated hardware and software, digital architectures and connectivity to help with everything from safety to navigation, cybersecurity is among the industry’s top priorities. This is a constantly evolving field and the auto industry is working continuously to adapt, evolve and enhance vehicle security features in accordance with best practices.
One of the first initiatives of the Automotive Information Sharing and Analysis Center (Auto-ISAC) following its launch in 2015 was to bring together the best minds in automotive cybersecurity to develop Best Practices for this sector.
The Automotive Cybersecurity Best Practices cover organizational and technical aspects of vehicle cybersecurity in the seven function areas below. Find out more about best practices here.
Auto-ISAC Collaboration starts with the auto sector. In 2015, automakers worked with government stakeholders to proactively launch the Automotive Information Sharing and Analysis Center (Auto-ISAC). Comprised of global automakers, suppliers, and commercial vehicles, the Auto-ISAC provides a forum to share information, as well as partner with vendors, associations, researchers, government and academia to build relationships beyond the membership. This broad reach and stakeholder community contributed to the development of the industry Best Practices and provides a diverse set of partners to drive continuous improvement across the sector. Through the National Council of ISACs, the Auto-ISAC coordinates with many of the other 20 ISACs for sectors like surface transportation, communications and information technology.
Government Automakers work closely with the Department of Homeland Security (DHS) through the Cybersecurity and Infrastructure Security Agency (CISA) to help the industry identify current risks while working collaboratively to develop the tools and capabilities necessary to secure future technologies. Within the Department of Transportation, automakers coordinate with the National Highway Traffic Safety Administration (NHTSA), charged with automotive safety including cybersecurity. In DOT’s Intelligent Transportation Systems Office, automakers are working on cybersecurity and connected vehicles. The auto industry also works with partners at the Department of Commerce, including the National Institute of Standards and Technology (NIST) on a cybersecurity framework, as well as the National Telecommunications and Information Administration (NTIA) on their Multi-stakeholder Collaboration engagements. For example, automakers work with NTIA on Vulnerability Research Disclosure, which aims to improve coordination between industry cybersecurity stakeholders and the valuable work being done by security researchers.
Standards Organizations Experts at the world’s largest automotive standards bodies – the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) – have joined forces to develop a unified international standard for automotive cybersecurity. This first of its kind, joint- international standard will provide all global automotive stakeholders a baseline of risk management and security practices to management vehicle security from concept to decommissioning. This important effort builds on prior work by both organizations. For example, SAE developed the Cybersecurity Guidebook for Cyber-Physical Vehicle Systems and formed a Vehicle Electrical System Security Committee to help ensure electronic control system safety. SAE also updated the OBD standard to harden vehicles against potentially compromised external devices or connections to the OBD II connector.
Public-Private Partnerships Through the Automotive Cybersecurity Industry Consortium (ACIC), automakers work with the DHS Science and Technology Directorate –which monitors threats and develops solutions — and DOT's Volpe National Transportation Systems Center, on cooperative pre-competitive research to improve the cybersecurity in automobiles.
Private-sector Firms. While automakers individually work with companies providing cybersecurity products and services, the industry's Auto-ISAC partners with leading solutions provider companies like HackerOne, Red Balloon Security and Karamba Security.
Academia. Automakers also work closely with academic institutions across the country to leverage their research and capabilities, as well as encourage future generations to pursue careers in cybersecurity.
Testing Facilities. The University of Michigan's Mcity Test Facility in Ann Arbor, MI is the first purpose-built proving ground for testing connected and automated vehicles and technologies in simulated driving environments. Cybersecurity is one focus of the many automakers and suppliers who are partners in Mcity.
Cyber Challenges. Automaker engage in hackathons such as the annual SAE CyberAuto Challenge, as well as other cybersecurity events such as the DEF CON and Black Hat Conferences.