HackerOne

Q&A with Faye Francy: How Auto-ISAC Puts Security in the Driver’s Seat


Faye Francy is executive director of Auto-ISAC, an industry-operated organization created to enhance cybersecurity awareness and collaboration across the global automotive industry. Its members include light- and heavy-duty vehicle manufacturers, as well as suppliers and commercial vehicle manufacturers.

ISAC stands for “Information Sharing and Analysis Center,” and the concept was created by a Presidential Decision Directive in 1998 to share information about security threats, vulnerabilities, and events. There are about 20 ISACs across many industries, but with automobiles being so ubiquitous in our everyday lives, and with the explosion of technology within cars, Auto-ISAC might be the first ISAC most people have heard of.

Let's hear what Faye had to say about the work Auto-ISAC is doing to make all of our vehicles more secure.

Q: What is Auto-ISAC, and what’s your mission?

Automakers proactively joined together in 2015, and formed a global information-sharing community, the Auto-ISAC, to address vehicle cybersecurity risks. It is the industry’s leading voice for cybersecurity, giving members a seat at the table when industry best practices and future federal requirements are shaped.

The focus of Auto-ISAC is to foster collaboration that creates a safe, efficient, secure, and resilient global connected vehicle ecosystem. One company’s detection of a potential attack may mean another company’s prevention of a security breach.

The mission of the Auto-ISAC is to serve the industry as an unbiased information broker in addressing cybersecurity threats. We are a member-driven organization whose objective is to help assure the resilience and continuity of the global automotive industry. We work with private businesses to reduce the risks of cyber acts that might impact the automotive sector. The Auto-ISAC is currently collaborating with key industry leaders in developing Best Practices Guidelines for vehicle cybersecurity.

Q: How is cybersecurity viewed by auto industry executives and boards? Is it a boardroom issue or just an issue for IT and product teams?

As a best practice, cybersecurity is in most, and should be in all, cases a boardroom issue. This is a business risk for any organization.

Vehicle connectivity is transforming the automotive industry. As consumers demand new capabilities and enhanced connectivity, the automotive industry is becoming more vulnerable to an increasingly complex set of cybersecurity challenges. Recent news headlines, coupled with the heightened interest in vehicle cybersecurity from regulators and lawmakers, reinforce the need for an industry-wide approach to vehicle cybersecurity. Automakers collectively took the first step towards addressing the emerging threat landscape with the creation of Auto-ISAC.

Q: Should industrial/manufacturing companies, who traditionally didn’t need to think about security, start to elevate cybersecurity in their organizations?

That is exactly why the automotive industry proactively joined together in 2015 and formed a global information-sharing community, the Auto-ISAC, to address vehicle cybersecurity risks.

The elevation of the cybersecurity issue is vital for any industry, including automotive, to thrive and grow. The automobile industry, while facing unprecedented changes, is working to address the challenges that cyber threats present. This is reflected in the industry proactively coming together to build best practices and establishing the Auto-ISAC, in a collaborative manner to address the challenge of cybersecurity.

Q: Cybersecurity is frequently considered a software issue, and while automobiles are typically looked at as hardware, they contain a ton of software. What’s driving the cybersecurity topic in the automotive industry?

Connectivity and autonomy enable safer, cleaner, more fuel-efficient, and smarter vehicles. This connectivity also introduces cyber risk, and protecting drivers from cyber threats is a relatively new challenge for the automotive industry — one that differs from traditional safety, quality, compliance, and reliability challenges.

Auto safety is the industry’s top priority. With cyber, there’s an adaptive adversary, which means you can’t simply engineer out the problems, so automakers are committed to strong cybersecurity protections in the global connected vehicle ecosystem. This includes implementing security features in every stage of the design and manufacturing process, collaborating with public and private research groups to share solutions, and participating in multiple cyber forums on emerging issues.

Individual companies have long supported their efforts to safeguard their customers by engaging with third-party security technologists, non-profit organizations, government programs and working groups, universities, and Science, Technology, Engineering, and Mathematics (STEM) initiatives to address the emerging cybersecurity concerns.

Q: Autonomous vehicles get a lot of media coverage, but the reality of auto cybersecurity is probably much more mundane. What are some of the current areas of focus for security in your industry?

In general, the automotive industry is considering privacy/protecting personal data, including location data, vehicle theft, ransomware attacks, and others. In particular, automakers believe that strong consumer data privacy protections are essential to maintaining the trust of our customers, which is why the industry adopted a set of Privacy Principles that reflect a major step in protecting personal information collected in the vehicle.

Q: What do you see as the top trends for cybersecurity within the automotive industry?

For the scope of automotive cybersecurity, I see the trend to be even more collaboration and information-sharing. While tremendous progress has been made over recent years to get comfortable with information sharing, the industry has also recognized that there needs to be a redoubling of efforts in order to stay ahead of, detect, and mitigate the ever-growing threats.

Q: What’s one thing you’d like to see happen with respect to cybersecurity in general?

We are focused on socializing the value of information-sharing and strengthening our collaboration with government, researchers, academia, and other organizations. In addition, we are promoting that our members establish vulnerability disclosure programs, as these can be invaluable to organizations to help detect vulnerabilities and potential mitigation techniques. It is a business best practice that improves the overall cybersecurity health of the automotive industry. We encourage security researchers to reach out to share information directly with the affected company or the Auto-ISAC as part of our partnership model.

Q: What initiatives are you most excited about at Auto-ISAC?

We continue to work to increase collaboration and sharing across the membership. This includes analyst workshops with tabletop exercises and developing our requirements for our secure portal and sharing mechanisms. We have also doubled our intelligence support to membership this year to support more robust sharing and analytics. We continue to work on our Best Practice Guide development and plan on increased engagement across the community.
