Lessons Learned from the Automotive Industry’s Approach to Cybersecurity

Cybersecurity needs to be part of the supply chain.

The automotive industry’s cyber threat information sharing organization, Auto-ISAC, recently announced its best practices for cybersecurity measures for automobiles. The best practices are intended for all manufacturers and suppliers in the automotive industry, regardless of size. The organization states they built in flexibility for implementation by a range of companies.

Auto-ISAC is a member of the National Council of Information Sharing and Analysis Centers (ISACs). ISACs were created for various critical infrastructure industries after a presidential directive in 1998. The directive asked key critical infrastructure sectors to establish organizations that would share information about threats and vulnerabilities within their specific industry. Auto-ISAC is owned and operated by automotive manufacturers and suppliers.

The Auto-ISAC’s best practices are categorized by functions:

  • Governance
  • Risk assessment and management
  • Security by design
  • Threat detection and protection
  • Incident response
  • Awareness and training
  • Collaboration and engagement with appropriate third parties

One lesson learned from the risk assessment and management category is the acknowledgement that cybersecurity needs to be part of the supply chain. The best practices recommend including the supply chain in risk assessments, as well as developing a process to confirm that critical suppliers comply with security requirements, guidelines, and training. A manufacturer can’t ensure final security without including all key suppliers.

Another lesson that can be learned from the automotive industry is its recognition that cybersecurity in the industry is about safety, not a competitive advantage. The best practices specifically call out the need to share information with third parties such as Auto-ISAC, peers, researchers and government agencies. Collaboration among stakeholders is important to defend against cyber-attacks.

Billington Cybersecurity, a media company that produces a variety of events on cybersecurity, hosted a conference last week for the automotive industry. The Cyber Wire covered the conference in detail and noted that the large manufacturers are taking collaboration and sharing seriously.

The conference was attended by the Department of Transportation, auto manufacturers and suppliers. Participants seemed to be highly interested in how other critical industries such as aerospace and defense are handling cybersecurity. A further lesson for small businesses is that industries increasingly realize cyber-attacks need to be discussed among industry players and best practices shared.

Small businesses have an opportunity in many of their industries to be part of cybersecurity conversations and industry cybersecurity initiatives. Small businesses have as much to lose in cyber-attacks as do large businesses. Small business voices should be expressed to ensure their needs are represented.