A year ago, a duo of hackers gave a reporter what had to be one of the wildest rides of his life when they managed to kill the engine of his Jeep while he was driving it. Anyone who drives a late-model car had to be concerned about the security of their connected vehicle after reading that report.
Now, the Automotive Information Sharing and Analysis Center (ISAC) and others in the automotive industry are stepping up to do something about it.
For starters, the Auto-ISAC — the industry’s point organization for developing information security policies — has published a paper that aims to provide automakers with guidelines to develop secure network connections and software for their automobiles.
The Auto-ISAC best practices guide was released last week and covers organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training and collaboration with appropriate third parties.
According to the Auto-ISAC, automakers approach their electrical architectures, connected services and development and engineering efforts differently. The ISAC hopes that best practices guidance can be applied as automakers need it and will be updated over time.
A couple of weeks prior to this, the European Union Agency for Network and Information Security (ENISA) went public with a goal to study potential security controls that could make smart cars safer. The agency is currently in dialogue with those in the automotive supply chain.
“The objective of this project is to establish a comprehensive list of cyber security policies, tools, standards, measures and provide recommendations to enhance the level of security of smart cars. The study focuses on the assets inside the cars as well as on data exchanges related to safety,” ENISA said.
Also in July, automaker Fiat Chrysler announced a “bug bounty” program. A bug bounty program, simply put, is a program that pays external security researchers for discovering and reporting flaws. Fiat Chrysler will pay bounties of up to $1,500 for exploitable software vulnerabilities. “It’s a very big move,” Casey Ellis, the CEO of Bugcrowd, told Wired. “This is basically creating normalcy around the dialogue between hackers and vehicle manufacturers for the purposes of making vehicles safer,” he said.
The auto industry aims to make autos more secure as they grow more connected, and that’s certainly a good thing. I can’t help but think that the software industry has been trying to achieve a higher level of security when it comes to enterprise apps, and by most objective measures has fallen short.
Let’s hope the auto industry has learned a few things and does manage to steer toward a better, safer future with secure software and device development. With this move toward establishing best practices, seeking industry support in those efforts and embracing bug bounties, I’d say it’s off to a better start.