The Importance of an Up-to-Date Information Security Plan for Automotive OEMs and Dealerships

For OEMs and dealerships, a written information security plan is essential for protecting sensitive data, securing networked vehicle systems, ensuring regulatory compliance and preparing for potential security incidents. But merely having a plan in place isn’t enough—here’s why it should be an updated, dynamic document if you really want to reduce risks from increased cyber threats. 

Rising Automotive Cyber Threats 

A recent survey of automotive dealerships found almost one-fifth of them experienced a cyberattack or incident within the last year. Moving a step up to the OEM level, broader research on manufacturers by the World Economic Forum reported a 15% increase in cyberattacks on companies in the sector.  

An information security plan helps to identify potential threats, establish preventive measures and outline your responses to security incidents. It’s the very foundation of being able to reduce your risk exposure to growing cyber threats in the industry.   

Why to Regularly Update Your Information Security Plan 

Information security plans in the automotive industry should not be static documents that are written once and then considered complete or neglected for a few years. They must be regularly updated to reflect the industry’s dynamic and rapidly evolving nature, general technological changes, and the fast-moving threat landscape. Here are a few compelling reasons to update your plan often. 

Complying with regulations like the FTC Safeguards Rule 

The FTC Safeguards Rule requires financial institutions, which includes most automotive dealerships, to develop, implement and maintain a comprehensive information security program. This program must include administrative, technical and physical safeguards to protect customer information. A key component of complying with the Safeguards Rule is having a written incident response plan that outlines the procedures for responding to a security event. Regularly updating your information security plan ensures that your incident response protocols align with the latest Safeguards Rule requirements. 

Get FTC Safeguards Rule Support 

Protecting connected vehicle data 

Modern vehicles are no longer just mechanical constructs; they are complex systems interconnected through various networks. Telematics, infotainment systems and autonomous driving technologies all collect and process vast amounts of information. A static security policy cannot adjust to the constantly changing landscape of these technologies and the corresponding threats. An up-to-date plan ensures that as your vehicle technologies evolve, so do your protections against data breaches and cyberattacks.  

Being able to respond to other tech advancements

The connected vehicle is just one technological shift that introduces the potential for different attack vectors and types for OEMs and dealerships to prepare for. Other ongoing changes include the rapid integration of IoT devices, Vehicle-to-Everything (V2X) communication and over-the-air (OTA) updates. Think about V2X for a moment—it continues to improve the convenience and mobility of vehicles. However, security researchers have described plausible attack scenarios on V2X, like ghost nodes that cause unwanted behaviors on the network. A static policy can’t account for these developments.  

Mitigating supply chain security risks

Automotive OEMs and dealerships face high levels of risk from the ongoing general trend of increased supply chain cybersecurity risks. Both work with a vast chain of suppliers and partners, within which one link can quickly become a potential vulnerability.  

To take a hypothetical scenario: imagine a supplier of an OEM’s electronic control units (ECUs) recently underwent corporate restructuring that saw them outsourcing software development to a new vendor in another country to save costs. This change could potentially increase the risk of ECU vulnerabilities if the outsourced company doesn’t have the same rigorous cybersecurity standards as the original supplier.  

Static security policies fail to account for or even notice the dynamic nature of these supply chain risks. An updated security plan includes proactive measures to assess the security practices of your supply chain partners, while also keeping an accurate inventory of those third parties so no risks go unnoticed. 

Dealing with an ever-expanding attack surface 

The integration of IT and OT within automotive environments has led to increased efficiency and innovation but also created new security challenges. One such challenge is that devices previously isolated away from the network now face potential exposure from internet-facing threats. This is especially true in cases where the growing convergence between IT and OT isn’t adequately addressed from a security standpoint.  

Static policies lack the flexibility to address the nuances of these interconnected environments. Also, without updates, incident response plans based on static information security plans won’t account for the latest threats or vulnerabilities targeting this IT/OT integration and its increasing attack surface.  

Get Your Plan Right with Executive Advisory Services and Incident Response Readiness 

To effectively manage changing risks, OEMs and dealerships need dynamic and expert-driven security strategies, starting with developing and updating your information security plan. Nuspire’s Executive Advisory Services provide the specialized expertise to develop a good plan, offering tailored guidance and continuous support to ensure your security measures evolve alongside the threat landscape. 

But having a plan is only half the battle – you also need to ensure your team is prepared to execute it effectively. Nuspire’s Incident Response Readiness Service fortifies your cyber defense by simulating real-world cyber threats through dynamic, scenario-based training and comprehensive post-exercise analysis. This service integrates seamlessly with your existing cybersecurity framework, helping meet compliance requirements and cyber insurance policies by ensuring your incident response plan is robust, up-to-date, and thoroughly practiced. 

Have you registered for our next event?