Faye Francy is executive director of Auto-ISAC, an industry-operated organization created to enhance cybersecurity awareness and collaboration across the global automotive industry. Their members include light- and heavy-duty vehicle manufacturers, and also extend to suppliers and commercial vehicle manufacturers.
ISAC stands for “Information Sharing and Analysis Center,” and the concept was created by a Presidential Decision Directive in 1998 to share information about security threats, vulnerabilities, and events. There are about 20 ISACs across many industries, but with automobiles being so ubiquitous in our everyday lives, and with the explosion of technology within cars, Auto-ISAC might be the first ISAC most people have heard of.
Faye was a panelist at our Security@ San Francisco event this past October as part of the
Shifting into High Gear session (watch the replay here), but we wanted to learn more about the work Auto-ISAC is doing to make all of our vehicles more secure. Here’s what she had to say.
What is Auto-ISAC and what’s your mission?
Automakers proactively joined together in 2015, and formed a global information sharing community, the Auto-ISAC, to address vehicle cybersecurity risks. It is the industry’s leading voice for cybersecurity, giving members a seat at the table when industry best practices and future federal requirements are shaped.
The focus of Auto-ISAC is to foster collaboration that creates a safe, efficient, secure, and resilient global connected vehicle ecosystem. One company’s detection of a potential attack may mean another company’s prevention of a security breach.
The mission of the Auto-ISAC is to serve the industry as an unbiased information broker in addressing cybersecurity threats. We are a member-driven organization whose objective is to help assure the resilience and continuity of the global automotive industry. We work with private businesses to reduce the risks of cyber acts that might impact the automotive sector. The Auto-ISAC is currently collaborating with key industry leaders in developing Best Practices Guidelines for vehicle cybersecurity.
How is cybersecurity viewed by auto industry executives and boards? Is it a boardroom issue or just an issue for IT and product teams?
As a best practice, cybersecurity is in most, and should be in all, cases a boardroom issue. This is a business risk for any organization.
Vehicle connectivity is transforming the automotive industry. As consumers demand new capabilities and enhanced connectivity, the automotive industry is becoming more vulnerable to an increasingly complex set of cybersecurity challenges. Recent news headlines, coupled with the heightened interest in vehicle cybersecurity from regulators and lawmakers, reinforce the need for an industry-wide approach to vehicle cybersecurity. Automakers collectively took the first step towards addressing the emerging threat landscape with the creation of Auto-ISAC.
Should industrial/manufacturing companies, who traditionally didn’t need to think about security, start to elevate cybersecurity in their organizations?
That is exactly why the automotive industry proactively joined together in 2015 and formed a global information sharing community, the Auto-ISAC, to address vehicle cybersecurity risks.
The elevation of the cybersecurity issue is vital for any industry, including automotive, to thrive and grow. The automobile industry, while facing unprecedented changes, is working to address the challenges that cyber threats present. This is reflected in the industry proactively coming together to build best practices and establishing the Auto-ISAC, in a collaborative manner to address the challenge of cybersecurity.
Cybersecurity is frequently considered a software issue, and while automobiles are typically looked at as hardware, they contain a ton of software. What’s driving the cybersecurity topic in the automotive industry?
Connectivity and autonomy are enabling safer, cleaner, more fuel efficient, and smarter vehicles. This connectivity also introduces cyber risk and protecting drivers from cyber threats is a relatively new challenge for the automotive industry—one that differs from traditional safety, quality, compliance, and reliability challenges.
Auto safety is the industry’s top priority. With cyber, there’s an adaptive adversary, which means you can’t simply engineer out the problems, so automakers are committed to strong cybersecurity protections in the global connected vehicle ecosystem. This includes implementing security features in every stage of the design and manufacturing process, collaborating with public and private research groups to share solutions, and participating in multiple cyber forums on emerging issues.
Individual companies have long supported their efforts to safeguard their customers by engaging with third party security technologists, non-profit organizations, government programs and working groups, universities, and Science Technology Engineering and Mathematics (STEM) initiatives to address the emerging cybersecurity concerns.
Autonomous vehicles get a lot of media coverage, but the reality of auto cybersecurity is probably much more mundane. What are some of the current areas of focus for security in your industry?
In general, the automotive industry is considering privacy/protecting personal data including location data, theft of vehicles, ransomware attacks, and others. In particular, automakers believe that strong consumer data privacy protections are essential to maintaining the trust of our customers, which is why the industry adopted a set of Privacy Principles that reflect a major step in protecting personal information collected in the vehicle.
What do you see as the top trends in 2018 for cybersecurity in general, and within the automotive industry specifically?
For the scope of automotive cybersecurity, I see the trend to be even more collaboration and information sharing. Whereas, tremendous progress has been made over the recent years to get comfortable with information sharing, the industry has also recognized that there needs to be a redoubling of efforts in order to stay ahead of the ever-growing threats in order to detect and mitigate.
What’s one thing you’d like to see happen in 2018 with respect to cybersecurity in general?
We are focused on socializing the value of information sharing and strengthening our collaboration with government, researchers, academia, and other organizations. In addition, we are promoting that our members establish vulnerability disclosure programs as these can be invaluable to organizations to help detect vulnerabilities and potential mitigation techniques. It is a business best practice that improves the overall cybersecurity health of the automotive industry. We, at the Auto-ISAC, encourage security researchers to reach out to share information directly with the affected company or the Auto-ISAC as part of our partnership model.
What initiatives are you most excited about at Auto-ISAC for 2018?
We continue to work to increase collaboration and sharing across the membership. This shall include analyst’s workshops with tabletop exercises and developing our requirements for our secure portal and sharing mechanisms. We are also planning our 2nd annual summit September 25-26 in Detroit. Lastly, we have doubled our intelligence support to membership this year to support more robust sharing and analytics. We continue to work on our Best Practice Guide development and plan on increased engagement across the community.