Reflecting on AUTO-ISAC: 3 Automotive Product Security Takeaways

AUTO-ISAC is a group of automotive cybersecurity professionals who come together a few times a year to discuss the latest trends, tools, and technologies dedicated to securing the connected vehicles of today and tomorrow. This exclusive gathering serves as a pivotal platform for experts in the automotive industry to share knowledge and insights about the evolving landscape of vehicle security.

Unsurprisingly, generative-AI was top of mind for most product security professionals who wondered how to properly go about building threat models when your adversary may just well be another computer. It was a perfect time to announce our partnership with Itemis, which combines Itemis’ TARA (threat analysis and risk assessment) solution with Cybellum’s Product Security Platform, including SBOM and vulnerability management, compliance validation and incident response. 

It will not only help teams develop threat models but it will be a significant step on their way to a full Cyber Security Management Systems (CSMS). 

We had the privilege of joining our peers in the automotive cybersecurity community to contribute to this essential dialogue. Our presentation ‘Back to the Future Part 2: Generative AI Meets Product Security,’ delved into the intersection of generative AI and product security, shedding light on the inherent security challenges it introduces.

A significant topic of discussion at AUTO-ISAC was the impact of generative AI (GenAI) on automotive cybersecurity. This powerful technology has become the talk of the town in the industry for all the right reasons. GenAI has the potential to expand the attack surface of Connected Autonomous Shared and Electric (CASE) platforms, introducing new complexities to the cybersecurity landscape. Notably, there are already instances of GenAI being weaponized against CASE systems, highlighting its potential to enhance hacker effectiveness.

Furthermore, GenAI is on the verge of becoming a staple in the automotive sector. Its ability to automate aspects of the software development lifecycle presents both opportunities and challenges. As our presentation emphasized, product security teams must align their people, processes, and technology (PPT) with the PPT of engineering teams to effectively mitigate the security risks associated with GenAI.

The AUTO-ISAC event also witnessed discussions on the importance of context in automotive cybersecurity. The Software Bill of Materials (SBOM) working group showcased success stories that emphasized the need for improved transparency in the industry. In this context, we proudly announced our partnership with Itemis, a significant stride toward integrating critical security platforms with the essential context required for effective decision-making.

By continually enriching full system architectures and sharing vital information through software bill of materials, the industry is bringing us closer to the security promise of WP.29 & ISO/SAE 21434. This holistic perspective of vehicle systems empowers cybersecurity professionals to proactively identify vulnerabilities and strengthen defenses against potential threats.

In the midst of the discussions on automotive cybersecurity challenges, it was evident that software development within the automotive industry is progressing at an unprecedented pace. New business models prioritize secure products, and automotive Original Equipment Manufacturers (OEMs) view these secure products as a competitive advantage. They strive to cater to a broad range of consumers by continually introducing new features and enhancements.

While software development in the automotive industry has become remarkably fast, it is crucial to acknowledge that the inability to secure it properly introduces a significant level of risk to your product. A full product lifecycle approach is essential from the outset if companies want to keep rolling out innovations and pushing the market forward.

In this ever-evolving landscape where connectivity and automation are revolutionizing the automotive industry, its inspiring to see how product remains a top priority.