Start Your Engines | Auto ISAC Summit
Annual Summit
Save the Date: Dec 13-14, 2017

Best Practices FAQs

What are the Best Practices?

The Automotive Cybersecurity Best Practices capture key considerations for connected vehicle ecosystem stakeholders designing and operating their vehicle cybersecurity programs.

In July 2016, Auto-ISAC published an Executive Summary that captured high-level insights on Best Practices for automotive cybersecurity. We are now working through a series of seven Best Practice Guides that offer focused insights and implementation considerations for each of the functional areas identified in the Executive Summary. The seven functional topics are:

  1. Incident response
  2. Collaboration and engagement with appropriate third parties
  3. Governance
  4. Risk management
  5. Security by design
  6. Threat detection and protection
  7. Awareness and training

The Executive Summary and each of the Best Practice Guides are:

  • Not Required. Organizations have the autonomy and ability to select and voluntarily adopt practices based on their respective risk landscapes.
  • Aspirational. These practices are forward-looking, and voluntarily implemented over time, as appropriate.
  • Living. Auto-ISAC plans to periodically update this Guide to adapt to the evolving automotive cybersecurity landscape.

Why is the auto industry developing Best Practices for vehicle cybersecurity?

As advanced technology brings new capabilities and features to cars and trucks, stakeholders across the connected vehicle ecosystem are working to mitigate safety and privacy risks that could arise as a result of cyber threats or vulnerabilities. The Best Practices provide guidance as the industry moves forward on cybersecurity. The development of Best Practices and the formation of the Automotive Information Sharing and Analysis Center (“Auto-ISAC”) demonstrate the industry’s commitment to staying ahead of cyber challenges.

What topics do the Best Practices cover?

The Best Practices cover seven areas that impact connected vehicle cybersecurity. The areas are:

  1. Governance
  2. Risk assessment and management
  3. Security by design
  4. Threat detection and protection
  5. Incident response
  6. Awareness and training
  7. Collaboration and engagement with appropriate third parties

How do the Best Practices compare to similar efforts?

The Best Practices strongly align to guidance released by NHTSA and other relevant government agencies. They also align to cyber standards and frameworks created by the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), SAE International, and other standards bodies, and are tailored to address connected vehicle cybersecurity challenges. However, our Best Practices are not intended to be used as standards; they are aspirational, not required, living documents.

What is the Best Practices’ scope?

The Best Practices are written for OEMs, suppliers and the commercial vehicle sector, and may be applicable to broader connected vehicle ecosystem stakeholders (e.g. dealers, aftermarket suppliers).

The Best Practices are aspirational—providing forward-looking considerations to prepare for future challenges. They do, however, also consider steps that can be taken now to secure today’s vehicles. Automakers are committed to continuously improving the Best Practices to address ever-changing cyber threats.

What level of detail do the Best Practices provide?

The Best Practices Working Group is developing a series of work products at two different levels of detail:

  • An Executive Summary (released in July 2016) that provides a high-level overview of the Best Practices to date.
  • Seven Best Practice Guides that provide implementation guidance for the seven functional areas identified in the Executive Summary.

The Executive Summary is publicly available on the Auto-ISAC website. Access to the Best Practice Guides is currently limited to Auto-ISAC Members.

Will Auto-ISAC be releasing the full set of Best Practices and implementation guides? If so, when will they be released?

Auto-ISAC has released the Best Practices Executive Summary to offer non-members initial guidance to enhance their vehicle cybersecurity, and to provide consumers with insight into the industry’s ongoing collaboration to enhance vehicle cybersecurity.

The full set of Best Practice Guides is not currently available outside of Auto-ISAC membership. We do intend to make the Guides available to other connected vehicle ecosystem stakeholders over time. We will periodically update this website to provide release information as we finalize the detailed Guides.

To whom are automakers accountable for following the Best Practices?

The Best Practices are not prescriptive and do not form a compliance framework or assessment. Adoption of any Practices is voluntary. The Best Practices are designed as aspirational considerations for organizations to tailor implementation to their unique risk landscape, systems, services, and organizational structures. Ultimately, our Members are committed to protecting consumers, and they may consult the Best Practices for ideas to design and operate a program that best fits their unique risk landscape.

When will automakers achieve these Best Practices?

The Best Practices are aspirational and will evolve over time to match the dynamic nature of the cyber landscape. Automakers, suppliers and commercial vehicle companies intend to use the Best Practices to guide the continuous improvement of their cyber posture, rather than to “check the box” against a static set of criteria. The Best Practices are living documents that will be periodically refreshed to allow for nimble and flexible cybersecurity advancements that match the speed of emerging technologies.

About Auto-ISAC:

Auto-ISAC was formed in July 2015 in a collective effort by the auto industry to establish a secure platform for sharing, tracking and analyzing intelligence about cyber threats and potential vulnerabilities. Auto-ISAC operates as a central hub that allows Members to anonymously submit and receive information to help them more effectively counter cyber threats in real time. Currently, Auto-ISAC Members account for more than 99 percent of light-duty vehicles on the road in North America. Auto-ISAC is open to light-duty and heavy-duty vehicle OEMs and suppliers, and the commercial vehicle sector—including fleet managers and carriers.