If Your Fleet Was Held for Ransom, What Would You Do?

How seriously can cybersecurity affect fleets? One fleet manager had his vehicles hacked and received a demand of $18 million to release them.

“How would you react to that?” asked Faye Francy, Executive Director of Auto-ISAC, in Washington, D.C.

As deeply competitive as OEMs are, there is at least one area where they are cooperative partners: cybersecurity.

They come together at Auto-ISAC, which is a community that shares emerging threat intelligence against the automotive sector. ISACs, or Information Sharing and Analysis Centers, were created from a presidential directive that requested the public and private sectors create partnerships to share information about threats, vulnerabilities, and events to help protect the critical infrastructure of the U.S.

“As the mantra goes, an attack on one is an attack on all of us, so we come together,” said Geoffrey Wood, Director of Cybersecurity Business Development North America at Harman, who is also Chair of Auto-ISAC’s Affiliate Advisory Board. “We realized we need a security design lifecycle imbedded with product development…to make a quality and secure product.”

The organization – which presented the session Automotive Industry Panel on Cybersecurity at NAFA’s 2019 Institute & Expo – is among those at the forefront of data security in vehicles and counts many OEMs and their suppliers as members. When a cybersecurity threat emerges against the coalition members, it’s quickly shared among members to counter the threat.

However, auto cybersecurity isn’t well-regulated. “Autonomous (features) have potential to spread to all vehicles,” Wood said, therefore the vacuum of regulations is important to the organization. “When legislation does come, it will probably be less than what we’re already using.”

The organization uses a variety of methods, including white-hat hackers, to assess vehicle security, said Tobias Gaertner, Vehicle Cybersecurity Specialist, for BMW of North America. “We also have tabletop exercises to simulate crises…It’s a small community so we see each other often.”

When OEMs look at threats, they assess the entire vehicle, even down to the level of car alarms, Gaertner added. Auto-ISAC’s incident response team includes professionals from legal, purchasing, and more.

Greg Reynolds, Director of the Information Security Office for Enterprise Holdings, said the organization’s work has significant impact on fleet. “We lean on each other for the information we are getting…The things we put in place around monitoring, response, and employee awareness programs, all tie into the fleet policies we create.”