Automobile Industry Gears Up For Cyber-Threat

Uploaded on 2015-07-27 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

car-hack.jpg

A year in the making, the automobile industry's new intelligence sharing and analysis center (ISAC) is now official and revving up to begin disseminating and exchanging cyber threat information later this year.

Heightened concerns over the safety of a rapidly emerging generation of networked vehicles initially led the Alliance of Automobile Manufacturers and the Association of Global Automakers to first begin mulling an ISAC in July of 2014, when they announced plans to address security weaknesses and vulnerabilities in vehicle automation and networking features that could put cars at risk of being hacked for sabotage or other purposes.
More than 60% of all new vehicles by 2016 are expected to be connected to the Internet, so the official launch of an automobile ISAC comes at a crucial time. Meanwhile, security researchers have been hacking away at networked cars to find bugs before the bad guys do, as the auto industry has remained relatively mum publicly on the topic of cybersecurity threats to their vehicles.
Officials from the Alliance of Automobile Manufacturers -- of which 12 major carmakers, such as BMW Group, Fiat Chrysler, Ford, General Motors, Mazda, and Toyota are members -- and the Association of Global Automakers -- which includes Honda, Nissan, Subaru, and others -- Booz Allen Hamilton, and SAE International, today announced that the auto industry's ISAC is now officially close to going live. Word of the ISAC came in conjunction with the 2015 SAE Battelle Cyber Auto Challenge in Detroit, where students work with automakers and government agencies on secure system design via hands-on cybersecurity activities.
Rob Strassburger, vice president of vehicle safety and harmonization for the Alliance of Automobile Manufacturers, said the ISAC will provide a central hub for cyber threat information and analysis, as well as vulnerabilities found in vehicles and their associated networks. "Automakers around the world will receive this information from the ISAC," he said.
The ISAC initially will not include suppliers from the auto industry, but it will extend to them as well as telecommunications and other technology providers as the ISAC matures, he said.
Meanwhile, the auto industry has been working on other cybersecurity initiatives aimed at locking down vehicle security and safety, according to Paul Scullion, safety manager with Association of Global Automakers. "An ISAC will bring insights on the threat landscape. Sharing of threats is just one piece," he said. Carmakers also are conducting research and development in "secure by design" features and functions, he said.
Several industry efforts also are underway, he noted: hackathons, a cybersecurity task force, and research with the National Institute of Standards and Technology (NIST), among other efforts, Scullion said. "OEMs are engaged with third-party security vendors and academia" to develop vehicle-specific technologies, he said.
Among the security technologies on the horizon for vehicles: enhanced network firewalls, software monitoring, and the ability to deny malicious traffic from bad guys to the car. "Privacy is another issue automakers are taking steps to address," Scullion said.
So just what type of intel would automakers share via the ISAC? Vulnerabilities and threats hitting them, for example, which of course likely will get anonymized. "Threat data could be nation-state, it could be a code vulnerability," said Jon Allen, principal for commercial solutions at Booz Allen Hamilton, the contractor who helped the auto industry set up the ISAC.
[Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering. Read Hacking Virginia State Trooper Cruisers.]
Interestingly, the organizers of the ISAC have not contacted renowned car hacking researchers Charlie Miller and Chris Valasek for their input, according to Miller. Miller says he's glad to see the automotive industry addressing security issues, but it's difficult to tell just what progress they have made.
"I think they'll see at Black Hat/DEF CON this year that security researchers still have a lot to give of information to provide manufacturers," Miller says. "I'd really like to see more transparency about how automotive systems are designed to resist attack as well as how they detect and react to attacks. Right now it is possible, although I think unlikely, that manufacturers are doing a great job in this area in securing vehicles, but at this point there is no way for anyone outside of the industry to tell.  
"In my personal experience, it seems the auto industry has a ways to go in making automotive systems secure, resilient, and reactive to attacks," Miller says.
The challenge for automakers with their new ISAC will be both the trust factor among fierce competitors--true for nearly all ISACs when they first get up and running--and the fact that a vulnerability or threat may only affect a very specific make, model and year of a vehicle. Even so, the auto industry OEM ecosystem is such that most automakers use a lot of the same suppliers, so if the OEM products have bugs, so will many of the cars.
"Currently, every OEM has its own unique architecture and that will probably continue going forward. But with greater interconnection, that means by definition some greater commonality in features and functions on these networks," Strassburger said. "We're acting now to collect and share this [threat] information" and make it actionable, he said.
The chair of the Industrial Control Systems ISAC (ICS-ISAC), Chris Blask, says the "elephant in the room" for all information-sharing groups and ISACs today is the need for accepted standards in processes and policy for Intel-sharing. "There are massive gaps" in that piece of the puzzle for full Intel-sharing, Blask says.
Booz-Allen Hamilton's Allen noted that unlike other ISACs, the automobile ISAC is getting a jump-start on real attacks. "Many ISACs come after" their industries are hit with attacks, he said.
Dark Reading: http://ubm.io/1KtyNPu

