VSOC Vulnerability Management Fundamentals

The risk of a connected vehicle being cyberattacked is the highest it has ever been, due to new systems’ public digital blueprint and entry points, and the growing sophistication of attackers. A VSOC (Vehicle SOC) is a key component in managing these risks, as it identifies vulnerabilities and takes action to dispose of them. Let’s look at the key requirements for a secure VSOC, to help you build one or choose the right VSOC vendor for your needs. But first, let’s understand what a VSOC is.

What is a VSOC (Vehicle SOC)?

A Vehicle SOC, also known as an automotive SOC (ASOC) or car SOC (CSOC), is a security operations center that monitors and manages vehicle security risk. The VSOC is the centralized operations center where all vehicle security data is aggregated and analyzed to create a mitigation strategy. The team operating in the VSOC monitors the data, investigates events and responds to incidents and alerts.

Vehicle data in the VSOC is aggregated from security devices in vehicles, from manufacturers and from threat intelligence sources. In addition, the VSOC team also runs its own research and tests on vehicles, like static code analysis, dynamic testing, fuzzing, penetration testing, and more. This data is then collected in a vulnerability database.

Advanced data analyses that run on the database detect anomalies or incidents. Such incidents could relate to new or existing vulnerabilities. When these vulnerabilities require action, the team in the VSOC is alerted. It then reacts or escalates the issue, according to predetermined policies and procedures that are defined in playbooks and workflows.

Vehicle vulnerabilities could put specific vehicle components at risk. Or, they might have a wide, cross-vehicle impact that sets the stage for a more complex attack chain that could ultimately pose a functional or safety risk to vehicle systems and users, for example by hijacking the infotainment system and injecting manipulated data that creates safety problems for the driver.

VSOC services can be used by any organization that requires vehicle security monitoring, and are most commonly implemented by automotive OEMs and fleet managers.

Why Do We Need to Manage Vulnerabilities in the VSOC?

The growing number and sophistication of cyber attacks coupled with the technological advancement in car connectivity has made vehicles more vulnerable to attacks than ever. Automotive OEMs or fleet managers whose vehicles are breached run the risk of harming their brand, stock and business reputation, as well as dealing with legal implications.

By operating a VSOC and managing vulnerabilities in it, OEMs and fleet managers can monitor and remediate risks at any phase of the vehicle lifecycle – from the manufacturing line through testing and even after the vehicle is operative and on the road.

How to Manage Vulnerabilities in the VSOC

Here are seven key requirements for a VSOC that can help OEMs detect, analyze and mitigate vehicle risks.

1. Vulnerability Discovery
The first step of vulnerability management is identifying the risks. More precisely, this step identifies and flags potential risks that are relevant to the SBOM assets. To achieve this, the VSOC needs to aggregate information from intelligence feeds and combine it with internal research. The output of this phase is an alert each time a potential risk is discovered.

There are two main challenges during this phase. First, attempting to identify unreported or completely new vulnerabilities. Second, filtering out the vulnerabilities that do not have potential impact on the product.

2. Vulnerability Analysis
After classifying events as vulnerabilities, the analysis phase takes the data and turns it into actionable information. This means supporting (or disqualifying) the identification of a vulnerable item, calculating how exploitable it is and determining the probability of it occurring.

The outcome of this phase is the result of the following equation:
Potential Threat Scenario x Vulnerability Exploitability x Probability

3. Vulnerability Risk Assessment
Once a vulnerability has been classified and identified as exploitable and probable, the next step is assessing the impact of the cybersecurity risk on the business and the resources required to mitigate it. This will help determine whether to take action, and which course of action to take.

Different mitigation paths might be analyzed, according to the severity of the risk and the overall cost of the mitigation – from wide-scale recalls to an OTA (over-the-air) fix.

The outcome of this phase is the result of the following equation:
Potential Business Impact x Mitigation Effort x Business Containment Capability

4. Vulnerability Prioritization
If the vulnerability has been marked as having a high enough business impact and the mitigation has a high enough ROI, the next step is to prioritize mitigation actions for disposing of the vulnerabilities. This prioritization will help determine which vulnerabilities will be mitigated first.
The outcome of this phase is a mitigation action plan or program, based on the prioritization and risk acceptance criteria of the organization.

5. Vulnerability Mitigation & Containment Strategy
Now that the mitigation route has been decided upon, there is enough information to build the execution and monitoring strategy. This includes actions like patches, workarounds, replacements and acceptances. The strategy should also take into consideration the agreed-upon “time-to-fix” SLA.

6. Mitigation Deployment
After the strategy, it’s time to track execution and make sure the vulnerability is mitigated in the fastest, most efficient way possible. This includes the verification process and controls monitoring.

7. Vulnerability Disclosure
When the vehicles are safe again, the last step in the vulnerability management process is to publicly alert about the vulnerability, to enable future mitigation. The company can either alert internal relevant stakeholders, like the company’s engineering team, or it can issue a public disclosure. In any case, the alert should include a report of the vulnerability, as well as mechanisms and processes for future mitigation efforts.
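
Steps 1 to 4 above can be sketched in code. This is an added example, not Cybellum's or any VSOC product's implementation: it matches a feed against an SBOM, then applies the two products from steps 2 and 3 to gate and rank the alerts. The component names, advisory ids, 0..1 factor scales (higher meaning a stronger case to act) and both thresholds are assumptions made for illustration.

```python
# Added illustration: SBOM, feed and analyst scores are constructed sample data.
from math import prod

def ver(s):
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))

# Constructed SBOM: component -> (version shipped, ECUs that carry it)
SBOM = {"examplessl": ("1.4.2", ["telematics"]),
        "mediaparser": ("3.0.1", ["infotainment"]),
        "canstack": ("2.2.0", ["gateway"])}

# Constructed intelligence feed; the affected range is [introduced, fixed)
FEED = [
    {"id": "ADV-1", "component": "examplessl", "introduced": "1.0.0", "fixed": "1.4.5"},
    {"id": "ADV-2", "component": "mediaparser", "introduced": "2.0.0", "fixed": "3.0.0"},
    {"id": "ADV-3", "component": "canstack", "introduced": "2.0.0", "fixed": "2.3.0"},
    {"id": "ADV-4", "component": "webkitlike", "introduced": "1.0.0", "fixed": "9.0.0"},
    {"id": "ADV-5", "component": "mediaparser", "introduced": "3.0.0", "fixed": "3.1.0"},
]

# Constructed analyst scores, each 0..1, higher = stronger case to act (assumed scale).
# analysis   = (threat scenario, exploitability, probability)
# assessment = (business impact, mitigation effort, containment capability)
SCORES = {
    "ADV-1": {"analysis": (0.9, 0.8, 0.5), "assessment": (0.9, 0.8, 0.5)},
    "ADV-3": {"analysis": (1.0, 0.5, 0.4), "assessment": (1.0, 0.3, 0.8)},
    "ADV-5": {"analysis": (0.5, 0.2, 0.1), "assessment": (0.4, 0.9, 0.9)},
}

def discover(sbom, feed):
    """Step 1: alert only on advisories whose range covers a shipped version."""
    alerts = []
    for adv in feed:
        if adv["component"] not in sbom:
            continue  # component is not in the product, so no potential impact
        shipped, ecus = sbom[adv["component"]]
        if ver(adv["introduced"]) <= ver(shipped) < ver(adv["fixed"]):
            alerts.append({**adv, "shipped": shipped, "ecus": ecus})
    return alerts

def prioritize(alerts, scores, min_analysis=0.1, min_assessment=0.2):
    """Steps 2-4: gate on the analysis product, rank by the assessment product."""
    plan = []
    for a in alerts:
        s = scores[a["id"]]
        analysis, assessment = prod(s["analysis"]), prod(s["assessment"])
        if analysis >= min_analysis and assessment >= min_assessment:
            plan.append((round(assessment, 3), a["id"], a["ecus"]))
    return sorted(plan, reverse=True)  # highest assessment score first
```

Of the five constructed advisories, two never raise an alert (one component is absent from the SBOM, one shipped version is already past the fix), and one alert is dropped at the analysis gate as too unlikely to exploit.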

Next Steps

When building your VSOC or choosing a VSOC vendor, it’s important to ensure these key requirements appear in the VSOC responsibilities and workflows, according to the following key:

1-3: Vulnerability discovery, vulnerability analysis and vulnerability risk assessment – These steps are the VSOC’s main role and responsibility.

4-5: Vulnerability prioritization and vulnerability mitigation and containment strategy – The VSOC supports these phases and provides information and recommendations to business and product executives.

6: Mitigation deployment – The VSOC helps implement the decisions from phases 4-5.

7: Vulnerability disclosure – The VSOC can help legal and external and internal communications teams with this phase, if required.

Cybellum empowers OEMs to leverage vulnerability management operations in their VSOCs, providing the necessary data, context and automation needed to maintain vehicle security throughout its entire lifespan.