The Automotive Cybersecurity Industry Consortium (ACIC) is a public-private partnership that provides a collaborative mechanism and framework for automotive original equipment manufacturers (OEMs) to pool resources, leverage them with government funding and resources, and conduct cooperative “pre-competitive research” to improve the level of cybersecurity in automobiles.
Modern day automobiles are extremely complex, containing up to 100 embedded electronic control units (ECUs), a wide range of infotainment/telematics networks to support these units, and an ever-increasing number of wired and wireless interfaces. With this increased connectivity comes a higher risk of cybercriminals exploiting automotive cybersecurity vulnerabilities.
ACIC is a voluntary, technology-oriented partnership among automotive OEMs that is supported by the Department of Homeland Security Science and Technology Directorate (DHS S&T), the Department of Transportation Volpe National Transportation Systems Center (DOT Volpe Center), and nonprofit research center SRI International. The consortium identifies, prioritizes and conducts pre-competitive research projects that address critical cybersecurity challenges in automobiles. The consortium engages subject matter experts, consultants and researchers who provide the best-possible technical support for the project. Different projects require different skillsets and ACIC allows the flexibility to choose the best resources. The consortium promotes the interests of the automotive sector while maintaining impartiality, independence of the participants, and vendor neutrality. A “hub” organization, Bucciero & Associates, oversees the day-to-day operations of the ACIC, acquisition of technical resources based on project requirements, and administers all business issues among ACIC members and with project performers.
ACIC’s primary goal is to conduct proactive research to address critical automotive cybersecurity gaps and solutions. The research projects identified and selected by consortium members provide mutual benefit to all members and the nation by reducing the threat of cybersecurity risks in automobiles. The combined resources of the consortium members and the federal government increases both the capacity and quality of the research results. Members also benefit from DHS S&T and DOT Volpe Center broad access to government-funded research and researchers throughout the cybersecurity community. ACIC is focused on technology research and development, which does not have regulatory constraints and issues.
ACIC focuses on technology research, which complements other automotive industry efforts such as the Automotive Information Sharing and Analysis Center (Auto-ISAC), created to enhance cybersecurity awareness and share best practices, and SAE International, a global professional association and standards development organization for engineering professionals in various industries, including automotive.
Current Status and Next Steps
ACIC is in its sixth year and has completed research projects on tools and testing, threat assessment, testing frameworks, automotive ethernet security, vehicle security operations centers, and tuner motivations and techniques. In addition, it engaged the DOT Volpe Center on projects in telematics device cybersecurity testing and ECU cybersecurity mitigations. The consortium has initiated a new automotive cybersecurity adoption study. It will continue to execute on these projects, as well as identify, prioritize and conduct future research projects to improve cybersecurity in automobiles.
For More Information
President, Bucciero & Associates, P.C.
Program Manager, DHS S&T
ACIC Summary Datasheet and Overview Briefing
Automotive Industry Cybersecurity Adoption Survey
Automotive Industry Cybersecurity Adoption Survey
In January 2022, the ACIC and its partners, SBD Automotive and Pinsent Masons, plan to invite automotive OEMs and suppliers to participate in an Automotive Industry Cybersecurity Adoption Survey designed to help individual companies understand current cybersecurity practices and technology and rank their own against the industry. The secure, controlled, blind self-assessment survey will facilitate the gathering, collating, and analysis of industry-wide cybersecurity adoption trends and allow individual companies to provide input and position themselves. The survey will take approximately 45 minutes to complete.
Survey focus areas include current and future maturity assessment of cyber governance, cyber processes, cyber ecosystem, and cyber features and control.
Target participants include automotive OEMs and suppliers, connected vehicle security managers, cybersecurity engineers, and information technology security leads.
While most vehicle manufacturers and suppliers understand what steps should be taken to improve their cybersecurity posture, many automotive stakeholders do not understand where the industry is heading and whether they are leading, following, or in the pack, making it difficult to accurately plan and prioritize.
All participants will receive a complimentary copy of aggregate survey results with instructions on how to benchmark themselves against anonymized industry metrics.
CHECK BACK IN JANUARY 2022 FOR A LINK
TO THE SURVEY!!
ACIC Public Reports
Project 4: Vehicle Security Operations Center Best Practices and Technical Requirements, Public Report and Briefing, September 29, 2021.
The ACIC sought to document good practice and technical requirements for an automotive domain specific Security Operations Center (SOC) capable of ingesting and processing vehicle data based on approaches taken by a range of industries with greater experience in the use of SOCs. The ACIC contracted with SBD Automotive and its partner, Pen Test Partners, to study and document best practices and technical requirements for an automotive domain SOC capable of handling vehicle data. The VSOC best practices and technical requirements were derived from market research into product SOCs from other domains with equally complex and constrained environments, including aviation, defense, healthcare, industrial control systems (ICS), and mobile devices. SBD also explored and defined technical considerations for an automotive specific VSOC gathered through OEM interviews. This helped define requirements for a VSOC and gain a better understanding of what best practices from the cross-domain research are most applicable to the unique constraints of the automotive domain.
© 2021 Automotive Cybersecurity Industry Consortium. All rights reserved.