SEPTEMBER 2017CIOAPPLICATIONS.COM9and alerts, through which vehicle information is collected and analyzed by GM to provide service information to customers.GM also has more than half a million enrolled in Insurance Discount programs. Protecting customer privacy is imperative, and in the connected vehicle context, GM does not collect or use personal information unless it receives appropriate consent to do so from the consumer.With such a vast array of data being exchanged, security becomes a primary concern. In the case of the connected vehicle ecosystem, authentication between the endpoints and encryption of data are major steps towards securing the vehicle and ensuring the customer's privacy. Authentication between the vehicles and the back office acts to mitigate unauthorized access to the communications channel. By leveraging industry best practices for security techniques and protocols, a balance between user experience and security can be achieved.A best practice is to use threat modeling and to adopt a risk-based methodology to identify assets and data that need protection, and to what degree. Understand the sensitivity and importance of the assets and data in the ecosystem. A risk-based approach will govern the amount of protection your assets and data need. Depending on its sensitivity and importance to the company and a hacker, the level of security is set to assure the confidentiality, integrity, and availability of the information or asset. The CIA triad is a tried and true model to guide your information security program.Another best practice is to use layers of protection, or a defense-in-depth strategy. No system is impenetrable given enough time and effort; therefore, the goal is to make it difficult for a hacker to break through by using a series of defensive measures so he or she moves on to an easier target. Or, in conjunction with a robust and well monitored intrusion detection system, an adversary can be quickly identified and thwarted.Next, the ability to recognize a security "event" is critical in your telematics system. You must have an Incident Response Plan (IRP) to help guide stakeholders in determining whether a "security incident" has occurred and if it requires special action. The IRP should call out the technical team members and business team members and their responsibilities. While it's certainly important to contain, asses root cause, and remediate the incident, it's also important to work in parallel with legal, communications, and public policy staff to determine if any communications are required for internal leaders, public officials, and customers. It is also likely a Cybersecurity IRP will call, and be called by, other IRP's within the broader organization.A security event may originate from many sources, including intelligence gathering from your Security Operations Center. Another source is academia and the research community. GM values the work of third-party researchers, and in early 2016 formally launched the GM Security Vulnerability Disclosure Program through which security researchers who find suspected security bugs or vulnerabilities can inform GM via a security website portal hosted by a trusted third party. The Program was developed with close attention to published standards related to disclosure, benchmarking of other disclosure programs, and direct interaction with the research community.Finally, cybersecurity must be a priority for top leadership. This is an organizational mindset to be driven top-down. GM takes cybersecurity very seriously, has devoted substantial resources to address it, and continues to do so. GM was the first auto manufacturer to create an integrated and dedicated global organization, Product cybersecurity, about three years ago. This organization consists of a growing team of internal experts who collaborate with outside specialists and third parties to ensure our products keep our customers' safety, security, and privacy at the center of everything we do. A best practice is to use threat modeling and to adopt a risk-based methodology to identify assets and data that need protection, and to what degreeKevin Baltes
< Page 8 | Page 10 >