This post was written with contributions from IBM Security’s Rob Dyson, Preston Futrell and Brett Drummond.
Let’s explore a day in the life of a vehicle security operations center (VSOC). An autonomous vehicle is transporting passengers to their destination. Inside the vehicle, they are patiently waiting to arrive at their destination and, in the meantime, are texting friends, completing some work and listening to music. In the background, computer systems are working away to safely drive the vehicle, until their behavior deviates from normal and the systems begin to receive anomalous signals. The weather is fine and road conditions are typical — what is going on?
Immediately, the VSOC notices this anomaly and begins its investigation. This is a race against time for safety. The team identifies the cause and concludes it is an active cyberattack. Actions are taken to successfully maintain the secure state of the vehicle.
The passengers are safely transported to their destination, and all vehicles of that model receive an update to patch the vulnerability.
Industry business drivers
Shared mobility with connectivity and autonomous technology will allow vehicles to become a platform for drivers and passengers to consume forms of media and service, therefore freeing up time for other activities. While fully autonomous vehicles are gradually catching up, the advanced driver assistance system will play a crucial role in preparing regulators, consumers and corporations for the production of future vehicles.
Aligned with the 2030 automotive vision for consumer and commercial vehicles, software-defined vehicle platforms are major factors driving innovation to meet demand. This is especially true as the market continues to make strides toward achieving the 2030 vision of connected, autonomous, shared and electrified (CASE) vehicles.
Engineering a cyber-safe vehicle
Vehicle safety is acknowledged by the industry as one of the most important motivators in vehicle development and production. Since vehicles are becoming ‘data centers on wheels’, the scope of safety extends to not only physical safety but also virtual safety. Therefore, before registering a vehicle for monitoring in the VSOC, measures need to be taken to secure a vehicle by design.
Some practices to implement security in the development and production phases include incorporating DevSecOps to achieve ‘software, safer, sooner’ and aligning with global security industry standards like IoXT for tier 1 and tier 2 suppliers and original equipment manufacturers (OEMs). These efforts to engineer a secure vehicle enable manufacturers to achieve a cybersecurity management system (CSMS). The CSMS is defined in United Nations Economic Commission for Europe (UNECE) WP.29 R.155, which is a mandatory cybersecurity compliance requirement in the EU, Japan and Korea for all new vehicles produced beginning in 2024. Additionally, it enables a smooth transition in vehicle and monitoring operations for the end-user and security team, respectively.
Bridging the gap between IT, OT and VSOC
VSOCs provide real-time visibility and insights into vehicle vulnerabilities and behaviors, in-car security incidents, events and conditions, and enable vehicle systems to identify threats that can lead to unsafe conditions for drivers.
The primary purpose and functional requirements of a VSOC are to maintain the safety, security and operations of the vehicle. However, the similarities with an information technology/operational technology security operations center (IT-OT SOC) end there. While it’s true that an IT-OT SOC can leverage similar people, processes and technology, the requirements for a VSOC are vastly different and require a unique operating model, skills, technology and processes.
A major area of difference is in the type of data ingested to identify threats, attacks and vulnerabilities. Vehicles have many sensors, computers and networks that communicate with each other, and these introduce threat vectors to a moving vehicle that traditional SOCs aren’t familiar with or prepared to support. For example, elements of an accident detection system must be able to verify the legitimacy of a series of event codes. In the case of electronic control unit (ECU) poisoning attacks, error and fault codes need to be understood to identify and register poisoning attempts. Finally, compromising infotainment systems is possible in several ways that produce codes that may not be straightforward for understanding.
All roads lead to a VSOC
The foundational elements of a VSOC build are critically important. A successful VSOC benefits from:
- Faster discovery
- Proactive and rapid response
- Open communication
- Co-located teams
- Cross-functional engagement
- Collaboration.
These benefits can be realized by key operating model considerations:
- An integrated and risk-based approach
- A programmatic approach
- An adaptive model with nimble processes
- Embracing technology changes
- Supporting data aggregation functionalities.
This holistic approach to a VSOC operating model enables manufacturers to transform their capabilities and support monitoring, detection and response to cyber threats and cyberattacks on vehicles.
In addition to production operations, VSOC services are employed in the vehicle development stage. Requirements for testing, managing vulnerabilities and conducting risk assessments are an important part of the journey to CSMS certification. IBM’s X-Force Red Offensive Security services support the vehicle testing requirements of WP.29 R.155 by offering hardware security testing, supplier component testing, connected services testing and more.
IBM Security Threat Management teams have extensive knowledge and experience in the automotive industry. Security experts are available to assist with your vehicle security needs. From performing component security testing for vehicle systems to aligning your organization to exceed CSMS certification requirements and to building out a vehicle security operations strategy, learn more here.
Request a Consultation
Global Threat Management Associate Partner, IBM Security