Auto ISAC—What is it and do we need one?

An Information Sharing and Analysis Center (ISAC) is essentially a trusted entity established by critical infrastructure owners and operators to share threat data. ISACs first emerged in 1998 when President Clinton issued Presidential Decision Directive 63, which identified the nation’s critical infrastructure that could be attacked either through physical or cyber means.

The disruption of this critical infrastructure, such as banking and finance, the electricity generation and distribution network, drinking water and treatment facilities, would have a profound effect on the nation’s economic well-being. To address these risks, the federal government worked with each industry sector to establish a sector-specific organization to share information about threats and best practices for developing defenses.

Today, ISACs have been established within most of the critical infrastructure sectors and new ISACs continue to emerge as needed. For example, in the retail space where we’ve seen a series of high profile attacks against retailers such as Target and Home Depot, that industry recently established a retail ISAC, called the Retail Cyber Information Sharing Center.

So why do we need an Auto ISAC?

While there are a couple of transportation specific ISACs focused on protecting critical infrastructure, such as roads, bridges, rail, and mass transit, there isn’t an organization that focuses on the vehicles that use the roads and bridges. And frankly, there really wasn’t a need until more recently. Modern day automobiles are complex machines that can contain various embedded systems, interfaces, and networks. Furthermore, autos are increasingly featuring modems and other wireless capabilities. These wireless capabilities can support a host of features including remote tire pressure monitoring, navigation, telematics, and keyless entry and ignition start. The prospects of vehicle autonomy, self-driving capabilities, and Vehicle-to-Vehicle communications also promise tremendous benefits for efficiency, comfort, and driving safety which may be on the near horizon. The continuing trend in vehicle safety is shifting toward more interconnected systems and a reliance on sensors to identify hazards and take appropriate action.

All of these features are great and provide tremendous safety benefits, but these features also create new attack vectors that will undoubtedly increase the risk that these systems can be compromised. And when the many different systems become interconnected, then potentially really bad things can happen. While we have not seen any real world exploits of cyber-vulnerabilities in automobiles in the wild, we do know that with the increasing level of research, testing, and demonstration, it’s certainly possible to remotely take over control of a vehicle and override all driver inputs.

In 2010, researchers from UC San Diego and the University of Washington briefed NHTSA on their research. However, in order to reach out to the auto industry to disseminate their findings, the researchers would have to request meetings with the right people at each of the different auto manufacturers. One can imagine how time consuming and inefficient such a process could be.

Furthermore, those manufacturers who weren’t directly affected may not have been interested to learn about it (i.e. it’s not my problem). Had an Auto ISAC existed then, it would have been the logical and ideal place to present the discoveries. The ISAC could have analyzed the data and ensured that the proper representatives at the different manufacturers were properly informed. This specific use case, along with emerging risks that come with the many benefits of the increasing connectivity, complexity, and reliance on electronics, led NHTSA to encourage the auto industry to consider creating an auto industry specific ISAC.

ISACs have unique capabilities to provide comprehensive threat analysis within the sector and have the ability to reach out to other sectors and with government to share critical information. An Auto ISAC will help the industry share information to identify and analyze threats, vulnerabilities, and incidents specific to motor vehicles and serve as a resource to analyze potential impacts of such concerns to the sector. An Auto ISAC would also provide the industry with access to collective intelligence accumulated across the network of existing ISACs in other industry sectors, as well as potentially intelligence from the US government.

In July 2014, the Alliance of Automobile Manufacturers and the Association of Global Automakers sent a joint letter to NHTSA indicating that the industry’s intent to pursue the development of an Auto ISAC. The auto industry the started working on identifying the appropriate elements necessary to establish and maintain an Auto ISAC. Below are the seven major elements they identified.

[LIST=1]