This post was written with contributions from IBM Security’s Rob Dyson, Preston Futrell and Brett Drummond.

Let’s explore a day in the life of a vehicle security operations center (VSOC). An autonomous vehicle is transporting passengers to their destination. Inside the vehicle, they are patiently waiting to arrive at their destination and, in the meantime, are texting friends, completing some work and listening to music. In the background, computer systems are working away to safely drive the vehicle, until their behavior deviates from normal and the systems begin to receive anomalous signals. The weather is fine and road conditions are typical — what is going on?

Immediately, the VSOC notices this anomaly and begins its investigation. This is a race against time for safety. The team identifies the cause and concludes it is an active cyberattack. Actions are taken to successfully maintain the secure state of the vehicle.

The passengers are safely transported to their destination, and all vehicles of that model receive an update to patch the vulnerability.

Industry business drivers

Shared mobility with connectivity and autonomous technology will allow vehicles to become a platform for drivers and passengers to consume forms of media and service, therefore freeing up time for other activities. While fully autonomous vehicles are gradually catching up, the advanced driver assistance system will play a crucial role in preparing regulators, consumers and corporations for the production of future vehicles.

Aligned with the 2030 automotive vision for consumer and commercial vehicles, software-defined vehicle platforms are major factors driving innovation to meet demand. This is especially true as the market continues to make strides toward achieving the 2030 vision of connected, autonomous, shared and electrified (CASE) vehicles.

Engineering a cyber-safe vehicle

Vehicle safety is acknowledged by the industry as one of the most important motivators in vehicle development and production. Since vehicles are becoming ‘data centers on wheels’, the scope of safety extends to not only physical safety but also virtual safety. Therefore, before registering a vehicle for monitoring in the VSOC, measures need to be taken to secure a vehicle by design.

Some practices to implement security in the development and production phases include incorporating DevSecOps to achieve ‘software, safer, sooner’ and aligning with global security industry standards like IoXT for tier 1 and tier 2 suppliers and original equipment manufacturers (OEMs). These efforts to engineer a secure vehicle enable manufacturers to achieve a cybersecurity management system (CSMS). The CSMS is defined in United Nations Economic Commission for Europe (UNECE) WP.29 R.155, which is a mandatory cybersecurity compliance requirement in the EU, Japan and Korea for all new vehicles produced beginning in 2024. Additionally, it enables a smooth transition in vehicle and monitoring operations for the end-user and security team, respectively.

Bridging the gap between IT, OT and VSOC

VSOCs provide real-time visibility and insights into vehicle vulnerabilities and behaviors, in-car security incidents, events and conditions, and enable vehicle systems to identify threats that can lead to unsafe conditions for drivers.

The primary purpose and functional requirements of a VSOC are to maintain the safety, security and operations of the vehicle. However, the similarities with an information technology/operational technology security operations center (IT-OT SOC) end there. While it’s true that an IT-OT SOC can leverage similar people, processes and technology, the requirements for a VSOC are vastly different and require a unique operating model, skills, technology and processes.

A major area of difference is in the type of data ingested to identify threats, attacks and vulnerabilities. Vehicles have many sensors, computers and networks that communicate with each other, and these introduce threat vectors to a moving vehicle that traditional SOCs aren’t familiar with or prepared to support. For example, elements of an accident detection system must be able to verify the legitimacy of a series of event codes. In the case of electronic control unit (ECU) poisoning attacks, error and fault codes need to be understood to identify and register poisoning attempts. Finally, compromising infotainment systems is possible in several ways that produce codes that may not be straightforward for understanding.

All roads lead to a VSOC

The foundational elements of a VSOC build are critically important. A successful VSOC benefits from:

  • Faster discovery
  • Proactive and rapid response
  • Open communication
  • Co-located teams
  • Cross-functional engagement
  • Collaboration.

These benefits can be realized by key operating model considerations:

  • An integrated and risk-based approach
  • A programmatic approach
  • An adaptive model with nimble processes
  • Embracing technology changes
  • Supporting data aggregation functionalities.

This holistic approach to a VSOC operating model enables manufacturers to transform their capabilities and support monitoring, detection and response to cyber threats and cyberattacks on vehicles.

In addition to production operations, VSOC services are employed in the vehicle development stage. Requirements for testing, managing vulnerabilities and conducting risk assessments are an important part of the journey to CSMS certification. IBM’s X-Force Red Offensive Security services support the vehicle testing requirements of WP.29 R.155 by offering hardware security testing, supplier component testing, connected services testing and more.

IBM Security Threat Management teams have extensive knowledge and experience in the automotive industry. Security experts are available to assist with your vehicle security needs. From performing component security testing for vehicle systems to aligning your organization to exceed CSMS certification requirements and to building out a vehicle security operations strategy, learn more here.

Request a Consultation

More from Security Services

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

39% of MSPs report major setbacks when adapting to advanced security technologies

4 min read - SOPHOS, a leading global provider of managed security solutions, has recently released its annual MSP Perspectives report for 2024. This most recent report provides insights from 350 different managed service providers (MSPs) across the United States, United Kingdom, Germany and Australia on modern cybersecurity tools solutions. It also documents newly discovered risks and challenges in the industry.Among the many findings of this most recent report, one of the most concerning trends is the difficulties MSPs face when adapting their service…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today