- Bill Hardin asks: "When an incident occurs, how quickly can your organization make a determination, preserve evidence, and take the necessary steps to limit the spread of the impact?" (Image source: Charles River Assoc.)
- Brian Balow says, "When a problem arises and the response is being discussed, clients should use face-to-face meetings or conference calls." (Image source: Dawda, Mann, Mulcahy & Sadler)
- Brian Warszona of Willis Towers Watson says the impulse to simply restart the computer when a problem appears can make the situation more complicated. (Image source: Willis Towers Watson)
The essence of the current state of automotive cybersecurity: the vast majority of cyber incidents can be prevented, but not all of them.
Bill Hardin, Vice President of Forensic & Cyber Investigations at Charles River Assoc., says, "You can take all the preventive measures you want, but a cybersecurity incident that is going to happen will happen. The real question a company has to face is 'how will you respond?'"
Hardin and several other cybersecurity experts recently interviewed by SAE's Automotive Engineering International (AEI) magazine all stressed the importance of developing a cyber-attack response plan. Typically, the plan is drawn up jointly by the company's general counsel, chief information security officer and outside legal counsel.
Hardin says, "The plan may be just one page, listing the response team's lead, the actions to be taken, and who specifically carries them out."
The response team must be ready to notice a virus, ransomware or any other form of cyber attack immediately, and coordinate to deal with it actively.
Brian Balow, a member of the law firm Dawda, Mann, Mulcahy & Sadler PLC, advises clients facing a cybersecurity problem to avoid communicating by email and text message.
"When discussing the response, clients should use face-to-face meetings or conference calls," Brian Balow says. "Only after you have made decisions should you record those decisions in writing."
After a cyber attack, it is very important to preserve the integrity of the company's IT systems. "If at all possible, keep the IT systems backed up at all times. Without a backup, when a cybersecurity incident hits, the databases may have to be rebuilt, and rebuilding means you lose a great deal of server log information," Balow says. "That historical information could have helped us understand what happened and determine how many people were affected."
Brian Warszona of Willis Towers Watson says the impulse to simply restart the computer when a problem appears can make the situation more complicated. "If you don't have the relevant knowledge, you really should not act on your own. It might just be a computer glitch," Warszona says. "Don't panic; go straight to the person your company has designated to lead the response."
Jumping to conclusions is pointless, especially since not every cybersecurity incident can be traced back to hackers. Hardin says, "How did the bad guys get into the system? Did they get in at all? Could it be just one line of faulty code? It comes down to your organization's ability to make a determination, preserve evidence and take the necessary steps to limit the spread of the impact."
At the same time, regularly 'rehearsing' cyber-attack response scenarios keeps a company ready at all times. Warszona suggests, "Say a company is very concerned about ransomware. Its response team and outside legal counsel can run some drills to see whether there are any gaps in the process."
Putting mechanisms and policies in place before a cybersecurity incident occurs is just as important as giving employees cybersecurity training. Balow says, "Today a data security protocol is no longer a 'nice-to-have'; it is a must-have."
The essence of automotive cybersecurity's current state of capability: It’s possible to thwart most—but not all—cyber incidents.
“You can put in place all the preventive medicine that you want, but a cyber disruption is going to happen. The relevant question for an organization is ‘how will you respond?’” said Bill Hardin, Vice President of Forensic & Cyber Investigations at Charles River Assoc.
Hardin and other cyber security experts who recently spoke with Automotive Engineering stress the importance of developing a response plan for online attacks. A company’s general counsel, chief information security officer and outside legal counsel typically are involved in assembling such a plan.
“It can be just a one-pager that states the response team’s quarterback, the things that need to be done and the folks who need to get involved,” Hardin said.
Whether it’s a virus, a ransomware demand, or another type of cyber attack, the disruption requires immediate attention. And the unfolding situation needs to be handled in a coordinated manner.
Brian Balow, a member of the law firm Dawda, Mann, Mulcahy & Sadler PLC, advises clients dealing with a cyber situation to avoid communicating via emails and texts.
“While deliberating the incident, the response and recovery should be done with face-to-face meetings and phone calls,” he said. “After you’ve made decisions about what to do, then you can document those decisions in writing.”
It’s important to keep the information technology landscape intact after a cyber hack. “Preserve the IT environment if you can. If you do not have a system backup, you may be required to reconstruct the databases. And doing that reconstruction means you’ve lost a lot of the server log information,” Balow noted. “That historical information can be used to help understand what happened and understand how many individuals were affected.”
The impulse to shut down a computer and restart it could further complicate a cyber situation, according to Brian Warszona, Vice President, Cyber Specialist for Willis Towers Watson. “You really don’t want to do something when you’re not even sure what it is. It could just be a computer glitch,” he said. “Don’t panic; consult with your company’s designated response-plan quarterback.”
A rush to judgment can be pointless, especially since not all cyber incidents trace back to hackers. “How did the bad guys get into the system? Did they even get into it? Was it a misconfiguration of code? It comes down to how quickly we can make a determination, preserve the evidence and do what’s necessary to limit the operational impact on the organization,” Hardin said.
Meanwhile, cyber-attack 'rehearsals' can be good practice to stay prepared. “Let’s say a company is concerned about a ransomware demand. The response team, along with outside legal counsel, could do a few tabletop exercises to see if there are any vulnerabilities in the process,” suggested Warszona.
Having procedures and policies in place before a cyber disruption is just as important as training the workforce on the cybersecurity action plan. Observed Balow, “A data security protocol is not ‘nice-to-have’ anymore, it’s a must-have.”
Author: Kami Buchholz
Source: SAE Automotive Engineering Magazine
- Industry: Automotive
- Topics: Safety; Ergonomics/Human factors; Electrical, electronics & avionics