Frequently Asked Questions

About Us

What is an ISAC?

Information Sharing and Analysis Centers (ISACs) were created as a result of Presidential Decision Directive 63 (PDD-63) in 1998. The directive requested the public and private sector create a partnership to share information about threats, vulnerabilities, and events to help protect the critical infrastructure of the United States. PDD-63 was updated in 2003 with Homeland Security Presidential Directive 7 (HSPD-7) to reaffirm the partnership mission.

The National Infrastructure Protection Plan (NIPP) -- NIPP 2013: Partnering for Critical Infrastructure Security and Resilience -- outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes. NIPP 2013 represents an evolution from concepts introduced in the initial version of the NIPP released in 2006 and revised in 2009. The National Plan is streamlined and adaptable to the current risk, policy, and strategic environments. It provides the foundation for an integrated and collaborative approach to achieve the vision of: "[a] Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened."

NIPP 2013 meets the requirements of Presidential Policy Directive-21 (PPD-21) : Critical Infrastructure Security and Resilience, signed in February 2013. The Plan was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and from all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on 

What does the Auto-ISAC stand for?

Automotive Information Sharing and Analysis Center.

What is the Auto-ISAC?

Auto-ISAC was formed in August 2015 by automakers to establish a global information sharing community to address vehicle cybersecurity risks. Auto-ISAC operates a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to the connected vehicle.

Currently, Auto-ISAC Members account for more than 99 percent of light-duty vehicles in North America, with over 30 global OEM and supplier Members. Building upon the success of this collaboration, Auto-ISAC recently expanded membership to heavy trucking OEMs and their suppliers, as well as the commercial vehicle sector—including fleets and carriers.

How long has the Auto-ISAC existed?

In 2015, 14 light-duty vehicle OEMs decided to come together to charter the formation of Auto-ISAC. Our prospectus acknowledged the international nature of the automotive industry and included participation of global international Members. Auto-ISAC was incorporated in August 2015 and became fully operational in January 2016. In 2016, we expanded our scope to allow light- and heavy-duty vehicle suppliers and heavy-duty vehicle OEMs as Members. In 2017, we once again expanded membership to include the Commercial Vehicle sector—including fleets and carriers.

Who manages the Auto-ISAC?

Auto-ISAC Board of Directors governs Auto-ISAC, and is comprised of leaders from across the automotive sector. There are currently 15 OEMs on the Board of Directors, as well as four non-OEM representatives. There is an Affiliate Advisory Board composed of our Gold and Platinum non-OEM Members. The Affiliate Chair and Vice Chair serve on the Board. Auto-ISAC Officers include a Chair, Vice Chair, Treasurer, and Secretary. The Executive Committee includes all four officer plus the Chair of the Affiliate Advisory Board. There is an Executive Director who manages the daily operations and is responsible for implementing Auto-ISAC mission and vision. Auto-ISAC also has an Operations Manager, Intelligence Coordinator, Recruiting Specialist and Systems Administrator, and we anticipate expanding our staffing over the next few years as the program matures

Who are the members of the Auto-ISAC?

  • Aisin
  • Allison Transmission
  • Analog Devices
  • Aptiv
  • AT&T
  • BMW Group
  • Bosch
  • Calsonic Kansei Corp
  • Continential
  • Cummins
  • Denso
  • FCA
  • Ford
  • Garrett
  • General Motors
  • Geotab
  • Harman
  • Hitachi
  • Honda
  • Hyundai
  • Infineon
  • Intel
  • Kia
  • Lear
  • LGE
  • LG Electronics
  • Magna
  • Mazda
  • Mercedes-Benz
  • Mitsubishi Electric
  • Mitsubishi Motors
  • Mobis
  • Navistar
  • Nissan
  • NXP
  • PACCAR
  • Panasonic
  • Subaru
  • Sumitomo
  • Toyota
  • Veoneer
  • Volkswagen
  • Volvo Cars
  • Volvo Group North America
  • Waymo
  • ZF

Membership

Why join the Auto-ISAC?

