The Automotive Cybersecurity Industry Consortium (ACIC) recently partnered with SBD Automotive and Pen Test Partners to publish a new study to identify industry best practices and technical requirements for successfully enabling and securing Vehicle Security Operations Centers (VSOCs). The ACIC is a public-private partnership that provides a collaborative mechanism and framework for automotive OEMs to pool resources, leverage them with government funding and resources, and conduct cooperative “pre-competitive research” to improve the level of cybersecurity in automobiles.

The ACIC sought to document good practice and technical requirements for an automotive domain-specific Vehicle Security Operations Center (VSOC) capable of ingesting and processing vehicle data, based on approaches taken by a range of industries with greater experience in the use of SOCs. The VSOC best practices and technical requirements were derived from market research into product SOCs from other domains with equally complex and constrained environments, including aviation, defense, healthcare, industrial control systems (ICS), and mobile devices. SBD Automotive also explored and defined technical considerations for an automotive-specific VSOC, gathered through OEM interviews. This helped define requirements for a VSOC and gave a better understanding of which best practices from the cross-domain research are most applicable to the unique constraints of the automotive domain.

Connected vehicles have been on roads for years – some would say successfully, and without significant incident. Connected Vehicle Platform (CVP) providers generally provide a level of security monitoring and process to secure the standard remote access and control functionality from misuse. But with manufacturers launching vehicles that connect 24/7, fleets and associated service infrastructure passing billions of data points daily to support user services, and increasing amounts of user data available, the opportunity for unauthorized access to sensitive data or systems is rapidly increasing.

The latest generation of connected vehicles provides malicious actors with new opportunities for attempting a range of different attacks on vehicles and their associated ecosystems. Other industries have addressed the monitoring of similarly connected products and systems, and the detection of cybersecurity events, by implementing Security Operations Centers.

“VSOCs are a critical tool in the automotive industry’s cyber arsenal,” says Kurt Dusterhoff, Consulting Manager at SBD Automotive. “As vehicles become increasingly connected to the outside world, manufacturers are racing to implement device-monitoring capabilities to protect their end-users from malicious actors. VSOCs will be key to deploying timely responses to live cybersecurity incidents as well as helping manufacturers issue preventative measures as vulnerabilities and threats emerge.”

Figure 1 – Modern Connected Vehicle – Always On, Always Connected

This new report brings together best practices from six leading industries that vehicle manufacturers, or fleet owners, can apply to a VSOC or similar sub-organizations within a wider cybersecurity system. Researchers from SBD Automotive and Pen Test Partners interviewed more than 30 SOC and cybersecurity solution experts about their experiences of SOC Ecosystems, SOC Management, SOC Data Handling, and SOC Event Handling.

Figure 2 – Vehicles Connect to Users Through More Channels & Services Than Ever

The research team compiled analyses of the interviews and survey responses into a set of organizational and technical considerations. By examining these recommendations in relation to a range of potential attacks against connected vehicles, the authors have created a set of recommendations that an organization can use to build the foundation for applying good SOC practice to its specific connected vehicle environment. Each vehicle manufacturer, VSOC provider, or fleet operator can apply these recommendations to meet their specific circumstances.

Figure 3 – Three Options for Positioning the VSOC Within a Wider Organization

You can read the full recommendations, on a complimentary basis, in the VSOC Best Practices and Technical Requirements report and briefing on the ACIC website.