 

« Hundreds of Thousands' of Vehicles At risk of Attack
Avoid Hiring a Cybercriminal: understand motivations & thoroughly vet employees »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ITQ

ITQ

ITQ is an IT consulting firm with a focus on the entire VMware-product portfolio with three main services: Professional Services, Support Services and Managed Services.

Arsenal Recon

Arsenal Recon

Arsenal Recon are digital forensics experts, providing consultancy services and powerful software tools to improve the analysis of electronic evidence.

Incognito Forensic Foundation Lab (IFF Lab)

Incognito Forensic Foundation Lab (IFF Lab)

IFF Lab is a premier cyber and digital forensics lab in India that offers forensic services and solutions, cyber security analysis and assessment, IT support, training and consultation.

Department of Justice & Equality - Cybercrime Division - Ireland

Department of Justice & Equality - Cybercrime Division - Ireland

The Cybercrime division is responsible for developing policy in relation to the criminal activity and coordinating a range of different cyber initiatives at national and international level.

Propelo

Propelo

Propelo (formerly LevelOps) is an engineering excellence platform that helps increase developer productivity and improve security with data-led insights and workflow automation.

Visium Technologies

Visium Technologies

Visium Analytics provides innovative data visualization, cybersecurity technologies and solutions to businesses to protect and secure their data assets.

Keysight Technologies

Keysight Technologies

Keysight is dedicated to providing tomorrow’s test technologies today, enabling our customers to connect and secure the world with their innovations.

SpiderOak

SpiderOak

SpiderOak's portfolio of Secure Communication & Collaboration products ensure the confidentiality, integrity, and availability of your most sensitive data in any environment.

Hushmesh

Hushmesh

Hushmesh is a start-up aimed at securing the world’s digital infrastructure by developing develop the Mesh, a global information space with automated security built in.

Amplix

Amplix

In the race to create value for your enterprise, Amplix is your best asset for making technology decisions and optimizing your IT infrastructure, cloud usage, and security posture.

Afripol

Afripol

AFRIPOL was set up to strengthen cooperation between the police agencies of AU member states in the prevention and fight against organized transnational crime, terrorism, and cybercrime.

Scalarr

Scalarr

Scalarr is an innovative, next-generation cyber security firm focused on automation and AI to detect and prevent threats in mobile and Edge/IoT infrastructures.

DeltaSpike

DeltaSpike

DeltaSpike empowers individuals and organizations worldwide through its comprehensive cybersecurity solutions.

SixMap

SixMap

SixMap is a continuous threat exposure management platform that automatically provides comprehensive enterprise visibility, contextual threat intelligence, and a suite of remediation actions.

Chorology

Chorology

Chorology is a leading provider of intelligently automated, data compliance and posture enforcement solutions.

Operant AI

Operant AI

Operant AI is the only Runtime AI Application Defense Platform that actively protects every layer of live cloud and AI applications from infra to APIs.