Auto Industry Publishes Its First Set of Cybersecurity Best Practices (securityledger.com)
chicksdaddy quotes a report from Security Ledger: The Automotive industry's main group for coordinating policy on information security and "cyber" threats has published a "Best Practices" document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time. The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers. The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process. Automakers are urged to test for and respond to software vulnerabilities, to develop methods for assessing and fixing security vulnerabilities, to create training programs, promote cybersecurity awareness for both information technology and vehicle-specific risks, and educate employees about security awareness. The document comes after a Kelley Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."
Rotsofruk Fuckers.
Pity they didn't think of it before now.
... 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."
Numbers may not lie, but they are occasionally insightful. If these two statements are true, and they represent the survey results of a similar control group, there is a minority report on an overlap that evidently admit cars will be hacked... but they like it, they love it, they want some more of it.
... given the "guidance" available from the "computer security industry" s'kiddies.
Anyhow, given the myriad topics you have to "best practice" and you'll still end up with something trivially pwnable, you're better off sticking to what you're good at and produce cars that aren't connected to world+dog. Connectivity implies complexity implies security problems no matter what you do. Better make sure the connectivity serves a clear useful purpose other than "convenience" or "because we can", something that's actually worth the complexity trade-off.
I'd rather just not have networked anything in my car. There, problem solved.
Let's see dealer-only service and forced ECU swaps. Say you can't run car OS 2018, so for only $500 + labor we can upgrade it to a new one and waive the $150 software update fee, or you can get a good deal on a NEW CAR. If you say no, your car may enter limp mode and will be locked out of some auto-drive roads.
Needs to be free software updates for 7-12 years and no BS like after 1-2 years want that bug fix BUY A NEW CAR!
Is rule #1 along the lines of "thou shalt not allow traffic between the entertainment system and the actual driving the car system to occur"? Cuz if not, it's a fail from the beginning.
Exception being car system saying "oh holy fuck, slam on the brakes, this could be bad, turn off the music".
Needs to be free software updates for 7-12 years and no BS like after 1-2 years want that bug fix BUY A NEW CAR!
It needs to be free software updates for the life of the vehicle. Get these dickheads thinking about standardizing their interfaces now so they can upgrade your PCM if they want to abandon it.
GM can shut down any Onstar-equipped vehicle anywhere. Currently, it's being heralded as a good thing http://www.autobytel.com/auto-...
But, as Aldrich Ames and Jonathan Pollard proved, there will always be turncoats willing to sell extremely sensitive info. So you're Al Qaeda or ISIS, with connections to Saudi oil money. Or China or Russia or whoever. You need to buy, or blackmail, the info on how it's done. Here's a doomsday scenario...
The date is a December or January in the next few years. The forecast calls for a major snowstorm in the US Northeast, followed by a brutal cold front. 6 to 10 hours before the storm is due to hit, the bad guys throw the switch in the middle of afternoon rush hour. The roads are clogged with stalled cars. There are so many stalled cars that any "immune" vehicles wouldn't be able to get anywhere anyway. The smart drivers get out and try to find shelter in stores/hotels/wherever. The slower thinkers freeze to death in their cars.
Because the roads are clogged with dead cars, and the US is heavily into JIT (Just-In-Time) supply chains, grocery stores, supermarkets, convenience stores, etc, are soon running out of goods. Minor issues in the power grid go unfixed, because utility workers can't get from home to the dispatch site to the problem area. More and more of the US Northeast loses electricity, and people start freezing and starving to death. The president declares martial law, but thousands, if not millions, of people die in the ensuing chaos before order is restored.
Similar scenarios apply to anything that can be shut down "from the cloud". Imagine if Microsoft's authentication systems suddenly decided that your copy of Windows, and everybody else's, was bogus. The US shuts down. Taking over Nest thermostats during a cold spell or a heat wave could also cause many thousands of casualties, and major chaos. It's eff-ing stupid to allow any one authority that much power, because they *WILL* get hacked, and the power *WILL* be used for evil. It's only a matter of time.
If this Automotive industry's main group for coordinating policy on information security and "cyber" threats has published anything, where is it? All the website has is an "Executive Summary". All this seems to be is a single consultancy company, whose sole revenue is government consulting, launching a marketing website to gather automotive execs' contact details so they can widen their customer base.
Between malware, ransomware, bad or false updates, targeted advertising trackers and every three-letter-acronym-agency trying to weasel their way in for reasons no less sinister...
I have a hard time believing the advantages to we consumers outweigh the loss of security and liberty that cheap "IoT" additions will bring our cars, most especially when the security we give up is then used as a reason for why we need to give up something else for more security...
I mean, sure you could have entirely separate closed systems where the onboard computer and engine controls are entirely separate, and that would be perfectly fine...
But they won't do that, will they.
standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up
I believe there is a conflict between the statement and the call.
But as further networking of cars seems unavoidable I wish them success.
The document comes after a Kelley Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."
the real concern should be the percentage of people that despite thinking "connected cars will be hacked," still "want cars to be more connected," and then laughed maniacally. ;)
That is pretty much in line with my expectations for the car trade. Fortunately, it is also my experience that with a bit of effort it is always possible to find someone to do the same work for next to nothing.
Not if they ever get security correct. Correct security means that they *will* effectively lock out everyone that is not them. After all, any exploit used by an aftermarket tech can also be used by a thief/hacker.
...and Toyota settled with utmost haste after they were found guilty. http://www.safetyresearch.net/... Software like this CANNOT be connected to larger networks safely.
Wut?
This is not the first. SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems was published in January!
and they want their hands on the ability to turn off your car. justified of course by "it's for your safety".
Isaac Asimov's Three Laws of Robotics must be MANDATORY! Anything less and you're just asking for trouble! The documentation for the device resides IN the device and is EASILY accessible to the user. I've seen way too many devices that require intricate, complicated instructions that are nowhere to be found when something needs fixing or modifying, e.g. wrist watch time setting.