Slashdot Mirror


Auto Industry Publishes Its First Set of Cybersecurity Best Practices (securityledger.com)

chicksdaddy quotes a report from Security Ledger: The automotive industry's main group for coordinating policy on information security and "cyber" threats has published a "Best Practices" document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time. The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers. The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process. Automakers are urged to test for and respond to software vulnerabilities, to develop methods for assessing and fixing security vulnerabilities, to create training programs, to promote cybersecurity awareness for both information technology and vehicle-specific risks, and to educate employees about security awareness. The document comes after a Kelley Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."

1 of 38 comments

  1. I fear a big fiasco by knorthern+knight · Score: 4, Interesting

    GM can shut down any Onstar-equipped vehicle anywhere. Currently, it's being heralded as a good thing http://www.autobytel.com/auto-...

    But, as Aldrich Ames and Jonathan Pollard proved, there will always be turncoats willing to sell extremely sensitive info. So you're Al Qaeda or ISIS, with connections to Saudi oil money. Or China or Russia or whoever. You need to buy, or blackmail, the info on how it's done. Here's a doomsday scenario...

    The date is some December or January in the next few years. The forecast calls for a major snowstorm in the US Northeast, followed by a brutal cold front. 6 to 10 hours before the storm is due to hit, the bad guys throw the switch in the middle of afternoon rush hour. The roads are clogged with stalled cars. There are so many stalled cars that any "immune" vehicles wouldn't be able to get anywhere anyways. The smart drivers get out and try to find shelter in stores/hotels/wherever. The slower thinkers freeze to death in their cars.

    Because the roads are clogged with dead cars, and the US is heavily into JIT (Just-In-Time) supply chains, grocery stores, supermarkets, convenience stores, etc., are soon running out of goods. Minor issues in the power grid go unfixed, because utility workers can't get from home to the dispatch site to the problem area. More and more of the US Northeast loses electricity, and people start freezing and starving to death. The president declares martial law, but thousands, if not millions, of people die in the ensuing chaos before order is restored.

    Similar scenarios apply to anything that can be shut down "from the cloud". Imagine if Microsoft's authentication systems suddenly decided that your copy of Windows, and everybody else's, was bogus. The US shuts down. Taking over Nest thermostats during a cold spell or a heat wave could also cause many thousands of casualties, and major chaos. It's eff-ing stupid to allow any one authority that much power, because they *WILL* get hacked, and the power *WILL* be used for evil. It's only a matter of time.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user