Frequently Asked Questions
What is an ISAC?
Information Sharing and Analysis Centers (ISACs) were created as a result of Presidential Decision Directive 63 (PDD-63) in 1998. The directive requested that the public and private sectors create a partnership to share information about threats, vulnerabilities, and events to help protect the critical infrastructure of the United States. PDD-63 was updated in 2003 with Homeland Security Presidential Directive 7 (HSPD-7) to reaffirm the partnership mission.
The National Infrastructure Protection Plan (NIPP) -- NIPP 2013: Partnering for Critical Infrastructure Security and Resilience -- outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes. NIPP 2013 represents an evolution from concepts introduced in the initial version of the NIPP released in 2006 and revised in 2009. The National Plan is streamlined and adaptable to the current risk, policy, and strategic environments. It provides the foundation for an integrated and collaborative approach to achieve the vision of: "[a] Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened."
NIPP 2013 meets the requirements of Presidential Policy Directive-21 (PPD-21): Critical Infrastructure Security and Resilience, signed in February 2013. The Plan was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and from all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on outcomes.
What does Auto-ISAC stand for?
Automotive Information Sharing and Analysis Center.
What is Auto-ISAC?
Auto-ISAC was formed in August 2015 by automakers to establish a global information sharing community to address vehicle cybersecurity risks. Auto-ISAC operates a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to the connected vehicle.
Currently, Auto-ISAC Members account for more than 99 percent of light-duty vehicles in North America, with over 30 global OEM and supplier Members. Building upon the success of this collaboration, Auto-ISAC recently expanded membership to heavy trucking OEMs and their suppliers, as well as the commercial vehicle sector—including fleets and carriers.
Why join Auto-ISAC?
Auto-ISAC provides a unique global information sharing community to promote vehicle cybersecurity. Auto-ISAC is a forum for connected vehicle ecosystem stakeholders to securely share cyber information and analysis, and to collaborate to enhance their vehicle cyber capabilities. Auto-ISAC operates as a central hub for sharing, tracking and analyzing intelligence about potential cyber threats, vulnerabilities and incidents related to the connected vehicle; its secure intelligence sharing Portal allows Members to anonymously submit and receive information that helps them more effectively respond to cyber threats. In addition to intelligence sharing, Auto-ISAC is committed to enhancing Members’ vehicle cyber capabilities through workshops, information exchange events, summits, and exercises. We also have a Working Group focused on developing Best Practices for the industry. In 2016, we published our Automotive Cybersecurity Best Practices Executive Summary, which outlines Auto-ISAC’s informational guides that cover organizational and technical aspects of vehicle cybersecurity, including incident response, collaboration and engagement with appropriate third parties, governance, risk management, security by design, threat detection and protection, training and awareness.
What does Auto-ISAC do?
Auto-ISAC is a unique community of practice for relevant security information sharing for the auto industry. Auto-ISAC enhances the ability of the automotive industry to prepare for and respond to security threats, vulnerabilities, and incidents so that connected vehicle ecosystem stakeholders can best manage their business risks.
Auto-ISAC gathers and disseminates information about cybersecurity risks facing connected vehicles around the world. Sources of information include Members, government agencies, academic sources, vendors, open source and other trusted sources. After analysis by our industry experts, we package the information into intelligence reports and share via our secure Auto-ISAC Portal.
In addition to our intelligence capability, Auto-ISAC conducts workshops, information exchange events, summits, and exercises. We are also working to develop a series of Best Practice Guides that cover organizational and technical aspects of vehicle cybersecurity, including incident response, collaboration and engagement with third parties, governance, risk management, security by design, threat detection and protection, training and awareness.
How long has Auto-ISAC existed?
In 2015, 14 light-duty vehicle OEMs decided to come together to charter the formation of Auto-ISAC. Our prospectus acknowledged the international nature of the automotive industry and included participation of global international Members. Auto-ISAC was incorporated in August 2015 and became fully operational in January 2016. In 2016, we expanded our scope to allow light- and heavy-duty vehicle suppliers and heavy-duty vehicle OEMs as Members. In 2017, we once again expanded membership to include the Commercial Vehicle sector—including fleets and carriers.
What is the cost to join?
Pricing for full membership varies depending on the revenue of the prospective member. We also have a community membership open to everyone at no cost. Community Members may participate in a monthly virtual Town Hall, where we provide situational awareness into key topics for the automotive industry. This is your community and we ask each member to participate in sharing and collaboration. We are also working to formalize Partnership programs for vendors, academia, and researchers. We currently have a Partnership program in place for industry associations and government agencies. Please contact us for more details.
Who manages Auto-ISAC?
The Auto-ISAC Board of Directors governs Auto-ISAC and is composed of leaders from across the automotive sector. There are currently 15 OEMs on the Board of Directors, as well as four non-OEM representatives. There is an Affiliate Advisory Board composed of our Gold and Platinum non-OEM Members. The Affiliate Chair and Vice Chair serve on the Board. Auto-ISAC Officers include a Chair, Vice Chair, Treasurer, and Secretary. The Executive Committee includes all four officers plus the Chair of the Affiliate Advisory Board. There is an Executive Director who manages the daily operations and is responsible for implementing Auto-ISAC's mission and vision. Auto-ISAC also has an Operations Manager, Intelligence Coordinator, Recruiting Specialist and Systems Administrator, and we anticipate expanding our staffing over the next few years as the program matures.
Who has access to the data that I submit?
Members have access to data for research and investigations. Our analysts use the database to establish trends and to conduct research and investigations. Members can determine what data is shared when they submit. A key attribute of Auto-ISAC is the confidentiality that can be provided to the Member if they choose to remain anonymous. All information shared is anonymized unless attributed by the Member. This is a voluntary process with the default being anonymization. The Auto-ISAC Intelligence Coordinator works directly with each Member if there is an issue or concern and supports each Member if there are any questions about their submission of data.
If I’m not a Member, can I still submit information to Auto-ISAC?
Although Auto-ISAC is not a coordinated disclosure or bounty-based organization, anyone can submit information to Auto-ISAC. Automotive cybersecurity researchers, academia and enthusiasts are welcome. Contact us to tell us a little about yourself and your submission topic, and your discovery could end up as part of an Auto-ISAC Intelligence Report!
Can the Government access the data that I submit?
No government agency or law enforcement has access to Member-submitted data without prior approval of the submitting Member. Auto-ISAC will provide appropriate government departments with sanitized data on a need-to-know basis and with approval of the Member submitting the data. The goal is to ensure all Member data is anonymized unless Members approve to self-identify.