SOC Versus VSOC: Same But Different

Originally published on Forbes, August 4th, 2021


Automotive cybersecurity is finally getting its time to shine. The upcoming launch of new regulations and standards, alongside the ever-increasing scale of automotive cyberattacks, is prioritizing the establishment of cybersecurity operations among leading OEMs across the world. And OEMs are rising to the challenge, with many either already operating, or in the process of setting up, their vehicle security operations center (VSOC).

There’s nothing new under the sun about VSOCs — that is except for the V part of the acronym. The holy trinity of SOCs — people, processes and technology — that keep IT systems safe and secure are also relevant in the VSOC.

People operate the actual center, using processes and playbooks that provide them with precise instructions regarding how they should respond to different scenarios. Finally, technology like AI and machine learning eases the burden on SOC personnel by automating manual processes and reducing information overload.

Whose SOC Is It Anyway?

The introduction of VSOCs raises new questions regarding organizational ownership. CISOs claim that their existing SOCs can expand beyond IT to incorporate cybersecurity for automotive products. On the other hand, product security teams tasked with embedding robust cyber defenses during the vehicle’s development argue that the VSOC extends their jurisdiction into post-production and want this new function under their authority.

The reality is that while automotive cybersecurity shares many similarities with IT cybersecurity, I believe that it should be handled as an entirely different function. Although the holy trinity still holds true in VSOCs, the people, processes and technology that make it run diverge from those that are leveraged to operate an IT SOC. For this reason — and a few more that we’re about to dive into — VSOCs should be operated by experts knowledgeable in vehicle product security.

5 Reasons Why VSOCs Should Be Separated From IT SOCs

Connected vehicles are built and operate in ways that are fundamentally different from IT systems, which mandates a different approach to ongoing, post-production monitoring and incident response.

1. Domains Do Not Overlap: Vehicle systems are fundamentally different from IT systems. They rely on embedded systems with a different technology ecosystem, such as special hardware architectures and different operating systems (OS), including real-time OSs for mission-critical components, creating a significant knowledge gap that hampers any attempt to carry procedures over from IT SOCs into the VSOC. In addition, while it may be tempting to assume that IT cybersecurity domain experts can be easily retooled for automotive cybersecurity, this simply is not the case. Level 1 and maybe even Level 2 security experts can, if they have the right playbooks and technology available, potentially handle both IT SOCs and VSOCs simultaneously. However, the critical Level 3 product security incident response team (PSIRT) that is responsible for understanding the different protocols, operating systems, hardware architectures and threats in the automotive world is highly specialized. Sourcing such talent with expertise relevant to both domains is extremely unlikely, if not entirely impossible.

2. Different Cyber Risks: 90% of IT cyberattacks are phishing attempts; however, the cyber threat map for connected vehicles is much more complex and includes ransomware and DoS attacks. What’s more, technical attack vectors between the two differ greatly, as do the potential repercussions of successful attacks.

3. Threat Intelligence Sources Are Incompatible: Threat intelligence sources offer a wealth of know-how regarding known attack vectors and the steps that should be taken to mitigate them. In the IT world, there is a robust community of cyber professionals who share their knowledge and intelligence with each other (for example, the MITRE ATT&CK framework). However, these intelligence sources are not specific to the automotive industry. More automotive-focused data feeds like Auto-ISAC provide intelligence that is much more relevant.

4. Incident Response: Forced patches (security updates deployed specifically to eliminate a vulnerability) are the standard remediation technique of IT SOCs. In the automotive industry, where vehicles are only connected when they’re actually operating, this technique is only feasible by integrating with external systems that enable over-the-air (OTA) updates. Additionally, while deploying a patch to an organization’s proprietary IT systems and devices is within their rights, this doesn’t hold true when the patch is for systems that now belong to private consumers.

5. IT Environments Were Built To Handle Big Data: In IT networks, near-limitless bandwidth means that there’s almost no financial cost to continuously sending, storing and processing huge amounts of data. Nodes are installed with “dumb” adaptors that push huge amounts of raw data and logs to the SIEM. With tens of millions of connected vehicles using cost-prohibitive cellular data to connect to the cloud — and each car creating on average 25 gigabytes/hour — this approach is not feasible in the automotive industry. This issue can be resolved by adding intelligent capabilities in the vehicle so that only critical, relevant data is pushed out.
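As an added illustration of point 5 (not code from the original article or any vendor product), the sketch below contrasts the "dumb adaptor" model with an in-vehicle pre-filter: it consumes a constructed stream of ECU events, forwards only the few security-relevant alerts plus a one-line volume summary, and reports how much of the raw stream would have left the vehicle. The event tuples, ECU names, policy thresholds and hash values are all assumptions made for the demonstration.

```python
# Added example, not part of the original article: an in-vehicle
# pre-filter that sends the VSOC only security-relevant alerts plus a
# compact summary, instead of streaming every raw log line over cellular.
from collections import Counter

# Constructed sample stream of (ecu, signal, value) tuples as a "dumb"
# adaptor would emit them; not real vehicle data.
RAW_EVENTS = [
    ("BCM", "door_lock", "locked"),
    ("IVI", "login_failed", "admin"),
    ("IVI", "login_failed", "admin"),
    ("IVI", "login_failed", "admin"),
    ("TCU", "firmware_hash", "aaaa1111"),   # constructed placeholder hash
    ("TCU", "firmware_hash", "bbbb2222"),   # changed with no OTA campaign
    ("BCM", "door_lock", "unlocked"),
] + [("ECM", "rpm", 2000 + i) for i in range(50)]

# Hypothetical policy values for the demonstration.
BRUTE_FORCE_THRESHOLD = 3
EXPECTED_FW_HASH = "aaaa1111"

def prefilter(events, expected_fw=EXPECTED_FW_HASH, threshold=BRUTE_FORCE_THRESHOLD):
    """Return (alerts, summary): alerts are the few events worth an uplink,
    summary is one record of counts per signal so the VSOC still sees volume."""
    alerts = []
    fails = Counter()
    volume = Counter()
    for ecu, signal, value in events:
        volume[(ecu, signal)] += 1
        if signal == "login_failed":
            fails[(ecu, value)] += 1
            if fails[(ecu, value)] == threshold:   # fire once, not per attempt
                alerts.append({"ecu": ecu, "type": "brute_force", "user": value})
        elif signal == "firmware_hash" and value != expected_fw:
            alerts.append({"ecu": ecu, "type": "fw_mismatch", "seen": value})
        # High-rate telemetry such as rpm and door state never leaves the car.
    summary = {f"{ecu}.{sig}": n for (ecu, sig), n in sorted(volume.items())}
    return alerts, summary

def uplink_ratio(events, alerts, summary):
    """Fraction of records sent compared with the raw 'push everything' model."""
    return (len(alerts) + len(summary)) / len(events)

if __name__ == "__main__":
    a, s = prefilter(RAW_EVENTS)
    print(a, s, f"{uplink_ratio(RAW_EVENTS, a, s):.2%}")
```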

Key Takeaways: Upgrading The SOC Into A VSOC

A well-designed VSOC will also include the following capabilities:

1. Automotive Context-Awareness: VSOCs must be capable of understanding threats in the context of the vehicle, its complex architecture and its unique technology ecosystem. This is where cyber digital twins (CDTs) technology can be leveraged to quickly assess the exploitability and severity of a threat, minimize irrelevant alerts and support quick root-cause analysis in the event of real security incidents.

2. Integrated Response: Closing the security loop quickly and efficiently requires that VSOCs integrate with asset-management systems, OTA update systems, SIEM with telematics data from the vehicle (if and when available) and others.

3. Impact Analysis: The potentially catastrophic results and high risk associated with vehicle security issues mandate the timely analysis of each threat across the organization to identify the impact on other vehicles/components and prevent vulnerabilities from turning into incidents. Here, too, CDTs can play a role by expediting impact analysis across your entire asset base.

Regardless of where you see the VSOC situated in the company hierarchy, ensuring that you put automotive domain experts, processes and technology in place is critical to success.