
Auto-ISAC Community Call … · Please find attached the Weekly Automotive Industry Report...

Date post: 08-Jul-2020
Page 1

6 July 2018 TLP Green: May be shared within the Auto-ISAC Community.

Hi All,

Please find attached the Weekly Automotive Industry Report covering April 3 - April 8.

This week’s report includes articles on:

Toyota partnering with Microsoft on a new cloud-based division led by the CIO,

that builds chips for self-driving cars,

Hyundai unveiling its connected vehicle “roadmap,” and,

Toyota planning to open a new autonomous vehicle research center in Michigan.

You can find past reports on site.

Please let me know if you have any questions. Have a great weekend.

Josh

Auto-ISAC Monthly Community Call

11 July 2018

Audio: 1-877-885-1087 Code: 9972152385

Skype link: https://autoisac.adobeconnect.com/communitycall/

TLP Green: May be shared within Auto-ISAC Community.

Page 2

Agenda

Time (ET)   Topic

10:00   Welcome
        • Why we’re here
        • Expectations for this community

10:10   Auto-ISAC Update
        • Auto-ISAC overview
        • Heard around the community

10:20   Featured Speakers
        • Justin Cappos, Professor at New York University
        • Sebastien Awwad, Lead Developer for Uptane

10:45   Around the Room
        • Sharing around the virtual room

10:55   Closing Remarks

Page 3

Welcome to our community!

Welcome

Purpose: These monthly Auto-ISAC Community Meetings are an opportunity for you, our Members and connected vehicle ecosystem stakeholders, to:
• Stay informed of Auto-ISAC activities
• Share information on key vehicle cybersecurity topics

Participants: Auto-ISAC Members, Potential Members, Partners, Academia, Industry Stakeholders, and Government Agencies

Classification Level: TLP Green, and “off the record”

Agenda: Each meeting will have three core segments:
1) Auto-ISAC Update: Our operations team will overview key activities, outcomes, and intel trends
2) Featured Speaker: We will invite an industry leader to share relevant topics of interest. Content featured on the Auto-ISAC Community Call is not considered an endorsement. Speakers are selected based on their relevant content and experience for the broader community.
3) Closing Remarks: An Auto-ISAC leader will open up for comments and sum up key takeaways

How to Connect: For further info, questions, or to add other POCs to the invite, please contact Auto-ISAC Membership Engagement Lead Kim Kalinyak ([email protected])

Page 4

Expectations for this community

Share – “If you see something, say something!”
• Submit threat intelligence
• Send us information on potential vulnerabilities
• Contribute incident reports and lessons learned
• Provide best practices around mitigation techniques

Participate
• Participate in monthly virtual conference calls (1st Wednesday)
• If you have a topic of interest, connect with our Membership Engagement Lead, Kim Kalinyak – [email protected], to apply for a speaking opportunity at one of these calls

Join
• If your organization is eligible, apply for Auto-ISAC membership
• If you aren’t eligible for membership, connect with us as a partner

Welcome

Page 5

Our 2018 BoD Leadership

• Jeff Massimilla, Auto-ISAC Chairman, General Motors
• Tom Stricker, Auto-ISAC Vice Chairman, Toyota
• Mark Chernoby, Auto-ISAC Treasurer, FCA
• Steve Center, Auto-ISAC Secretary, Honda
• Jeff Stewart, Affiliate Advisory Board Chairman, AT&T

2018 AAB Leadership

• Jeff Stewart, Affiliate Advisory Board Chair, AT&T
• Geoff Wood, Affiliate Advisory Board Vice Chair, Harman
• Bob Kaster, Supplier Affinity Group Chair, Bosch

Page 6

Auto-ISAC Program Operations Team

• Faye Francy, Executive Director. E: [email protected]
• Josh Poster, Program Operations Manager. E: [email protected]
• Jessica Etts, Senior Intel Coordinator. E: [email protected]
• Kim Kalinyak, Membership Engagement Lead. E: [email protected]
• Candice Burke, Business and Executive Administrator. E: [email protected]
• Heather Rosenker, Communications (Auto-Alliance). E: [email protected]
• Julie Kirk, Finance. E: [email protected]

Auto-ISAC Staff

Staff Updates

Page 7

Auto-ISAC Support Staff

Auto-ISAC Support Team

• Denis Cosgrove, Senior Associate, BAH. [email protected]
• Meredith Shaw, Program Manager. [email protected]
• Pat Ruff, System Admin, BAH. [email protected]
• Michele David, Intel Lead, BAH. [email protected]
• Linda Rhodes, Legal Counsel, Mayer Brown. [email protected]
• Sudharson Sundararajan, Best Practices Lead, BAH. [email protected]
• Rob Geist, Accountant, Tate and Tryon. [email protected]
• Sarah Kelch, Portal Lead. [email protected]

Support Updates

Page 8

Auto-ISAC overview

Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.

