
Ben Lane, CIPRNA event manager, met Faye Francy, who serves as the Executive Director of the Automotive Information Sharing and Analysis Center (Auto-ISAC).
Auto-ISAC is an industry-driven community designed to share and analyze intelligence about emerging cybersecurity risks to the vehicle, and to collectively enhance vehicle cybersecurity capabilities across the global automotive industry, including light- and heavy-duty vehicle OEMs, suppliers and the commercial vehicle sector.
This is a transcript of their conversation.
Ben Lane:
Hello Faye, good to have you here today. You will be joining us in Houston for CIPRNA 2025, where you will be speaking at the Transport Sector Symposium (see more at https://ciprna-expo.com/session/transport-sector-symposium/). We look forward to hearing what you have to say. In the meantime, we have a few questions about your organization and its operations as a precursor to the conference in Houston, March 11-13, 2025.
Faye Francy:
Thank you and good to meet you.
Ben Lane:
Can you briefly describe what led you to where you are now?
Faye Francy:
I worked most of my career at Boeing and retired in 2016 after I had built the Aviation ISAC. And from there I was contacted by the automotive industry to come and do the same here. So here I am!
Ben Lane:
Okay, that is great. Can you give us a brief overview of the Auto-ISAC? Where does it fit in terms of critical infrastructure?
Faye Francy:
The Auto-ISAC is a nonprofit organization focused on enhancing the cybersecurity resilience of the global automotive industry. It serves as a central hub, where automakers, suppliers, and connected vehicle manufacturers collaborate to share critical cybersecurity information, develop best practices, and foster collective defense strategies.
The ISAC model is sanctioned by the Department of Homeland Security, CISA – Cybersecurity and Infrastructure Security Agency. We have a cooperative agreement with the U.S. government to perform this mission. We have eighty member companies that are actively participating in sharing information in this collaboration.
And within the critical infrastructure, the Auto-ISAC is part of the Transportation Systems Sector, which is one of the sixteen (16) sectors that have been designated by DHS as critical infrastructure. This sector is vital for the secure and efficient movement of goods, services, and people, making its security vital to economic stability and of course national security.
The Auto-ISAC efforts directly contribute to the safety and security, as well as the resiliency of the automotive ecosystem. As vehicles become more connected and autonomous, their exposure to cyber threats and risks increases, elevating the need for coordinated response, again, across the industry.
We serve as a bridge between the automotive industry, private sector, as well as the government. We play a very pivotal role in aligning the sector with broader critical infrastructure protection efforts, ensuring safety and resilience across the connected transportation sector and across all sixteen sectors. We participate in the National Council of ISACs (NCI) as one of its members. And we share our information with them as they do with us, daily.
Ben Lane:
Any other areas of collaboration and information sharing you would like to pick up on?
Faye Francy:
We collaborate across a number of different initiatives in the industry that support building a more secure and resilient automotive environment. We have a secure information sharing portal that we maintain for our membership. And that portal helps folks share threat intelligence, vulnerabilities, and mitigation strategies in near real time. This helps to foster transparency as well as proactively manage risk.
In addition to that very foundational element, we also have working groups and committees that specialize in doing what the members feel that they need. For instance, we have product and IT/OT working groups, an educational and training standing committee, and many others that enable subject matter experts to address and collaborate on common challenges.
For instance, one of the areas that we focused on is developing an automotive SBOM, Software Bill of Materials, and finding a common way to support the approach to building automotive SBOMs. Additionally, we are developing an automotive attack threat matrix similar to what MITRE has done. And so, the working groups and committees develop these tools for our members to use. And when ready, we also share these tools with the wider industry.
And lastly, I will mention our best practice guides. We developed seven best practice guides in 2016 and 2017 before there was the standard ISO/SAE 21434 and before WP 29 and R-155, R-156. Those best practice guides are being revamped and will be released soon to the greater community, most likely in March when we get to Houston. They will be accessible on our public website for sharing across the whole industry.
Ben Lane:
Let us move on to the supply chain and the security of the supply chain being one of your big challenges. Where does Auto-ISAC, or where do you as a team see the main threats in the supply chain?
Faye Francy:
Well, you are right. The security of the supply chain is a critical concern for the automotive industry. Not only due to its complexity but also its global nature. We have identified several key threat areas that could impact cybersecurity such as third-party vulnerabilities.
A single compromised supplier can introduce vulnerabilities that could propagate across the entire ecosystem and really have an impact. So that is number one. Then there is software and hardware integrity. With increasing reliance on connected vehicle technologies, ensuring that integrity of software and hardware components throughout the supply chain is paramount.
We also look at ransomware and cyber extortion, as you can imagine, that can happen to a small company, and they could be severely affected. Disruptions, even for one supplier, can have cascading effects on manufacturing and delivery schedules.