Auto-ISAC provides a unique global information sharing community to promote vehicle cybersecurity. Auto-ISAC is a forum for connected vehicle ecosystem stakeholders to securely share cyber information and analysis, and to collaborate to enhance their vehicle cyber capabilities. Auto-ISAC operates as a central hub for sharing, tracking and analyzing intelligence about potential cyber threats, vulnerabilities and incidents related to the connected vehicle; its secure intelligence sharing Portal allows Members to anonymously submit and receive information that helps them more effectively respond to cyber threats. In addition to intelligence sharing, Auto-ISAC is committed to enhancing Members’ vehicle cyber capabilities through workshops, information exchange events, summits, and exercises. We also have a Working Group focused on developing Best Practices for the industry. In 2016, we published our Automotive Cybersecurity Best Practices Executive Summary, which outlines Auto-ISAC’s informational guides that cover organizational and technical aspects of vehicle cybersecurity, including incident response, collaboration and engagement with appropriate third parties, governance, risk management, security by design, threat detection and protection, training and awareness.

What does the Auto-ISAC do?

Auto-ISAC is a unique community of practice for relevant security information sharing for the auto industry. Auto-ISAC enhances the ability of the automotive industry to prepare for and respond to security threats, vulnerabilities, and incidents so that connected vehicle ecosystem stakeholders can best manage their business risks.

Auto-ISAC gathers and disseminates information about cybersecurity risks facing connected vehicles around the world. Sources of information include Members, government agencies, academic sources, vendors, open source and other trusted sources. After analysis by our industry experts, we package the information into intelligence reports and share via our secure Auto-ISAC Portal.

In addition to our intelligence capability, Auto-ISAC conducts workshops, information exchange events, summits, and exercises. We are also working to develop a series of Best Practice Guides that cover organizational and technical aspects of vehicle cybersecurity, including incident response, collaboration and engagement with third parties, governance, risk management, security by design, threat detection and protection, training and awareness.

What is the cost to join?

Pricing for full membership varies depending on the revenue of the potential member. We also have a Strategic Partnership Program for solution providers, associations, academia/ and researchers. Please contact us for more details.

What information is provided to members on a cyber event?

Though alerts are unique to each event, they generally include a description of the threat or vulnerability, an assessment of severity and impact, and solutions for mitigation or future prevention.

How is the Auto-ISAC funded?

The Auto-ISAC is funded through membership dues, events, and support from members and partners.

Best Practices

What are the Best Practices?

The Automotive Cybersecurity Best Practices capture key considerations connected vehicle ecosystem stakeholders can consider when designing and operating their vehicle cybersecurity programs.

In July 2016, Auto-ISAC published an Executive Summary that captured high-level insights on Best Practices for automotive cybersecurity. We are now working through a series of seven Best Practice Guides that offer focused insights and implementation considerations for each of the functional areas identified in the Executive Summary. The seven functional topics are:

  1. Incident response
  2. Collaboration and engagement with appropriate third parties
  3. Governance
  4. Risk management
  5. Security by design
  6. Threat detection and protection
  7. Awareness and training

The Executive Summary and each of the Best Practice Guides are:

  • Not Required. Organizations have the autonomy and ability to select and voluntarily adopt practices based on their respective risk landscapes.
  • Aspirational. These practices are forward-looking, and voluntarily implemented over time, as appropriate.
  • Living. Auto-ISAC plans to periodically update this Guide to adapt to the evolving automotive cybersecurity landscape.

Why is the auto industry developing Best Practices for vehicle cybersecurity?

As advanced technology brings new capabilities and features to cars and trucks, stakeholders across the connected vehicle ecosystem are working to mitigate safety and privacy risks that could arise as a result of cyber threats or vulnerabilities. The Best Practices provide guidance as the industry moves forward on cybersecurity. The development of Best Practices and the formation of the Automotive Information Sharing and Analysis Center (“Auto-ISAC”) demonstrate the industry’s commitment to staying ahead of cyber challenges.

What topics do the Best Practices cover?