Scope: Light- and heavy-duty vehicles, commercial vehicle fleets and carriers. Currently, we are focused on vehicle cyber security, and anticipate expanding into manufacturing and IT cyber related to the vehicle.

• 900+ community members
• Membership represents 99% of cars on the road in North America
• 200+ active users
• Members from 7 countries on 3 continents
• 19 OEM members
• Coordination with 23 critical infrastructure ISACs through the National ISAC Council
• 160+ intel reports
• 200+ media mentions
• 6+ partners
• 50+ speaking engagements
• 4 Best Practice Guides complete, 3 more planned
• 28 supplier & commercial vehicle members

Auto-ISAC Update

Page 9

Recent activities

Auto-ISAC Update

What we do

Highlights of key activities in June

• Auto-ISAC hired a Business and Executive Administrator, Candice Burke. Welcome Candice!
• Auto-ISAC and BPWG started developing the Best Practice Guide #6 on Threat Detection and Analysis.
• Auto-ISAC continued planning our Annual Summit happening in September 2018.
• Auto-ISAC attended the TU Automotive Summit in Detroit, MI.

Page 10

Auto-ISAC Update

Heard around the community

CyberTruck Challenge
June 11-15, 2018

• Hosted at Macomb Community College in Warren, MI.
• Event had two phases including:
  • Hands-on training for engineering and computer science students to understand practical aspects of heavy vehicle networks, telematics, and diagnostic systems.
  • Cybersecurity analysis assessments on available devices and assets that provided sponsors with great value through observing and interacting with assessment teams.
• Students attending the challenge came from various universities including: Colorado State University, Arizona State University, and Virginia Tech.

TU Automotive
June 6-7, 2018

• World’s largest conference and expo for future automotive technology with 4000 attendees.
• Executive Director, Faye Francy monitored a panel with representatives from GM, Harman, and Continental that highlighted:
  • The mission of Auto-ISAC
  • How Auto-ISAC operates
  • The different engagement opportunities available.

ITS America
June 5-7, 2018

• Executive Director, Faye Francy was a participant in the Cyber Security and Risk Management Panel along with representatives from the State of Michigan and New York City Department of Transportation.

Page 11

Information Sharing

Activity of Interest – what’s happening around the industry

Topic: Fault injection as a technique to bypass the security of diagnosis protocol implementations

Description: Researchers from Riscure prove that it is possible for an attacker to inject faults and bypass the UDS authentication, obtaining access to the internal Flash and SRAM memories of the targets. By analyzing the dumped firmware, the keys and algorithm that protect the UDS are extracted, giving full access to the diagnosis services without requiring the use of fault injection techniques. Riscure shared their research findings for the first time at Escar 2018 on June 20-21. To read Riscure's entire findings, visit https://www.riscure.com/publication/fault-injection-automotive-diagnostic-protocols/#jump-to

Topic: TLBleed: When Protecting Your CPU Caches is not Enough

Description: Security Researchers from VU University will present findings at DEF CON 2018 regarding TLBleed, a novel side-channel attack that leaks information out of Translation Lookaside Buffers (TLBs). The exploit successfully leaks a 256-bit EdDSA key from cryptographic signing code, which would be safe from cache attacks with cache isolation turned on, but would no longer be safe with TLBleed. Further, they will show how another exploit based on TLBleed can leak bits from a side-channel resistant RSA implementation. This talk contains details about the architecture and complex behavior of modern, multilevel TLBs on several modern Intel microarchitectures that are undocumented and will be publicly presented for the first time. https://www.blackhat.com/us-18/briefings/schedule/#tlbleed-when-protecting-your-cpu-caches-is-not-enough-10149

