U.S. Homeland Security Signs Agreement with Auto-ISAC

The Auto-ISAC has signed a Cooperative Research and Development Agreement (CRADA) with the U.S. Department of Homeland Security (DHS) to collaborate and improve vehicle cyber-threat information sharing and analysis.

Private sector companies sign a CRADA with DHS to participate in the Cyber Information Sharing and Collaboration Program (CISCP), the department’s flagship program for public-private multi-directional cybersecurity information sharing and analytic collaboration about cyber threats, incidents and vulnerabilities.

 “This relationship with DHS provides our cybersecurity experts the opportunity to work with their counterparts in the federal government to increase information sharing and analysis,” said Jeff Massimila of General Motors, who also serves as the Auto-ISAC’s Chair.

The agreement could facilitate access to DHS’ National Cybersecurity and Communication Integration Center (NCCIC), a security operations watch center. The agreement also provides ISAC personnel with eligibility for security clearances to view classified threat information.

“CISCP is a bi-directional information sharing program providing increased value for our Auto-ISAC members,” says Faye Francy, Auto-ISAC Executive Director and AUTO Connected CAR News’ Tech CARS award nominee.

“As the automotive industry continues to prepare for an increasingly interconnected future, the ability to collaborate with DHS and other private sector companies markedly increases our ability to detect and prevent vehicle cybersecurity threats,” continued Francy.

The Auto-ISAC joins other Information Sharing and Analysis Centers (ISACs) and private sector companies already working with DHS to tackle today’s cybersecurity challenges.

CISCP partners voluntarily submit indicators of observed cyber threats and information about cyber incidents and identified vulnerabilities, done in an anonymized, aggregated fashion. Data submitted to CISCP falls under the Protected Critical Infrastructure Information Program and are statutorily exempt from regulatory use or any disclosure under the Freedom of Information Act or state Sunshine Laws.

One key component of the agreement is the ability of representatives of the Auto-ISAC to sit side-by-side with government, other ISAC partners and companies to share and analyze information and block cyber threats before damaging compromises occur. CISCP analysts examine the submission in collaboration with both government and industry partners and produce accurate, relevant, timely and actionable analytical products. There are a number of valuable products available to the partners through the program to include: Indicator Bulletins, Analysis Report, Priority Alert, and Recommended Practices.  In addition, CISCP hosts analyst-to-analyst technical threat exchanges and analyst training events that allow for classified and unclassified briefings.

Vehicle cybersecurity is a critical foundation for the future of the connected vehicle. Through the establishment of Auto-ISAC, there is a central hub for members to share, track and analyze intelligence about potential cyber threats, vulnerabilities and incidents related in and around the connected vehicle.

The Auto-ISAC facilitates sharing of timely and actionable information pertaining to cybersecurity threats affecting the automotive industry. It enhances the ability of the automotive industry to prepare for and respond to cyberthreats, deal with vulnerabilities and incidents, and raise awareness across the community to reduce business risks.

Auto-ISAC was established in 2015, when Global Automakers, the Alliance of Automobile Manufacturers and 15 automakers joined forces to establish a global community to foster collaboration that creates a safe, efficient, secure and resilient connected vehicle ecosystem. Auto-ISAC shares and analyzes timely and actionable intelligence about emerging cybersecurity risks to the vehicle. It also works to develop and mature vehicle cybersecurity capabilities across the industry through initiatives like its Best Practices and information exchanges.

Membership is open to light- and heavy-duty vehicle OEMs and suppliers, and commercial vehicle sector (e.g. fleets, carriers). Partnerships are open to security solutions providers, industry associations, research consortia, government agencies and academia.

Background on DHS’s CISCP

Information shared via CISCP allows all participants to better secure their own networks and helps support the shared security of CISCP partners. Further, CISCP provides a collaborative environment where analysts learn from each other to better understand emerging cybersecurity risks and effective defenses. CISCP is based upon a community of trust in which all participants seek mutual benefit from robust information sharing and collaboration. CISCP is voluntary, free of charge and provides value to all members. Therefore, all companies with an interest in multi-directional cybersecurity information sharing and robust analytic collaboration between the government and the private sector should consider joining CISCP.