Steven D’Antuono, assistant director for the FBI’s Washington field office, said such partnerships are among “the biggest tools” that law enforcement has to prevent cyber attacks.
The threat has become more apparent to the industry in recent years, said Josh Davis, Toyota Motor North America’s chief cybersecurity officer and chair of Auto-ISAC.
But communication between cybersecurity executives is improving as threats increasingly impact the supply chain and vehicle production, he added.
“The conversations have gotten a little easier, frankly, because we can draw directly from our own experience with suppliers being impacted,” Davis said.
Last year, a large-scale cyber attack cost German supplier Eberspaecher Group about $60 million and disrupted phone and email communication among its 10,000 employees for weeks.
A majority of attacks were “black hat” incidents for the first time in 2021, meaning they were carried out by malicious actors, according to Israeli cybersecurity company Upstream Security. Previously, attacks came from “white hat” hackers working with companies looking for vulnerabilities.
The rising threat prompted NHTSA to update its voluntary guidance for new vehicles for the first time since 2016. Issued earlier this month, the guidance covers best practices related to incident response, risk mitigation and information sharing.
It only takes one attack to shatter consumer confidence, Carlson said.
Still, companies are often hesitant to share data. Before supplier Robert Bosch shares, it first must understand how the information will be used and analyze the potential cost, said Tony Serventi, Bosch legal counsel. “It won’t ever be an easy analysis,” he said.
There is no “silver bullet” to addressing these concerns, said Jeremy Close, cybersecurity and privacy counsel at Kia America.
“We have big targets on our backs,” he said. “We operate in a very litigious environment. Everything you say outside of your company can and will be used against you.”
Companies need to find the balance between being transparent and protecting secrets.
As over-the-air updates to vehicle software proliferate, they open up new revenue sources for automakers. Upstream Security CEO Yoav Levy said this creates more potential exposure points. “This needs to be more of a continuous effort and a continuous process,” he said.
Upstream plans to open its first U.S. security operations center in Ann Arbor, Mich., west of Detroit, as it gears up for an expected rise in threats.
Companies should educate their employees from “the shop floor to the C-suite,” said Rebecca Faerber, manufacturing cybersecurity services manager at Ford Motor Co.
“I don’t pretend any of us are the same as the national electric grid, but we are critical infrastructure,” she said. “And I’m concerned we would make a great test bed for a smart and well-motivated group.”