
Auto ISAC—What is it and do we need one?

by Chan Lieu on 12-03-2015 at 12:00 pm

An Information Sharing and Analysis Center (ISAC) is essentially a trusted entity established by critical infrastructure owners and operators to share threat data. ISACs first emerged in 1998 when President Clinton issued Presidential Decision Directive 63, which identified the nation’s critical infrastructure that could be attacked either through physical or cyber means.

The disruption of this critical infrastructure, such as banking and finance, the electricity generation and distribution network, drinking water and treatment facilities, would have a profound effect on the nation’s economic well-being. To address these risks, the federal government worked with each industry sector to establish a sector-specific organization to share information about threats and best practices for developing defenses.

Today, ISACs have been established within most of the critical infrastructure sectors and new ISACs continue to emerge as needed. For example, in the retail space where we’ve seen a series of high profile attacks against retailers such as Target and Home Depot, that industry recently established a retail ISAC, called the Retail Cyber Information Sharing Center.

So why do we need an Auto ISAC?

While there are a couple of transportation specific ISACs focused on protecting critical infrastructure, such as roads, bridges, rail, and mass transit, there isn’t an organization that focuses on the vehicles that use the roads and bridges. And frankly, there really wasn’t a need until more recently. Modern day automobiles are complex machines that can contain various embedded systems, interfaces, and networks. Furthermore, autos are increasingly featuring modems and other wireless capabilities. These wireless capabilities can support a host of features including remote tire pressure monitoring, navigation, telematics, and keyless entry and ignition start. The prospects of vehicle autonomy, self-driving capabilities, and Vehicle-to-Vehicle communications also promise tremendous benefits for efficiency, comfort, and driving safety which may be on the near horizon. The continuing trend in vehicle safety is shifting toward more interconnected systems and a reliance on sensors to identify hazards and take appropriate action.

All of these features are great and provide tremendous safety benefits, but these features also create new attack vectors that will undoubtedly increase the risk that these systems can be compromised. And when the many different systems become interconnected, then potentially really bad things can happen. While we have not seen any real world exploits of cyber-vulnerabilities in automobiles in the wild, we do know that with the increasing level of research, testing, and demonstration, it’s certainly possible to remotely take over control of a vehicle and override all driver inputs.

In 2010, researchers from UC San Diego and the University of Washington briefed NHTSA on their research. However, in order to reach out to the auto industry to disseminate their findings, the researchers would have to request meetings with the right people at each of the different auto manufacturers. One can imagine how time consuming and inefficient such a process could be.

Furthermore, those manufacturers who weren’t directly affected may not have been interested to learn about it (i.e. it’s not my problem). Had an Auto ISAC existed then, it would have been the logical and ideal place to present the discoveries. The ISAC could have analyzed the data and ensured that the proper representatives at the different manufacturers were properly informed. This specific use case, along with emerging risks that come with the many benefits of the increasing connectivity, complexity, and reliance on electronics, led NHTSA to encourage the auto industry to consider creating an auto industry specific ISAC.

ISACs have unique capabilities to provide comprehensive threat analysis within the sector and have the ability to reach out to other sectors and to government to share critical information. An Auto ISAC will help the industry share information to identify and analyze threats, vulnerabilities, and incidents specific to motor vehicles and serve as a resource to analyze potential impacts of such concerns to the sector. An Auto ISAC would also provide the industry with access to collective intelligence accumulated across the network of existing ISACs in other industry sectors, as well as potentially intelligence from the US government.

In July 2014, the Alliance of Automobile Manufacturers and the Association of Global Automakers sent a joint letter to NHTSA indicating the industry’s intent to pursue the development of an Auto ISAC. The auto industry then started working on identifying the appropriate elements necessary to establish and maintain an Auto ISAC. Below are the seven major elements they identified.

  • Governance—Board of Directors, Committees, Task Forces, etc.
  • Membership—Eligibility, restrictions, vetting, fee structure, external partners
  • Policy—Operating framework: submission protocols, information dissemination protocols, rules of use, operating requirements
  • Technology and Supporting Infrastructure—Underlying infrastructure technology components, data analytics, communications support
  • Legal—Articles of Incorporation, Bylaws, Charter, Member Agreement, Operating Rules
  • Culture—Development of cultural framework necessary to establish and maintain a secure and trusted environment for sharing cybersecurity related information
  • Budget—Estimation of the start-up and recurring costs for operating an Auto ISAC

Once this foundational work was complete, the auto industry announced in July that they would be launching the Auto ISAC. The Auto ISAC should be up and running in the coming months, and the timing couldn’t be better given the recent news about researchers remotely taking control of a vehicle.

