ISACs, Information Sharing and Analysis Centers within vehicle cybersecurity issues


February 14, 2021

A report by the JRC and the European Union Agency for Cybersecurity (ENISA) has just been published (February 11). The report sheds light on the cybersecurity risks linked to the uptake of artificial intelligence (AI) in autonomous vehicles and provides recommendations for mitigating them.

According to the report, the increased number of publicly reported attacks in the automotive context over the last years has led policy makers, regulatory bodies and the automotive industry to become aware of the security needs relatively quickly, and has led to the development of several cybersecurity regulations and initiatives that aim to ensure properly secure vehicles. For example, in the international context, the Automotive Information Sharing and Analysis Center (Auto-ISAC) and its Automotive Cybersecurity Best Practices are mentioned.

An Information Sharing and Analysis Center (ISAC) is an industry-specific organization that gathers cybersecurity information, shares it with critical infrastructure, and provides two-way sharing of information between the private and public sectors.

ISACs were established in the U.S.A. under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The U.S.A.’s National Council of ISACs currently lists 21 member ISACs, including, for example, the financial, automotive, energy, aviation, and communication sectors.

The Auto-ISAC is a global information sharing community that promotes vehicle cybersecurity and was formed in August 2015 by automakers. Within the forum, connected vehicle ecosystem stakeholders can securely share cyber information and analysis and collaborate to enhance their vehicle cyber capabilities. The members of Auto-ISAC can anonymously submit and receive information that helps them respond more effectively to cyber threats. The forum also offers workshops, information exchange events, summits, and exercises, all related to the members’ vehicle cyber capabilities.

A key action by the Auto-ISAC is the publishing of the aforementioned Automotive Cybersecurity Best Practices guides. The published Automotive Cybersecurity Best Practice Executive Summary is a high-level document defining key cyber functions and best practices within organizational and technical aspects of vehicle cybersecurity. Currently, six guides are available to the public: awareness and training; collaboration and engagement; governance; incident response; risk assessment and management; and threat detection, monitoring and analysis. Future guides are in development.

The American Auto-ISAC has a global representation, and its members account for almost all light-duty vehicles on the road in North America. Its membership also covers more than 30 global OEMs and their suppliers, as well as heavy-duty vehicles, commercial fleets and carriers. The latest additions to Auto-ISAC are Argo AI and Polaris Inc.

Argo AI is a technology platform company working with leading automakers to deliver a fully integrated self-driving system. It has more than a thousand employees and global headquarters in Pittsburgh, U.S.A., as well as offices in Germany.

Polaris Inc. is a global provider in powersports, founded in 1954 and probably most familiar to Swedes for its snowmobiles.

Within the EU, sectoral ISACs do exist, but there is not yet one specific to the automotive sector, with a cybersecurity organization for connected vehicles including automakers and parts suppliers. In parallel, later this year Japan plans to spin off its Japan Automotive ISAC (J-Auto-ISAC), now under the Japan Automobile Manufacturers Association, into an independent organization with an initial 21 members, including automakers such as Toyota Motor and Honda Motor. Whether the EU will follow the trend and establish a dedicated ISAC for the automotive sector, comprising a cybersecurity organization for connected vehicles including OEMs and their suppliers, is yet to be seen. Or maybe it is something they have already considered. Associated work is presently being conducted by organizations like the European Automobile Manufacturers’ Association (ACEA), the European Union Agency for Cybersecurity (ENISA) and the Joint Research Centre.

Written by Joakim Rosell
