Saturday, July 23, 2016

Automotive ISAC cybersecurity recommendations

On Thursday the automotive ISAC released recommendations for increasing automotive cybersecurity.  What can we learn from this?  A lot it turns out - some good, some bad.  It turns out that automotive cybersecurity isn't much different from cybersecurity anywhere else, so these recommendations are pretty universally applicable.

I'll focus mostly on section 4.0, titled "Best Practices Overview."  The document focuses on a number of high level items, including:

  1. Governance
  2. Risk Assessment
  3. Security by Design
  4. Threat Detection and Protection
  5. Incident Response and Recovery
  6. Training and Awareness

I'll probably do some follow up posts, but for the moment the ones I want to focus on most are Security by Design and Threat Detection and Protection.  Both of these contain very solid advice for most organizations, automotive or not.  For instance, Security by Design focuses on the following areas:

None of these are bad and in fact few organizations I work with are considering all of these points.  But the number one thing I see missing here is the lack of any recommendation/requirement for third party security testing.  Ask a developer if they've written secure code and you know what answer you're likely to get.  Internal testing teams are often incentivized to not make waves when reporting vulnerabilities.  Even when there's no pressure, they often operate in an echo chamber and that's no good.  Outside testers bring experience from other industries and manufacturers to bear against your product.  And they're much more likely to bring the skills that real testers (i.e. hackers) will bring to your product later.

As for Threat Detection and Protection, the outlook is a little better.

Not surprisingly for an ISAC, we see the recommendation to report threats to appropriate third parties.  This is a good recommendation in general and totally self serving for an ISAC.

But my favorite recommendation here is to identify how to manage vulnerability disclosure from third parties.  Entities outside the organization can and will discover vulnerabilities in our products.  If the security department can't effectively deal with these disclosures, we are doomed to fail.  I have multiple recommendations that I share with Rendition Infosec customers, including:

  • Ensure that you have a security reporting point of contact on the website
  • Operators who answer the general "contact us" phone and email must know where to route security inquiries
  • Once the security department is notified, they should engage public relations 
  • Develop a timeline for response and communicate that timeline with the entity reporting the vulnerability
  • Stick to the developed response/remediation timeline. If deviations are a must, clearly communicate that with the submitter.

This isn't a comprehensive list, but will get you a long way towards good.

I'll leave this here for now.  Let me know on Twitter or in the comments if there's interest in more review of this document and I'll post a follow up.  Overall, we should commend the Automotive ISAC for their security processes.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.