Sharing is key to combating cyberthreats

DETROIT—As cyberthreats to the auto industry grow, companies need to improve communication and cooperation to avoid hacks that could grind business to a halt, executives and regulators said at the Auto-ISAC cybersecurity summit in Dearborn, Mich.

"Hackers thrive when companies aren't sharing information, when colleagues don't talk and when private and public sectors don't communicate," said Faye Francy, executive director of Automotive Information Sharing and Analysis Center, organizer of the summit.

Sharing and communicating is easier said than done in an industry so hypercompetitive. Working with rivals doesn't "come naturally" for businesses, said Ann Carlson, chief counsel for NHTSA, in an address.

"It's critical we all work together to ensure cybersecurity is a priority every step of the way," said Carlson, who is about to take over as head of NHTSA.

The industry established the center in 2015 to encourage cooperation between automakers, suppliers and vendors in addressing cyberthreats. Member companies sharing information with Auto-ISAC is critical to that mission, executives said.

Steven D'Antuono, assistant director for the FBI's Washington field office, said such partnerships are among "the biggest tools" that law enforcement has to prevent cyber attacks.

The threat has become more apparent to the industry in recent years, said Josh Davis, Toyota Motor North America's chief cybersecurity officer and chair of Auto-ISAC.

But communication between cybersecurity executives is improving as threats increasingly impact the supply chain and vehicle production, he added.

"The conversations have gotten a little easier, frankly, because we can draw directly from our own experience with suppliers being impacted," Davis said.

Last year, a large-scale cyber attack cost German supplier Eberspaecher Group about $60 million and disrupted phone and email communication among its 10,000 employees for weeks.

A majority of attacks were "black hat" incidents for the first time in 2021, meaning they were carried out by malicious actors, according to Israeli cybersecurity company Upstream Security. Previously, attacks came from "white hat" hackers working with companies looking for vulnerabilities.

The rising threat prompted NHTSA to update its voluntary guidance for new vehicles for the first time since 2016. Issued earlier this month, the guidance covers best practices related to incident response, risk mitigation and information sharing.

It only takes one attack to shatter consumer confidence, Carlson said.

Still, companies are often hesitant to share data. Before supplier Robert Bosch shares, it first must understand how the information will be used and analyze the potential cost, said Tony Serventi, Bosch legal counsel. "It won't ever be an easy analysis," he said.

There is no "silver bullet" to addressing these concerns, said Jeremy Close, cybersecurity and privacy counsel at Kia America.

"We have big targets on our backs," he said. "We operate in a very litigious environment. Everything you say outside of your company can and will be used against you."

Companies need to find the balance between being transparent and protecting secrets.

As over-the-air updates to vehicle software proliferate, they open up new revenue sources for automakers. Upstream Security CEO Yoav Levy said this creates more potential exposure points. "This needs to be more of a continuous effort and a continuous process," he said.

Upstream plans to open its first U.S. security operations center in Ann Arbor, Mich., west of Detroit, as it gears up for an expected rise in threats.

Companies should educate their employees from "the shop floor to the C-suite," said Rebecca Faerber, manufacturing cybersecurity services manager at Ford Motor Co.

"I don't pretend any of us are the same as the national electric grid, but we are critical infrastructure," she said. "And I'm concerned we would make a great test bed for a smart and well-motivated group."

National cybersecurity risks are also on the rise. As vehicles become more connected to smartphones and infrastructure, they become more attractive targets for U.S. adversaries such as China, Russia and North Korea, D'Antuono said.

"Malicious actors" in China have stolen more U.S. personal and corporate data than all other nations combined, including proprietary secrets from businesses that allow the country's state-owned companies to compete "unfairly on the global stage," said D'Antuono.

He urged cooperation and transparency between companies and the government to combat that threat.

Davis is optimistic about increasing cooperation in the industry.

"You already see the industry coming together and collaborating," he said. "We're turning that corner together."