“We’ve seen a sense of urgency, and the players – in a break with past industry tradition – are willing to share knowledge and best practices,” said David Barzilai, cofounder of Karamba Security, a company that makes security programs to protect automotive software.
There are at least some political leaders who believe it will take a push from government to get automakers to address their vulnerabilities, much like it took legislation to require safety features like seat belts and airbags.
U.S. Sen. Ed Markey (D-Mass), who released a report in February 2015 titled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” also filed legislation last year, called the "SPY Car Act of 2015," that would direct the National Highway Traffic Safety Administration (NHTSA) to issue rules requiring “reasonable” protections for the physical security and privacy of those in connected cars. The report noted that “today’s cars and light trucks contain more than 50 separate electronic control units (ECU) that collect driver information and are also vulnerable to attack.”
But that bill never went beyond a referral to committee. Markey’s staff did not respond to questions on the status of the bill.
The Automotive Information Sharing and Analysis Center’s (Auto-ISAC) “Best Practices” guide, according to the group, expands on the Framework for Automotive Cybersecurity Best Practices published in January 2016 by the Alliance of Automobile Manufacturers and the Association of Global Automakers.
The group says it “emphasizes risk management, including the identification of risks and implementation of reasonable risk-reduction measures.”
However, “Best Practices do not form an assessment or compliance framework, and do not mandate prescriptive requirements. Each automaker will determine if and/or how to apply the Best Practices internally,” the group said.
The Best Practices cover seven Functions, among them:
- Security by design
- Risk assessment and management
- Threat detection and protection
- Incident response
- Collaboration and engagement with appropriate third parties, including industry bodies such as Auto-ISAC itself, the Auto Alliance, governmental entities like the National Highway Traffic Safety Administration, NIST, Department of Homeland Security and FBI.
- Awareness and training
And experts generally argue that legislation would not be as effective as various private sector pressures. One of the most obvious problems is the difficulty with defining "reasonable."
Barzilai said automakers are already under major pressure to improve the software security of their products for two reasons: “To avoid brand damage that may harm sales of their current models, and to make sure cyber security is an enabler for autonomous cars.”
Autonomous cars and ride-sharing, “are seen as the industry’s two main growth engines in the coming years,” he said, adding that if there are significant and successful hacks of vehicles, “growth and sales expectations will be negatively affected.”