Shifting into High Gear: How Automakers are Approaching Cybersecurity
Cars these days are more than just a mechanical collection of metals and gears. Sure, autonomous vehicles are the buzz, but even the humble hatchbacks and family minivans are jammed with advanced infotainment systems, always-on connectivity, and telematics systems, not to mention Bluetooth connections, USB ports, and much more.
There are plenty of potential security gaps across modern vehicles, but manufacturers aren’t turning away from the risks. Instead, the automotive industry is fast becoming a model for how a traditional industry can quickly shift to understand and advance their security posture.
To learn more, we had Faye Francy, Executive Director of Auto-ISAC, and Kevin Tierney, Director of Vehicle Cybersecurity at General Motors, speak at our Security@ conference in a panel moderated by Gizmodo senior reporter, Kate Conger. The panel covered everything from sharing security information across a highly-competitive industry to changing corporate cultures to the right of tinkerers to hack their own vehicles.
Faye began by explaining the concept behind Auto-ISAC, which stands for Automotive Information Sharing and Analysis Center. “It’s a model based around public-private sharing of information,” Faye explained. “Fourteen OEMs came together and decided it was really important...to share threats and vulnerabilities.”
For General Motors specifically, Kevin explained they recognized a few years ago that all of the latest technologies were also potential attack paths. What’s more, the attack surface in vehicles is only expanding, and both Auto-ISAC and the individual OEMs, like GM, are working hard to identify and address threats before they can be exploited.
“We want the newest whizbang features in the cars and customers are demanding that as well,” Kevin said. “It goes back to making sure you have a risk-based approach and that you’re looking at security from the start, everything from putting it into your process to having contracts with your suppliers so that they are working security into their products.”
Kate asked about vulnerability disclosure policies (VDP) and the cultural changes needed to implement VDPs at a company like GM. Kevin explained that it was important to be ready, have a plan to staff it (or leverage expert triage services) to ensure they were ready to review and respond to incoming reports, and that IT and the product teams were ready to react.
“We ultimately decided on HackerOne because it’s a great platform and the community already existed,” Kevin said. “We launched and have had a public program for almost two years and it’s been a great learning experience. It’s taken us to the next level.”
Watch the full “Shifting into High Gear” session to learn more about how the automotive industry is elevating cybersecurity to the boardroom and recognizing the need to get ahead of their security threats.