Vehicle Security Operations Center (VSOC) and traditional SOC: the same but different

It's finally time for automotive cybersecurity to shine. The impending introduction of new regulations and standards, together with the expanding scale of automotive cyberattacks, is pushing the world's leading OEMs to prioritize the establishment of cybersecurity operations. OEMs are rising to the challenge: many are already operating, or in the process of establishing, Vehicle Security Operations Centers (VSOCs).

There's nothing new about the VSOC, except for the V in the acronym. The holy trinity of the SOC (people, process and technology) that keeps IT systems safe and secure applies equally to the VSOC.

        People operate the actual centers, using processes and playbooks that give them precise instructions on how they should respond to different scenarios. Finally, technologies such as artificial intelligence and machine learning reduce the burden on SOC personnel by automating manual processes and reducing information overload.

1. Whose SOC is it?

        The introduction of VSOC raises new questions about organizational ownership. CISOs claim that their existing SOCs can extend beyond IT to incorporate cybersecurity into automotive products. On the other hand, the product security team tasked with embedding strong cyber defenses in the vehicle development process argues that VSOC extends their jurisdiction into post-production and wants this new capability under their authority.

In fact, while automotive cybersecurity and IT cybersecurity share many similarities, I believe they should be treated as distinct functions. While the holy trinity still holds true in a VSOC, the people, processes and technologies that make it run are different from those used to run an IT SOC. For this reason—and others we'll dive into shortly—VSOCs should be operated by experts versed in vehicle product security.

2. Five reasons why the VSOC should be separated from the IT SOC

The way connected vehicles are built and operated is fundamentally different from IT systems, which requires a different approach to ongoing, post-production monitoring and incident response.

1. Non-overlapping domains: Vehicle systems are fundamentally different from IT systems. They rely on embedded systems with their own technology ecosystems, such as special hardware architectures and different operating systems, including real-time operating systems for mission-critical components. This creates a huge knowledge gap that prevents an IT SOC program from simply taking on VSOC duties. Furthermore, while one might think that IT cybersecurity experts could easily be retooled for automotive cybersecurity, this is not the case. A Tier 1 or even Tier 2 security analyst can handle both IT SOC and VSOC work if the right playbooks and technology are available. However, the key Tier 3 Product Security Incident Response Teams (PSIRTs), responsible for understanding the protocols, operating systems, hardware architectures and threats of the automotive domain, are highly specialized. It is highly unlikely, if not entirely impossible, to find talent with relevant expertise in both fields.

2. Different cyber risks: 90% of IT cyber attacks are phishing attempts; the threat map for connected vehicles, however, is much more complex, including ransomware and DoS attacks. What's more, the technical attack vectors differ significantly between the two domains, as does the potential impact of a successful attack.

3. Incompatible threat intelligence sources: Threat intelligence sources provide a wealth of expertise on known attack vectors and the mitigations that should be taken. In the IT world there is a strong community of networking and security professionals who share knowledge with one another (for example, through the MITRE ATT&CK framework). However, these sources of intelligence are not specific to the automotive industry; automotive-centric sources such as Auto-ISAC provide more relevant intelligence.

4. Incident response: Forced patching (security updates deployed specifically to eliminate vulnerabilities) is a standard remediation technique for IT SOCs. In the automotive industry, where vehicles are only connected while they are actually running, this technique is only feasible through integration with external systems that support over-the-air (OTA) updates. Furthermore, while an organization has the right to deploy patches to its own proprietary IT systems and equipment, this does not apply when the patches must be applied to systems that are now owned by private consumers.

5. IT environments are built to handle big data: In IT networks, near-infinite bandwidth means there is little financial cost to continuously sending, storing and processing large volumes of data. Nodes have "dumb" agents installed that push large amounts of raw data and logs to the SIEM. That approach isn't feasible in the automotive industry: tens of millions of connected cars reach the cloud over costly cellular data, and each car generates an average of 25 gigabytes of data per hour. This problem can be solved by adding intelligence to the vehicle so that only critical and relevant data is pushed out.
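The in-vehicle filtering the previous point describes, as an added example that is not part of the original article: a small Python policy that turns a constructed ten-second CAN capture into a handful of security events plus per-ID counters, instead of shipping every frame over cellular. The bus names, CAN IDs, rate ceilings, diagnostic request IDs and the sample frames are all assumptions made up for the example.

```python
"""In-vehicle telemetry filtering: upload security-relevant events, not raw frames.

Added example, not code from the article. Bus names, CAN IDs, rate ceilings,
diagnostic request IDs and the sample frames are all constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t_ms: int      # milliseconds since ignition on
    bus: str       # CAN bus the frame was seen on
    can_id: int    # arbitration ID
    data: bytes    # payload, up to 8 bytes for classic CAN


# Constructed policy: which IDs are expected on each bus and how often per second.
EXPECTED_IDS = {"powertrain": {0x0C0, 0x1A0, 0x2F0}, "body": {0x300, 0x310}}
MAX_RATE_PER_SEC = {0x0C0: 100, 0x1A0: 50, 0x2F0: 20, 0x300: 10, 0x310: 10}
# Constructed: OBD-style IDs used for diagnostic (UDS) requests; a diagnostic
# request while driving is rare enough that every one is worth reporting.
DIAG_REQUEST_IDS = {0x7DF, 0x7E0}


def classify(frames):
    """Split raw frames into (events, summary).

    events  : individual records worth uploading immediately
    summary : per-bus, per-ID frame counts, uploaded once per window in place
              of the raw frames they describe
    """
    events = []
    summary = defaultdict(Counter)
    per_second = defaultdict(Counter)  # (bus, can_id) -> second -> frames seen

    for f in frames:
        summary[f.bus][f.can_id] += 1
        if f.can_id in DIAG_REQUEST_IDS:
            # ISO-TP single frame: byte 0 is the length, byte 1 the UDS service ID
            service = f.data[1] if len(f.data) > 1 else None
            events.append({"type": "diag_request", "t_ms": f.t_ms, "bus": f.bus,
                           "can_id": f.can_id, "service": service})
            continue
        if f.can_id not in EXPECTED_IDS.get(f.bus, set()):
            events.append({"type": "unexpected_id", "t_ms": f.t_ms, "bus": f.bus,
                           "can_id": f.can_id})
            continue
        per_second[(f.bus, f.can_id)][f.t_ms // 1000] += 1

    # Rate check: one event per (ID, second) that exceeded its ceiling, not one per frame.
    for (bus, can_id), seconds in per_second.items():
        ceiling = MAX_RATE_PER_SEC[can_id]
        for sec, n in sorted(seconds.items()):
            if n > ceiling:
                events.append({"type": "rate_exceeded", "t_ms": sec * 1000, "bus": bus,
                               "can_id": can_id, "count": n, "ceiling": ceiling})

    return events, {bus: dict(counts) for bus, counts in summary.items()}


def sample_frames():
    """Constructed ten-second capture: normal traffic plus three anomalies."""
    frames = [Frame(sec * 1000 + i * 10, "powertrain", 0x0C0, bytes(8))
              for sec in range(10) for i in range(100)]        # 100/s, within ceiling
    frames += [Frame(3000 + i * 5, "powertrain", 0x1A0, b"\x01" * 8)
               for i in range(150)]                            # 150 in second 3, ceiling is 50
    frames.append(Frame(5000, "body", 0x123, b"\xff"))         # ID never expected on the body bus
    frames.append(Frame(7000, "powertrain", 0x7DF, bytes([0x02, 0x10, 0x03])))  # UDS 0x10 DiagnosticSessionControl
    return frames


if __name__ == "__main__":
    frames = sample_frames()
    events, summary = classify(frames)
    counters = sum(len(c) for c in summary.values())
    print(f"{len(frames)} raw frames -> {len(events)} events + {counters} counters")
    for e in events:
        print(e)
```

The reduction comes from two rules: traffic that matches the expected-ID list is collapsed into a counter, and rate violations are reported once per ID and second rather than once per frame. In a real vehicle the policy would be derived from the model's communication matrix and tuned per ECU; what the example shows is the shape of the decision the vehicle has to make before it spends cellular bandwidth.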

3. Main point: upgrade the SOC to a VSOC

A well-designed VSOC will also include the following features:

1. Automotive situational awareness: The VSOC must be able to understand threats in the vehicle's context, its complex architecture and its unique technology ecosystem. This is where cyber digital twin (CDT) technology can be leveraged to quickly assess the exploitability and severity of threats, minimize irrelevant alerts and enable rapid root cause analysis in the event of a true security incident.

2. Integrated response: Closing the security loop quickly and efficiently requires integrating the VSOC with asset management systems, OTA update systems, the SIEM, telematics data from vehicles (if available) and so on.

3. Impact analysis: The potentially catastrophic consequences and high risks associated with vehicle security issues require timely analysis of each threat across the organization to determine the impact on other vehicles and components and to prevent vulnerabilities from becoming incidents. Here, too, CDT can come into play by expediting impact analysis across the entire asset base.
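Impact analysis across the asset base, as an added example that is not code from the article or from any digital twin product: given a constructed fleet inventory (vehicles, their ECUs and the software components each ECU carries) and a placeholder advisory, the Python below lists which models and VINs contain the vulnerable component version and whether the affected ECU is externally reachable, which is the first thing a VSOC analyst needs in order to set urgency. All ECU names, component versions, VINs and the advisory itself are constructed.

```python
"""Fleet-wide impact analysis for a vulnerable software component.

Added example, not code from the article or from any CDT product. The fleet,
ECU names, component versions and the advisory are constructed; the VINs and
advisory id are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Ecu:
    name: str
    externally_reachable: bool   # has a cellular, Wi-Fi or Bluetooth interface
    components: tuple


@dataclass(frozen=True)
class Vehicle:
    vin: str
    model: str
    ecus: tuple


def parse_version(v):
    """'1.2.10' -> (1, 2, 10) so that comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component, advisory):
    """True when the component is the advisory's component at a version below the fix."""
    return (component.name == advisory["component"]
            and parse_version(component.version) < parse_version(advisory["fixed_in"]))


def impact_analysis(fleet, advisory):
    """Map an advisory onto the fleet.

    Returns {model: {"vins": [...], "ecus": [...], "exposure": "direct"|"indirect"}}
    where exposure is "direct" if any affected ECU in that model has an external
    interface (reachable without first compromising another ECU).
    """
    by_model = defaultdict(lambda: {"vins": [], "ecus": set(), "exposure": "indirect"})
    for v in fleet:
        hit_ecus = [e for e in v.ecus if any(is_affected(c, advisory) for c in e.components)]
        if not hit_ecus:
            continue
        entry = by_model[v.model]
        entry["vins"].append(v.vin)
        entry["ecus"].update(e.name for e in hit_ecus)
        if any(e.externally_reachable for e in hit_ecus):
            entry["exposure"] = "direct"
    return {m: {"vins": d["vins"], "ecus": sorted(d["ecus"]), "exposure": d["exposure"]}
            for m, d in by_model.items()}


def affected_vehicle_count(report):
    return sum(len(d["vins"]) for d in report.values())


def sample_fleet():
    """Constructed inventory: two affected models, one already on a fixed version."""
    tls_old = Component("tls-lib", "1.2.1")
    tls_fixed = Component("tls-lib", "1.2.4")
    tls_new = Component("tls-lib", "1.3.0")
    tcu = Ecu("TCU", True, (tls_old, Component("modem-fw", "4.0")))
    ivi = Ecu("IVI", True, (tls_fixed,))
    gateway = Ecu("GW", False, (Component("tls-lib", "1.1.9"),))
    bcm = Ecu("BCM", False, (Component("lin-stack", "2.2"),))
    return [
        Vehicle("VIN-A-0001", "Model-A", (tcu, ivi)),
        Vehicle("VIN-A-0002", "Model-A", (tcu, ivi)),
        Vehicle("VIN-B-0001", "Model-B", (gateway, bcm)),
        Vehicle("VIN-C-0001", "Model-C", (Ecu("TCU", True, (tls_new,)),)),
    ]


# Placeholder advisory: the component name and fixed version are constructed.
SAMPLE_ADVISORY = {"id": "ADVISORY-PLACEHOLDER", "component": "tls-lib", "fixed_in": "1.2.4"}


if __name__ == "__main__":
    report = impact_analysis(sample_fleet(), SAMPLE_ADVISORY)
    print(f"{affected_vehicle_count(report)} vehicles affected")
    for model, detail in report.items():
        print(model, detail)
```

The useful output is not the vehicle count alone but the split by model and exposure: Model-A carries the flaw in an externally reachable telematics unit and needs an OTA fix first, while Model-B carries it only in an internal gateway, so the same advisory maps to two different response priorities.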

No matter where you see the VSOC in the corporate hierarchy, ensuring that automotive domain experts, processes and technology are in place is critical to success.

Origin blog.csdn.net/qq_18209847/article/details/130528018