This post was written with contributions from IBM Security’s Rob Dyson, Preston Futrell and Brett Drummond.

Let’s explore a day in the life of a vehicle security operations center (VSOC). An autonomous vehicle is transporting passengers to their destination. Inside the vehicle, they are patiently waiting to arrive and, in the meantime, are texting friends, completing some work and listening to music. In the background, computer systems are working away to safely drive the vehicle, until the vehicle’s behavior deviates from normal and the systems begin to receive anomalous signals. The weather is fine and road conditions are typical — what is going on?

Immediately, the VSOC notices this anomaly and begins its investigation. This is a race against time for safety. The team identifies the cause and concludes it is an active cyberattack. Actions are taken to successfully maintain the secure state of the vehicle.

The passengers are safely transported to their destination, and all vehicles of that model receive an update to patch the vulnerability.

Industry business drivers

Shared mobility with connectivity and autonomous technology will allow vehicles to become a platform on which drivers and passengers consume media and services, freeing up time for other activities. While fully autonomous vehicles are gradually catching up, advanced driver assistance systems (ADAS) will play a crucial role in preparing regulators, consumers and corporations for the production of future vehicles.

Aligned with the 2030 automotive vision for consumer and commercial vehicles, software-defined vehicle platforms are major factors driving innovation to meet demand. This is especially true as the market continues to make strides toward achieving the 2030 vision of connected, autonomous, shared and electrified (CASE) vehicles.

Engineering a cyber-safe vehicle

Vehicle safety is acknowledged by the industry as one of the most important motivators in vehicle development and production. Since vehicles are becoming ‘data centers on wheels’, the scope of safety extends to not only physical safety but also virtual safety. Therefore, before registering a vehicle for monitoring in the VSOC, measures need to be taken to secure a vehicle by design.

Some practices to implement security in the development and production phases include incorporating DevSecOps to achieve ‘software, safer, sooner’ and aligning with global security industry standards like ioXt for tier 1 and tier 2 suppliers and original equipment manufacturers (OEMs). These efforts to engineer a secure vehicle enable manufacturers to establish a cybersecurity management system (CSMS). The CSMS is defined in United Nations Economic Commission for Europe (UNECE) WP.29 R.155, which is a mandatory cybersecurity compliance requirement in the EU, Japan and Korea for all new vehicles produced beginning in 2024. Additionally, it enables a smooth transition in vehicle and monitoring operations for the end-user and security team, respectively.

Bridging the gap between IT, OT and VSOC

VSOCs provide real-time visibility and insights into vehicle vulnerabilities and behaviors, in-car security incidents, events and conditions, and enable vehicle systems to identify threats that can lead to unsafe conditions for drivers.

The primary purpose and functional requirements of a VSOC are to maintain the safety, security and operations of the vehicle. However, the similarities with an information technology/operational technology security operations center (IT-OT SOC) end there. While it’s true that an IT-OT SOC can leverage similar people, processes and technology, the requirements for a VSOC are vastly different and require a unique operating model, skills, technology and processes.

A major area of difference is in the type of data ingested to identify threats, attacks and vulnerabilities. Vehicles have many sensors, computers and networks that communicate with each other, and these introduce threat vectors to a moving vehicle that traditional SOCs aren’t familiar with or prepared to support. For example, elements of an accident detection system must be able to verify the legitimacy of a series of event codes. In the case of electronic control unit (ECU) poisoning attacks, error and fault codes need to be understood so that poisoning attempts can be identified and registered. Finally, infotainment systems can be compromised in several ways that produce codes which are not straightforward to interpret.
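To make the point about vehicle-specific data concrete, here is an added example (not code from the article or from IBM) of a small VSOC-style detection pass over ECU fault-code telemetry. The record format (`timestamp,vehicle,ecu,code`), the ECU names, the codes, their assumed meanings (a crash-sensor trigger that must precede an airbag deployment code) and the thresholds are all constructed for illustration. It applies three checks a VSOC analyst would want on such a feed: codes an ECU is not expected to emit, an accident-detection sequence arriving out of order, and a burst of codes from one ECU inside a short window.

```python
"""Added illustration: a VSOC-style detection pass over vehicle fault-code telemetry.
Record format, ECU names, codes, code meanings and thresholds are constructed for this
example and are not taken from the article or from any real vehicle platform."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Constructed allowlist: codes each ECU is expected to emit under normal operation.
EXPECTED_CODES: Dict[str, set] = {
    "ENGINE": {"P0300", "P0420", "P0171"},
    "AIRBAG": {"B0001", "B0020"},      # assumed: B0001 = crash sensor trigger, B0020 = deployment
    "INFOTAINMENT": {"U0100", "U0155"},
}
CRASH_SENSOR_CODE = "B0001"
DEPLOYMENT_CODE = "B0020"
SEQUENCE_WINDOW_S = 2.0   # a deployment must follow a sensor trigger within this many seconds
BURST_WINDOW_S = 5.0
BURST_THRESHOLD = 5       # more than this many codes from one ECU inside the window is a burst


@dataclass(frozen=True)
class Event:
    ts: float
    vehicle: str
    ecu: str
    code: str


def parse_line(line: str) -> Optional[Event]:
    """Parse 'timestamp,vehicle,ecu,code'; malformed input yields None instead of an exception."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    try:
        return Event(float(parts[0]), parts[1], parts[2].upper(), parts[3].upper())
    except ValueError:
        return None


Finding = Tuple[float, str, str, str]  # (timestamp, vehicle, ecu, description)


def analyze(lines) -> List[Finding]:
    """Run the three checks over an iterable of raw telemetry lines, in arrival order."""
    findings: List[Finding] = []
    windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    burst_reported: set = set()
    last_sensor_trigger: Dict[str, float] = {}

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # dropped here; a production pipeline would also count malformed records
        key = (ev.vehicle, ev.ecu)

        # Check 1: a code the ECU is not known to emit, or an ECU that is not known at all.
        allowed = EXPECTED_CODES.get(ev.ecu)
        if allowed is None:
            findings.append((ev.ts, ev.vehicle, ev.ecu, f"unknown ECU emitted {ev.code}"))
        elif ev.code not in allowed:
            findings.append((ev.ts, ev.vehicle, ev.ecu, f"unexpected code {ev.code}"))

        # Check 2: legitimacy of the accident-detection sequence (trigger before deployment).
        if ev.ecu == "AIRBAG" and ev.code == CRASH_SENSOR_CODE:
            last_sensor_trigger[ev.vehicle] = ev.ts
        elif ev.ecu == "AIRBAG" and ev.code == DEPLOYMENT_CODE:
            prior = last_sensor_trigger.get(ev.vehicle)
            if prior is None or ev.ts - prior > SEQUENCE_WINDOW_S:
                findings.append((ev.ts, ev.vehicle, ev.ecu,
                                 "deployment code without a preceding crash sensor trigger"))

        # Check 3: burst of codes from one ECU, using a sliding time window per (vehicle, ECU).
        win = windows[key]
        win.append(ev.ts)
        while win and ev.ts - win[0] > BURST_WINDOW_S:
            win.popleft()
        if len(win) > BURST_THRESHOLD and key not in burst_reported:
            findings.append((ev.ts, ev.vehicle, ev.ecu,
                             f"{len(win)} codes within {BURST_WINDOW_S:g}s"))
            burst_reported.add(key)
    return findings


# Constructed sample telemetry: one clean airbag sequence, one deployment with no trigger,
# an engine-code burst, an unknown ECU, an infotainment code from the wrong family, and junk.
SAMPLE_LOG = """\
1000.0,VIN-TEST-1,ENGINE,P0300
1000.5,VIN-TEST-1,INFOTAINMENT,U0100
1001.0,VIN-TEST-1,AIRBAG,B0020
1002.0,VIN-TEST-2,AIRBAG,B0001
1002.3,VIN-TEST-2,AIRBAG,B0020
1010.0,VIN-TEST-1,ENGINE,P0300
1010.4,VIN-TEST-1,ENGINE,P0300
1010.9,VIN-TEST-1,ENGINE,P0300
1011.2,VIN-TEST-1,ENGINE,P0300
1011.8,VIN-TEST-1,ENGINE,P0300
1012.1,VIN-TEST-1,ENGINE,P0300
1015.0,VIN-TEST-2,BRAKE,C0035
1016.0,VIN-TEST-2,INFOTAINMENT,P0300
malformed line
"""


def analyze_sample() -> List[Finding]:
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, vehicle, ecu, desc in analyze_sample():
        print(f"{ts:.1f} {vehicle} {ecu}: {desc}")
```

Each check corresponds to one of the data problems named above: the allowlist is the baseline of what each ECU legitimately emits, the sequence check is the accident-detection case where a series of event codes must be verified rather than trusted one at a time, and the burst check is a coarse signal for fault-code flooding or ECU poisoning. A real VSOC would key thresholds per vehicle model and ECU firmware version and would feed findings into a case-management tool rather than printing them.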

All roads lead to a VSOC

The foundational elements of a VSOC build are critically important. A successful VSOC benefits from:

  • Faster discovery
  • Proactive and rapid response
  • Open communication
  • Co-located teams
  • Cross-functional engagement
  • Collaboration.

These benefits can be realized by key operating model considerations:

  • An integrated and risk-based approach
  • A programmatic approach
  • An adaptive model with nimble processes
  • Embracing technology changes
  • Supporting data aggregation functionalities.

This holistic approach to a VSOC operating model enables manufacturers to transform their capabilities and support monitoring, detection and response to cyber threats and cyberattacks on vehicles.

In addition to production operations, VSOC services are employed in the vehicle development stage. Requirements for testing, managing vulnerabilities and conducting risk assessments are an important part of the journey to CSMS certification. IBM’s X-Force Red Offensive Security services support the vehicle testing requirements of WP.29 R.155 by offering hardware security testing, supplier component testing, connected services testing and more.

IBM Security Threat Management teams have extensive knowledge and experience in the automotive industry. Security experts are available to assist with your vehicle security needs, from performing component security testing for vehicle systems to aligning your organization to exceed CSMS certification requirements and building out a vehicle security operations strategy.
