In today’s digital age, cybersecurity readiness and resilience are critical. This is true for all industries but is particularly important in the automotive and smart mobility IoT sector. Organizations must be proactive in their approach to cybersecurity. Training teams through exercises that draw on real-life incident expertise builds readiness and prepares them to handle real-world scenarios.
The rise in cyber-driven data breaches
In recent years, data leaks have become a prominent pressure tactic used by threat actors. The large amount of PII collected by organizations, along with the impact on supply chains, has made mobility and automotive players a prime target. With the growing expansion of SIM-enabled IoT devices, which offer connectivity to these sectors, stakeholders in IoT are now targets as well. The likelihood of a third-party compromise affecting multiple assets is high. An example is the data breach of a major Tier-1 supplier in, which impacted dozens of automotive OEMs.
Ransomware groups are a significant force behind these breaches. Their persistence highlights the need to enhance Product Security Incident Response Team (PSIRT) capabilities and address product-specific aspects of data breaches. In recent years, there have been numerous data breach incidents affecting Tier-1 suppliers, OEMs, IoT vendors and other players in the automotive and mobility ecosystem. Sharing insights, practices, and lessons learned from these experiences can be valuable for other organizations.
Data breaches add unique challenges to product cybersecurity posture
Data breaches are not new, and many law firms and Digital Forensics and Incident Response (DFIR) firms have established methodologies and best practices for handling common aspects of breaches, such as Personally Identifiable Information (PII), commercial data, and communications. However, product-related aspects of data breaches, particularly in the automotive and mobility ecosystem, pose unique challenges and require industry-specific knowledge.
- Scale: identifying the breach’s impact and taking mitigation measures in product-centric organizations involves engaging multiple business units and functions, representing a significant portion of the organization.
- Focus and prioritization: with recent breaches encompassing terabytes of leaked data, conducting a full deep-dive analysis of all breached data is nearly impossible. Prioritizing efforts and identifying key focus areas are imperative.
- Practical DFIR aspects: identifying the right tools and techniques for investigation is crucial. Moreover, determining the appropriate keywords, file types, and analysis methods is essential for effective investigation.
The leaked data in such a breach often includes Controller Area Network (CAN) captures, schematics, source code, and media files, all of which can contain intellectual property and security-related information that poses a risk to the organization.
Triaging product aspects of a data breach
How to prioritize?
- Immediate action (“DO NOW”): Identify and mitigate any directly compromising artifacts with an externally facing attack surface. These include credentials for remotely available resources, digital certificates, API secret keys, etc.
- Nearly immediate action (“DO NEXT”): Analyze and address cybersecurity-related product artifacts and findings that could be exploited for product impact. Examples include Software Bill of Materials (SBOM), vulnerability assessments, penetration test results, and backdoor access mechanisms.
- Medium and long-term action (“DO LATER”): Conduct further analysis of artifacts that may have long-term product cybersecurity implications. This includes a business impact analysis of intellectual property loss, product schematics and diagrams, source code, configuration files, network traffic captures (e.g., CAN), firmware images, etc.
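The three tiers above can be applied as a first mechanical pass over a leak's file listing before analysts open anything. The sketch below is an added example, not part of the original article; the extension lists, keywords and regular expression are illustrative assumptions, and the sample listing is constructed. Note how a configuration file that would normally be "DO LATER" is escalated to "DO NOW" once its content shows an embedded secret.

```python
import re
from pathlib import PurePosixPath

# Tier names follow the article; the extension, keyword and regex lists are
# illustrative assumptions to be tuned per organization and product line.
TIERS = ["DO NOW", "DO NEXT", "DO LATER", "UNCLASSIFIED"]
SECRET_CONTENT = re.compile(
    r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"
    r"|(?i:api[_-]?(?:secret|key)|password|passwd)\s*[=:]\s*\S+")
NOW_EXT = {".pem", ".key", ".pfx", ".p12"}           # keys and certificates
NEXT_NAME = re.compile(r"sbom|spdx|cyclonedx|pentest|vuln|backdoor", re.I)
LATER_EXT = {".c", ".h", ".cpp", ".cfg", ".ini", ".sch", ".brd",  # code, config, schematics
             ".blf", ".asc", ".dbc", ".bin", ".hex", ".s19"}      # CAN logs, firmware

def classify(path, head=""):
    """Return the most urgent tier for one file; head is its first bytes as text."""
    p = PurePosixPath(path.lower())
    # Content beats file type: an embedded secret escalates any file.
    if p.suffix in NOW_EXT or SECRET_CONTENT.search(head):
        return "DO NOW"
    if NEXT_NAME.search(p.name):
        return "DO NEXT"
    if p.suffix in LATER_EXT:
        return "DO LATER"
    return "UNCLASSIFIED"

def triage(entries):
    """Group (path, head) pairs by tier, most urgent tier first."""
    buckets = {tier: [] for tier in TIERS}
    for path, head in entries:
        buckets[classify(path, head)].append(path)
    return buckets

# Constructed sample listing (not taken from any real breach).
SAMPLE = [
    ("ecu/gateway/src/diag.c", "static int unlock(void) { return 0; }"),
    ("ecu/gateway/backend.cfg",
     "url=https://example.invalid\napi_key = EXAMPLE-NOT-A-REAL-KEY"),
    ("pki/ota-signing.pem", "-----BEGIN PRIVATE KEY-----"),
    ("reports/2023_pentest_telematics.pdf", ""),
    ("sbom/tcu-cyclonedx.json", '{"bomFormat": "CycloneDX"}'),
    ("captures/drive_cycle.blf", ""),
    ("marketing/brochure.docx", ""),
]

if __name__ == "__main__":
    for tier, paths in triage(SAMPLE).items():
        print(f"{tier}: {paths}")
```

Files left in "UNCLASSIFIED" are not cleared; they are simply outside these rules and still need a reviewer's judgment.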
Improving PSIRT capabilities and readiness
- Familiarity with third-party and supply-chain risk management: ensure PSIRT is well-versed in organizational third-party and supply-chain risk management processes and information.
- Cyber Threat Intelligence Monitoring: use cyber threat intelligence to monitor the deep and dark web for potential breaches affecting your organization and supply chain.
- Tabletop Exercises: conduct dedicated tabletop exercises to simulate a data breach affecting your product. This helps understand existing capabilities, highlight areas for improvement, and involve relevant stakeholders (e.g., safety, legal, compliance, public relations, investor relations) who would be part of a real incident response.
- PSIRT maturity assessment: perform regular PSIRT maturity assessments to ensure your capabilities align with industry best practices.
- Regular training sessions: conduct frequent training sessions to improve awareness of evolving cybersecurity threats and risks.
By adopting these practices and continually enhancing PSIRT capabilities, organizations in the automotive and mobility ecosystem, including those utilizing IoT devices with SIM connectivity, can improve their ability to respond to cybersecurity threats and strengthen their posture and resilience.