Overview
The Automotive Cybersecurity Industry Consortium (ACIC) is a public-private partnership that provides a collaborative mechanism and framework for automotive original equipment manufacturers (OEMs) to pool resources, leverage them with government funding and resources, and conduct cooperative “pre-competitive research” to improve the level of cybersecurity in automobiles.
Need
Modern day automobiles are extremely complex, containing up to 100 embedded electronic control units (ECUs), a wide range of infotainment/telematics networks to support these units, and an ever-increasing number of wired and wireless interfaces. With this increased connectivity comes a higher risk of cybercriminals exploiting automotive cybersecurity vulnerabilities.
Approach
ACIC is a voluntary, technology-oriented partnership among automotive OEMs that is supported by the Department of Homeland Security Science and Technology Directorate (DHS S&T), the Department of Transportation Volpe National Transportation Systems Center (DOT Volpe Center), and nonprofit research center SRI International. The consortium identifies, prioritizes and conducts pre-competitive research projects that address critical cybersecurity challenges in automobiles. The consortium engages subject matter experts, consultants and researchers who provide the best-possible technical support for the project. Different projects require different skillsets and ACIC allows the flexibility to choose the best resources. The consortium promotes the interests of the automotive sector while maintaining impartiality, independence of the participants, and vendor neutrality. A “hub” organization, Bucciero & Associates, oversees the day-to-day operations of the ACIC, acquisition of technical resources based on project requirements, and administers all business issues among ACIC members and with project performers.
Benefits
ACIC’s primary goal is to conduct proactive research to address critical automotive cybersecurity gaps and solutions. The research projects identified and selected by consortium members provide mutual benefit to all members and the nation by reducing the threat of cybersecurity risks in automobiles. The combined resources of the consortium members and the federal government increases both the capacity and quality of the research results. Members also benefit from DHS S&T and DOT Volpe Center broad access to government-funded research and researchers throughout the cybersecurity community. ACIC is focused on technology research and development, which does not have regulatory constraints and issues.
ACIC focuses on technology research, which complements other automotive industry efforts such as the Automotive Information Sharing and Analysis Center (Auto-ISAC), created to enhance cybersecurity awareness and share best practices, and SAE International, a global professional association and standards development organization for engineering professionals in various industries, including automotive.
Current Status and Next Steps
ACIC is in its seventh year and has completed research projects on tools and testing, threat assessment, testing frameworks, automotive ethernet security, vehicle security operations centers, tuner motivations and techniques, and an automotive cybersecurity adoption survey. In addition, it engaged the DOT Volpe Center on projects in telematics device cybersecurity testing and ECU cybersecurity mitigations. The consortium has initiated a new survey of emerging automotive threats. It will continue to execute on these projects, as well as identify, prioritize and conduct future research projects to improve cybersecurity in automobiles.
For More Information
Gloria Bucciero
President, Bucciero & Associates, P.C.
gbucciero@buccierocpa.com
Alex Karr
Program Manager, DHS S&T
alex.karr@hq.dhs.gov
ACIC Summary Datasheet and Overview Briefing
ACIC Public Reports
Project 7: Automotive Industry Cybersecurity Adoption Study, Public Report, August 10, 2022.
ACIC sought an accurate and objective market assessment of current (and future) adoption of advanced automotive cybersecurity features and controls, as well as cyber governance, processes, and ecosystem to help OEMs and suppliers benchmark their own cyber adoption maturity vs. the overall automotive industry. While most vehicle manufacturers and suppliers understand what steps should be taken to improve their cybersecurity posture, many automotive stakeholders do not understand where the industry is heading and whether they are leading, following, or in the pack, making it difficult to accurately plan and prioritize. The ACIC contracted with SBD Automotive and its partner, Pinsent Masons, to conduct an Automotive Industry Cybersecurity Adoption Survey to help individual companies understand current cybersecurity practices and technology and rank their own against the industry. A secure, controlled, blind self-assessment survey facilitated the gathering, collating & analysis of industry-wide cybersecurity adoption trends to allow individual companies to provide input and position themselves.
Project 4: Vehicle Security Operations Center Best Practices and Technical Requirements, Public Report and Briefing, September 29, 2021.
The ACIC sought to document good practice and technical requirements for an automotive domain specific Security Operations Center (SOC) capable of ingesting and processing vehicle data based on approaches taken by a range of industries with greater experience in the use of SOCs. The ACIC contracted with SBD Automotive and its partner, Pen Test Partners, to study and document best practices and technical requirements for an automotive domain SOC capable of handling vehicle data. The VSOC best practices and technical requirements were derived from market research into product SOCs from other domains with equally complex and constrained environments, including aviation, defense, healthcare, industrial control systems (ICS), and mobile devices. SBD also explored and defined technical considerations for an automotive specific VSOC gathered through OEM interviews. This helped define requirements for a VSOC and gain a better understanding of what best practices from the cross-domain research are most applicable to the unique constraints of the automotive domain.
© 2022 Automotive Cybersecurity Industry Consortium. All rights reserved.