Information Sharing and Analysis Centers (ISACs) were created as a result of Presidential Decision Directive 63 (PDD-63) in 1998. The directive requested the public and private sector create a partnership to share information about threats, vulnerabilities, and events to help protect the critical infrastructure of the United States. PDD-63 was updated in 2003 with Homeland Security Presidential Directive 7 (HSPD-7) to reaffirm the partnership mission.

The National Infrastructure Protection Plan (NIPP) -- NIPP 2013: Partnering for Critical Infrastructure Security and Resilience -- outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes. NIPP 2013 represents an evolution from concepts introduced in the initial version of the NIPP released in 2006 and revised in 2009. The National Plan is streamlined and adaptable to the current risk, policy, and strategic environments. It provides the foundation for an integrated and collaborative approach to achieve the vision of: "[a] Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened."

NIPP 2013 meets the requirements of Presidential Policy Directive-21 (PPD-21) : Critical Infrastructure Security and Resilience, signed in February 2013. The Plan was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and from all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on outcomes.

Automotive Information Sharing and Analysis Center.

Auto-ISAC was formed in August 2015 by automakers to establish a global information sharing community to address vehicle cybersecurity risks. Auto-ISAC operates a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to the connected vehicle.

Currently, Auto-ISAC Members account for more than 99 percent of light-duty vehicles in North America, with over 70 global OEM and supplier Members. Building upon the success of this collaboration, Auto-ISAC recently expanded membership to heavy trucking OEMs and their suppliers, as well as the commercial vehicle sector—including fleets and carriers.

In 2015, 14 light-duty vehicle OEMs decided to come together to charter the formation of Auto-ISAC. Our prospectus acknowledged the international nature of the automotive industry and included participation of global international Members. Auto-ISAC was incorporated in August 2015 and became fully operational in January 2016. In 2016, we expanded our scope to allow light- and heavy-duty vehicle suppliers and heavy-duty vehicle OEMs as Members. In 2017, we once again expanded membership to include the Commercial Vehicle sector—including fleets and carriers.

Auto-ISAC Board of Directors governs Auto-ISAC and is comprised of leaders from across the automotive sector and includes OEM's, Suppliers, Affinity Groups, and Regions. Currently, the Auto-ISAC Board is comprised of greater than 50% Designated Representatives of OEMs and greater than or equal to 30% Designated Representatives of non-OEMs resulting in total of 10 Board seats. The Board seats includes four (4) Officers- Chair, Vice Chair, Secretary, Treasurer, the Chair of each Affinity Groups (2)- Supplier Affinity Group (SAG), Commercial Vehicle Affinity Group (CAG), the Chair of each Regional Steering Committee (1) and three (3) At-Large Directors. Board of Directors serves 2-year terms and elections are held every 2-years.

The Board of Directors is the governing body of the Auto-ISAC and manages organizational strategy, oversight, and accountability.

There is an Executive Director who manages the daily operations and is responsible for implementing Auto-ISAC mission and vision.

In 2021, a European Regional Director was appointed to establish a regional Auto-ISAC presence in Europe by shepherding close coordination and alignment with European-based Auto-ISAC members and other automotive companies. This included crafting alliances with key partners including the European Automobile Manufacturer Association (ACEA) and the European Association of Automotive Suppliers (CLEPA), as well as government agencies such as the European Union Agency for Cybersecurity (ENISA).

A list of current members is available here.

Auto-ISAC provides a unique global information sharing community to promote vehicle cybersecurity. Auto-ISAC is a forum for connected vehicle ecosystem stakeholders to securely share cyber information and analysis, and to collaborate to enhance their vehicle cyber capabilities. Auto-ISAC operates as a central hub for sharing, tracking and analyzing intelligence about potential cyber threats, vulnerabilities and incidents related to the connected vehicle; its secure intelligence sharing Portal allows Members to anonymously submit and receive information that helps them more effectively respond to cyber threats. In addition to intelligence sharing, Auto-ISAC is committed to enhancing Members’ vehicle cyber capabilities through workshops, information exchange events, summits, and exercises. We also have a Working Group focused on developing Best Practices for the industry. In 2016, we published our Automotive Cybersecurity Best Practices Executive Summary, which outlines Auto-ISAC’s informational guides that cover organizational and technical aspects of vehicle cybersecurity, including incident response, collaboration and engagement with appropriate third parties, governance, risk management, security by design, threat detection and protection, training and awareness.

Auto-ISAC is a unique community of practice for relevant security information sharing for the auto industry. Auto-ISAC enhances the ability of the automotive industry to prepare for and respond to security threats, vulnerabilities, and incidents so that connected vehicle ecosystem stakeholders can best manage their business risks.

Auto-ISAC gathers and disseminates information about cybersecurity risks facing connected vehicles around the world. Sources of information include Members, government agencies, academic sources, vendors, open source and other trusted sources. After analysis by our industry experts, we package the information into intelligence reports and share via our secure Auto-ISAC Portal.

In addition to our intelligence capability, Auto-ISAC conducts workshops, information exchange events, summits, and exercises. We are also working to develop a series of Best Practice Guides that cover organizational and technical aspects of vehicle cybersecurity, including incident response, collaboration and engagement with third parties, governance, risk management, security by design, threat detection and protection, training and awareness.

