The essence of automotive cybersecurity's current state of capability: It’s possible to thwart most—but not all—cyber incidents.
“You can put in place all the preventive medicine that you want, but a cyber disruption is going to happen. The relevant question for an organization is ‘how will you respond?’” said Bill Hardin, Vice President of Forensic & Cyber Investigations at Charles River Assoc.
Hardin and other cyber security experts who recently spoke with Automotive Engineering stress the importance of developing a response plan for online attacks. A company’s general counsel, chief information security officer and outside legal counsel typically are involved in assembling such a plan.
“It can be just a one-pager that states the response team’s quarterback, the things that need to be done and the folks who need to get involved,” Hardin said.
Whether it’s a virus, a ransomware demand, or another type of cyber attack, the disruption requires immediate attention. And the unfolding situation needs to be handled in a coordinated manner.
Brian Balow, a member of the law firm Dawda, Mann, Mulcahy & Sadler PLC, advises clients dealing with a cyber situation to avoid communicating via emails and texts.
“While deliberating the incident, the response and recovery should be done with face-to-face meetings and phone calls,” he said. “After you’ve made decisions about what to do, then you can document those decisions in writing.”
It’s important to keep the information technology landscape intact after a cyber hack. “Preserve the IT environment if you can. If you do not have a system backup, you may be required to reconstruct the databases. And doing that reconstruction means you’ve lost a lot of the server log information,” Balow noted. “That historical information can be used to help understand what happened and understand how many individuals were affected.”
The impulse to shut down a computer and restart it could further complicate a cyber situation, according to Brian Warszona, Vice President, Cyber Specialist for Willis Towers Watson. “You really don’t want to do something when you’re not even sure what it is. It could just be a computer glitch,” he said. “Don’t panic; consult with your company’s designated response-plan quarterback.”
A rush to judgment can be pointless, especially since not all cyber incidents trace back to hackers. “How did the bad guys get into the system? Did they even get into it? Was it a misconfiguration of code? It comes down to how quickly we can make a determination, preserve the evidence and do what’s necessary to limit the operational impact on the organization,” Hardin said.
Meanwhile, cyber-attack 'rehearsals' can be good practice to stay prepared. “Let’s say a company is concerned about a ransomware demand. The response team, along with outside legal counsel, could do a few tabletop exercises to see if there are any vulnerabilities in the process,” suggested Warszona.
Having procedures and policies in place before a cyber disruption is just as important as training the workforce on the cybersecurity action plan. Observed Balow, “A data security protocol is not ‘nice-to-have’ anymore, it’s must-have.”
Author: Kami Buchholz
Source: SAE Automotive Engineering Magazine