Of course, the one thing that keeps me up at night is the nation-state actors. Geopolitical tensions are elevated on the world stage, and they target supply chains to have an impact. It could be intellectual property theft, espionage, or sabotage and using vehicles for nefarious results.
There are also data breaches and IP theft that we all deal with daily. Supporting the smaller suppliers is something that we do work on to help them be cyber vigilant and resilient. And so, supporting them and how they can address breaches at any point, whether it is intellectual property, or competitive disadvantages is a must.
We try to address all these challenges by fostering collaboration, so we know what is happening. If they are hitting one, they are more than likely hitting more than one. And then through the efforts of sharing threat intelligence, we try to deliver and tailor best practices for third-party risk management.
We are also just standing up a third-party risk, enterprise cybersecurity working group. This group is going to focus on the enterprise, but we hope that this activity will also build best practices across the board for all of our supply chain.
Ben Lane:
How is the sector coping with the current skill shortage? And how are you dealing with that as an organization?
Faye Francy:
Well, it is industry wide. It is cross industries as well, but this challenge is particularly pressing given the rapid digitization and connectivity of vehicles. And that really requires specialized expertise in embedded systems and engineering.
We are building numerous strategies. First one is up-skilling and training. Many organizations are investing in internal training programs to up-skill existing employees. And we have built something called the Automotive Cybersecurity Training, or ACT program. This helps equip professionals, like embedded systems engineers with the knowledge and skills to address the industry cybersecurity challenges.
We also support key activities like the Auto and Truck Challenges, and Capture the Flag events. These are programs that play a vital role in inspiring and training the next generation of cybersecurity professionals. The Capture the Flag event brings together students, educators, industry leaders, and architects to highlight the exciting career opportunities in this field.
We also collaborate with academia. We have partnerships with several universities and technical schools. And we are providing them with our ACT program. If they want to take the program that we developed, thanks to NHTSA (National Highway Safety Transportation Administration) and the Cooperative Grant, they may have the courseware at no cost! We allow them to take that and embed that into their current university program.
And cross-industry collaboration is also important, if you will, learning from others. As part of the National Council of ISACs, we can leverage some of the other industries that are a little bit more mature than we are, like financial services, to see what they have done. And we have looked at that and they have helped us tremendously in building out our program. The ISAC community is very helpful and collaborative, helping to build a stronger infrastructure.
So, the skill shortage is real. It is long-term. It is not easily fixed, but the sector recognizes the need for that training. And many of our member companies also do a great deal of training internally. Please go to our website to learn more about the ACT program.
Ben Lane:
I like the way the ISACs in North America share and help each other out for best practice. That seems like a positive thing.
Faye Francy:
Well, NCI meets monthly, and we meet in person once a quarter. I can share that anytime I have a need, I will go out to the ISACs and ask, “Hey, has anyone done this? And if so, what have you done?” And the other Directors always share their best practices and lessons learned.
NCI is a tremendous community and a great learning opportunity for me. And I would not be where I am without the National Council of ISACs and many of the directors that lead other ISACs in support, in mentoring, and in training. So, it has been a learning experience.
Ben Lane:
What do you see is going to happen in the next three to five years? There is a new government in place now, so how do you see the short- to mid-term future planning out for you as an ISAC?
Faye Francy:
That is a great question. I mean, obviously no one has that crystal ball, but I think with the change in administration, we are very curious about what that means from a regulatory perspective. Certainly, our members are focused on that. We do not engage in regulations or policy discussions, but obviously that remains a priority for governments worldwide. So, what does that mean here?
It is important for the ISAC to be prepared to help our members navigate those changes and maintain compliance.
The next trending perspective is that advancements in connected and autonomous vehicles will continue to happen over the next three to five years, albeit a bit slowed, as we have seen with EVs. We are committed to staying ahead of that curve and supporting the industry in addressing emerging threats. Continuous examination of the unique challenges of the very new technologies that are being entered into is an imperative.
We already talked about supply chain resilience, building that up. I think ISACs are the great neutralizer, in that we have large OEMs, but we also have some small, lower-level tier suppliers. We need to support both. And we can help some of those lower-level tiers that need some additional support, like best practice guidance. So, we keep that up.
Then I always get asked about AI and automation in cybersecurity. The integration of AI with machine learning will revolutionize how the industry approaches not only threat detection, incident response, and risk management. Auto-ISAC expects members to increasingly adopt these technologies while continuing to address associated risks, such as algorithmic vulnerabilities.
In this dynamic environment, Auto-ISAC remains committed to its mission of enhancing cybersecurity and resilience across the automotive sector. By staying agile and fostering collaboration, we can help members anticipate and adapt to future challenges effectively.
Ben Lane:
Great. Well, obviously you will have more time in Houston next year to explore in detail those ideas. So, we are very thankful to you today for giving us the time to introduce these topics, but there will be more to come! Thank you. See you in Houston, TX, March 11-13, 2025.
Faye Francy:
Thanks, see you next year!