Pricing for full membership varies depending on the revenue of the potential member. We also have a Strategic Partnership Program for solution providers, associations, academia/ and researchers. Please contact us for more details.

Though alerts are unique to each event, they generally include a description of the threat or vulnerability, an assessment of severity and impact, and solutions for mitigation or future prevention.

The Auto-ISAC is funded through membership dues, events, and support from members and partners.

The Automotive Cybersecurity Best Practices capture key considerations connected vehicle ecosystem stakeholders can consider when designing and operating their vehicle cybersecurity programs.

In July 2016, Auto-ISAC published an Executive Summary that captured high-level insights on Best Practices for automotive cybersecurity. We are now working through a series of seven Best Practice Guides that offer focused insights and implementation considerations for each of the functional areas identified in the Executive Summary. The seven functional topics are:

1. Incident Response

2. Collaboration & Engagement with Appropriate 3rd Parties

3. Governance

4. Risk Assessment & Management

5. Awareness & Training

6. Threat Detection, Monitoring & Analysis

7. Security Development Lifecycle

The Executive Summary and each of the Best Practice Guides are:

• Not Required. Organizations have the autonomy and ability to select and voluntarily adopt practices based on their respective risk landscapes and organizational structures.

• Aspirational. These practices are forward-looking, and voluntarily implemented over time, as appropriate.

• Living. The Auto-ISAC plans to periodically update this Executive Summary and Best Practices content to adapt to the evolving automotive cybersecurity landscape.

As advanced technology brings new capabilities and features to cars and trucks, stakeholders across the connected vehicle ecosystem are working to mitigate safety and privacy risks that could arise as a result of cyber threats or vulnerabilities. The Best Practices provide guidance as the industry moves forward on cybersecurity. The development of Best Practices and the formation of the Automotive Information Sharing and Analysis Center (“Auto-ISAC”) demonstrate the industry’s commitment to staying ahead of cyber challenges.

The Best Practices cover seven areas that impact connected vehicle cybersecurity. The areas are:

1. Incident Response

2. Collaboration & Engagement with Appropriate 3rd Parties

3. Governance

4. Risk Assessment & Management

5. Awareness & Training

6. Threat Detection, Monitoring & Analysis

7. Security Development Lifecycle

The Best Practices strongly align to guidance released by NHTSA and other relevant government agencies. They also align to cyber standards and frameworks created by the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), SAE International, and other standards bodies; and are tailored to address connected vehicle cybersecurity challenges. However, our Best Practices are not intended to be used as standards; they are aspirational, not required, living documents.

The Best Practices are written for OEMs, suppliers and the commercial vehicle sector, and may be applicable to broader connected vehicle ecosystem stakeholders (e.g. dealers, aftermarket suppliers).

The Best Practices are aspirational—providing forward-looking considerations to prepare for future challenges. They do however, also consider steps that can be taken now to secure today’s vehicles. Automakers are committed to continuously improving the Best Practices to address ever-changing cyber threats.

The Best Practices Working Group is developing a series of work products at two different levels of detail:

• An Executive Summary (released in July 2016) that provides a high-level overview of the Best Practices to-date.

• Seven Best Practice Guides that provide implementation guidance for the seven functional areas identified in the Executive Summary.

The Executive Summary is publicly available on the Auto-ISAC website. Access to the Best Practice Guides is currently limited to Auto-ISAC Members.

The Best Practices are not prescriptive and do not form a compliance framework or assessment. Adoption of any Practices is voluntary. The Best Practices are designed as aspirational considerations for organizations to tailor implementation to their unique risk landscape, systems, services, and organizational structures. Ultimately, our Members are committed to protecting consumers, and they may consult the Best Practices for ideas to design and operate a program that best fits their unique risk landscape.

The Best Practices are aspirational and will evolve over time to match the dynamic nature of the cyber landscape. Automakers, suppliers and commercial vehicle companies intend to use the Best Practices to guide the continuous improvement of their cyber posture, rather than to “check the box” against a static set of criteria. The Best Practices are living documents that will be periodically refreshed to allow for nimble and flexible cybersecurity advancements that match the speed of emerging technologies.

Although Auto-ISAC is not a coordinated disclosure or bounty-based organization, anyone can submit information to Auto-ISAC. Automotive cyber security researchers, academia and enthusiasts welcome. Contact us to tell us a little about yourself and submission topic and your discovery could end up as part of an Auto-ISAC Intelligence Report!

Members have access to data for research and investigations. Our analysts use the database to establish trends, do research and investigations. Members can determine what data is shared when they submit. A key attribute of Auto-ISAC is the confidentiality that can be provided to the member if they choose to remain anonymous. All information shared is anonymized unless attributed by the Member. This is a voluntary process with the default being anonymization. Auto-ISAC Intelligence Coordinator works directly with each Member if there is an issue or concern and supports each Member if there are any questions about their submission of data.

No government agency or law enforcement has access to Member-submitted data without prior approval of the submitting Member. Auto-ISAC will provide appropriate government departments with sanitized data on a need-to-know basis and with approval of the Member submitting the data. The goal is to ensure all Member data is anonymized unless Members approve to self-identify.

You can learn more about the Automotive Cybersecurity Training (ACT) Program by either selecting the menu button to the left and selecting ACT or you can check out this link.