The Best Practices cover seven areas that impact connected vehicle cybersecurity. The areas are:

  1. Governance
  2. Risk assessment and management
  3. Security by design
  4. Threat detection and protection
  5. Incident response
  6. Awareness and training
  7. Collaboration and engagement with appropriate third parties

How do the Best Practices compare to similar efforts?

The Best Practices strongly align to guidance released by NHTSA and other relevant government agencies. They also align to cyber standards and frameworks created by the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), SAE International, and other standards bodies; and are tailored to address connected vehicle cybersecurity challenges. However, our Best Practices are not intended to be used as standards; they are aspirational, not required, living documents.

What is the Best Practices’ scope?

The Best Practices are written for OEMs, suppliers and the commercial vehicle sector, and may be applicable to broader connected vehicle ecosystem stakeholders (e.g. dealers, aftermarket suppliers).

The Best Practices are aspirational—providing forward-looking considerations to prepare for future challenges. They do however, also consider steps that can be taken now to secure today’s vehicles. Automakers are committed to continuously improving the Best Practices to address ever-changing cyber threats.

What level of detail do the Best Practices provide?

The Best Practices Working Group is developing a series of work products at two different levels of detail:

  • An Executive Summary (released in July 2016) that provides a high-level overview of the Best Practices to-date.
  • Seven Best Practice Guides that provide implementation guidance for the seven functional areas identified in the Executive Summary.

The Executive Summary is publicly available on the Auto-ISAC website. Access to the Best Practice Guides is currently limited to Auto-ISAC Members.

Will Auto-ISAC be releasing the full set of Best Practices and implementation guides? If so, when will they be released?

The Auto-ISAC has released the Best Practices Executive Summary to offer non-members initial guidance to enhance their vehicle cybersecurity, and to provide consumers with insight into the industry’s ongoing collaboration to enhance vehicle cybersecurity.
There are two Best Practices Guides available to the public: Incident Response and Third Party Collaboration and Engagement. As other Guides are finalized, we will update this website to provide release information.

To whom are automakers accountable for following the Best Practices?

The Best Practices are not prescriptive and do not form a compliance framework or assessment. Adoption of any Practices is voluntary. The Best Practices are designed as aspirational considerations for organizations to tailor implementation to their unique risk landscape, systems, services, and organizational structures. Ultimately, our Members are committed to protecting consumers, and they may consult the Best Practices for ideas to design and operate a program that best fits their unique risk landscape.

When will automakers achieve these Best Practices?

The Best Practices are aspirational and will evolve over time to match the dynamic nature of the cyber landscape. Automakers, suppliers and commercial vehicle companies intend to use the Best Practices to guide the continuous improvement of their cyber posture, rather than to “check the box” against a static set of criteria. The Best Practices are living documents that will be periodically refreshed to allow for nimble and flexible cybersecurity advancements that match the speed of emerging technologies.

Other Questions

If I'm not a Member, can I still submit information to Auto-ISAC?

Although Auto-ISAC is not a coordinated disclosure or bounty-based organization, anyone can submit information to Auto-ISAC. Automotive cyber security researchers, academia and enthusiasts welcome. Contact us to tell us a little about yourself and submission topic and your discovery could end up as part of an Auto-ISAC Intelligence Report!

Who has access to the data that I submit?

Members have access to data for research and investigations. Our analysts use the database to establish trends, do research and investigations. Members can determine what data is shared when they submit. A key attribute of Auto-ISAC is the confidentiality that can be provided to the member if they choose to remain anonymous. All information shared is anonymized unless attributed by the Member. This is a voluntary process with the default being anonymization. Auto-ISAC Intelligence Coordinator works directly with each Member if there is an issue or concern and supports each Member if there are any questions about their submission of data.

Can the Government access the data that I submit?

No government agency or law enforcement has access to Member-submitted data without prior approval of the submitting Member. Auto-ISAC will provide appropriate government departments with sanitized data on a need-to-know basis and with approval of the Member submitting the data. The goal is to ensure all Member data is anonymized unless Members approve to self-identify.