Cyber security: an attack on one is an attack on all

From suppliers to light vehicle OEMs and truck manufacturers, pooling information on cyber threats can benefit everybody.

By Megan Lampinen

When it comes to tackling cyber threats, it has to be a group effort. That’s the theory behind the Automotive Information Sharing Analysis Centre (Auto-ISAC), which is ramping up activities and expanding its membership.

The consortium, dedicated to sharing information on automotive industry cyber threats and vulnerabilities, is based in a Booz Allen Hamilton facility in Washington DC. “We at Booz Allen have been doing all the strategy work, positioning many of the chess pieces on the board for our clients these past few years. Now it is time to operationalise,” commented Jonathan Allen, head of Booz Allen’s commercial transportation practice.

Allen previously served as interim Executive Director at Auto-ISAC but handed over the reins to Faye Francy last year. Before this appointment Francy served as the Executive Director of the Aviation-ISAC and previously led the Boeing Commercial Airplanes (BCA) Cyber ONE engineering team. While she doesn’t come from an automotive background, her cyber experience will prove valuable. “She has experience in running an ISAC, which is very important, and in trying to develop a culture of trust in an environment that is very competitive. Having organisations talk about vulnerabilities is a big challenge,” said Allen. “She also has the cyber pedigree and was part of Boeing’s R&D cyber programmes. Some of the challenges that you see in aviation are very similar to what is going on in automotive.”

A holistic approach

When it comes to tackling cyber threats, pooling resources and information is pivotal. “An attack on one is an attack on all,” Allen told Automotive World. “Information sharing today is even more important because there are very similar vulnerabilities across vehicles, whether they are in the software library or the hardware.”

The situation is exacerbated when OEMs share Tier 1 suppliers, as they frequently do. “If you find a vulnerability from a supplier that is on a vehicle, chances are it could impact other brands as well. As we identify a vulnerability, all manufacturers need to respond to it through their incident response programmes,” he explained. For some companies, this could constitute a quick response to verify they do not have that specific version of a component on their vehicle, and thus do not have to take action.

At that point they could still consider the attack vector taken by the adversary, which could be exploited in another way through a different supplier. “This whole idea of information sharing has enabled the industry to take a holistic look at it,” he added.

Jonathan Allen, Principal, Booz Allen Hamilton

The responsibility for cyber protection is not limited to the OEMs any more. “We are starting to see specific security-by-design or testing requirements for suppliers coming from the vehicle manufacturers,” noted Allen. “Before, they would demand that suppliers just provide a certain capability but now they are taking it a step further to include testing and remediation. If you find a vulnerability, you also have to remedy it.” This is not always easy for the suppliers, which he concedes are “being squeezed.”

Heavy-duty concerns

About a year ago, ISAC began inviting suppliers to join. The next step is the heavy vehicle manufacturers, which are now being included as well. Details on the CV members that are joining have not yet been released but should come out in the near future. It is this segment that could emerge at the vanguard in the race towards autonomy. “Some of the heavy trucking industry works in a more closed environment, such as construction sites or in farming, and they are moving out quicker in the autonomous world. At the same time there are lessons we can learn from heavy trucking that impact light duty vehicles,” insisted Allen.

The links between the two segments are not always direct, but there are still opportunities to learn from each other. Data is one such example. “Fleets do not necessarily anonymise the data coming off a vehicle, because they want to know about that individual driver in the fleet,” he pointed out. “The data in light vehicles is anonymised much more because drivers do not always want a large OEM to know their driving patterns. It is a different challenge in the privacy side, but some of the things they are doing are very well connected between the two. Every day I see another connection I never realised before.”

Defence roots

For Booz Allen, its work on cyber security benefits from strong roots in the defence industry. “We are primarily involved in defence intelligence, and 98% of our business is in the government space. I can tap into that talent,” he commented. “We have some very skilled cyber technical people who have primarily worked on the government side for years. They understand how the adversary operates in these networks.”

This year, the focus for Allen and his team will be acting as a third party tester for the vehicle manufacturers. “We are looking to help our clients to evaluate the vehicles that are coming out, to validate and help them understand the vulnerabilities of the vehicles,” he elaborated. “It was good luck and timing that we started this effort three and a half years ago, and now we are in the middle of it all. It is going to be a very crowded market in about five years, and we are lucky to be in there right now.”

Jonathan Allen will be speaking at the upcoming Connected Car Detroit event on 14 March. To register for this event, please go to https://automotivemegatrends.com/connected-car-detroit/

 
