Auto-ISAC Pushes To Protect Internet-Enabled Connected Cars

King & Spalding

In July 2016, the nonprofit Automotive Information Sharing and Analysis Center (“Auto-ISAC”) released a series of auto cybersecurity best practices to collectively address cyber threats that could pose unreasonable risks to safety or security in internet-enabled vehicles.

The principles cover governance, risk management, security by design, threat detection, incident response, training, and collaboration with third parties.  The issue of threats to vehicle security first garnered significant attention last year when two cybersecurity experts remotely hacked into a 2014 Jeep Cherokee driven by a journalist who was traveling at 70 mph in downtown St. Louis, demonstrating that they could access and control the car’s air conditioning, radio, accelerator, and transmission.  In response, Fiat Chrysler issued a recall for 1.4 million vehicles.

Previous car hacking attempts, though not as well-publicized, prompted the Alliance of Automobile Manufacturers Inc. and the Association of Global Automakers, Inc. to form the Auto-ISAC in July 2014.  The consortium seeks to share intelligence about vehicle cybersecurity risks and to update the framework of best practices to safeguard against and respond to such threats.

As technology in cars evolves rapidly, including with the advent of self-driving vehicles, the auto industry is signaling, through industry collaboration, its desire to keep pace with safety measures as well. The release of Auto-ISAC’s best practices this summer parallels an increased focus on regulatory compliance, along with an emphasis on disclosing cybersecurity risks to consumers.

The activists who hacked the Jeep Cherokee last year put on a new demonstration at the Black Hat USA conference in August 2016, showing that the same vehicle remains vulnerable to new and potentially more dangerous threats.  Fiat Chrysler insisted that this year’s hack could not have been performed remotely, due to the fixes made after last year’s vehicle recall.  However, the manufacturer also just launched its first “bug bounty” program, offering up to $2,500 to hackers who inform the company about cybersecurity flaws in its vehicles.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