Topic: Blackhat & DEF CON

Description: Blackhat and DEF CON will take place on August 4-9 and 9-12 respectively. Both are general cybersecurity/information security conferences and will feature talks related to the automotive industry. https://defcon.org/html/defcon-26/dc-26-index.html, https://www.blackhat.com/us-18/

Page 12

Connect with us at upcoming events:

• Nuit du Hack: June 30-July 1, Paris, France
• Auto-ISAC Community Call ***: July 11, Virtual Telecon
• Auto-ISAC Member Analyst Workshop ***: July 17-18, Plano, TX
• Auto-ISAC Board of Directors Meeting ***: July 19, Plano, TX
• SAE CyberAuto Challenge™: July 22-27, Detroit, MI

Event outlook

Auto-ISAC Update

For full 2018 calendar, visit www.automotiveisac.com

Page 13

Speaker series overview

Featured Speaker

Why do we feature speakers?
• These calls are an opportunity for information exchange
• Our goal is to help the vehicle cyber community mature

What does it mean to be featured?
• We try to balance perspectives across our ecosystem—including government, academia, research, industry associations, security solutions providers—to showcase a rich, balanced variety of topics and viewpoints throughout the year
• Featured speakers are not endorsed by Auto-ISAC
• Featured speakers do not speak on behalf of Auto-ISAC

How can I be featured?
• If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Membership Engagement Lead, Kim Kalinyak ([email protected])

Page 14

Welcome to today’s speakers

Featured Speaker

Abstract: Uptane is the first compromise-resilient software update security system for the automotive industry. Unlike other software update security systems (e.g., OMA-DM, SSL / TLS, signing updates with a single offline GPG / RSA key, etc.), it addresses a comprehensive threat model. It is designed to make it extremely difficult for attackers to be able to install malware on all vehicles maintained by a manufacturer, even if attackers have compromised some keys used to sign updates. At the same time, Uptane has been designed to be extremely flexible, so as to accommodate a wide variety of deployment scenarios, and allows on-demand customization of updates installed on vehicles.

Justin Cappos is a professor in the Computer Science and Engineering department at New York University. His research advances are adopted into production use by Docker, git, Python, VMware, automobiles, Cloudflare, Digital Ocean, and most Linux distributions. His Uptane project is integrated into Automotive Grade Linux and is being deployed for secure over-the-air updates by major automakers. His TUF project, which focuses on secure software distribution, was recently adopted by the Linux foundation and was the first cloud security technique standardized. Due to the practical impact of his work, Justin was named to Popular Science's Brilliant 10 list in 2013.

Sebastien Awwad is the lead developer for Uptane and a developer for The Update Framework. He has spent the past several years working on the security of software update systems. In the past, he's worked on real-time experimental systems, banking software, and computational neuroscience.

Page 15

Uptane

Securing Over-the-Air Updates

Justin Cappos

New York University

Page 16

What do these companies have in common?

Page 17

What do these companies have in common?

Users attacked via software updater!

Page 18

Software repository compromise impact

• SourceForge mirror distributed malware.
• Attackers impersonate Microsoft Windows Update to spread Flame malware.
• Attacks on software updaters have massive impact
  • E.g. South Korea faced 765 million dollars in damages.
• NotPetya spread via software updates!

Page 19

The modern automobile

[Diagram: vehicle with labelled components: Exhaust, Engine Control Unit, TCU, Transmission, Brake Line, ABS, Airbag Control Unit, Body Controller (Locks/Lights/Etc), Radio, Telematics, Internet/PSTN, HVAC, Keyless Entry, Anti-Theft]

Page 20

◼ Researchers have made some scary attacks against vehicles

▪ remotely controlling a car's brakes and steering while it's driving

▪ spontaneously applying the parking brake at speed

▪ turning off the transmission

▪ locking driver in the car

Cars are multi-ton, fast-moving weapons

People will die

Cars Are Dangerous

Page 21

Updates Are Inevitable

◼ Millions of lines of code means bugs

◼ Regulations change -> firmware must change

◼ Maps change

◼ Add new features

◼ Close security holes

◼ Cars move across borders…

Page 22

Updates Must Be Practical

◼ Updating software/firmware has often meant recalls.

◼ Recalls are extremely expensive

▪ GM spent $4.1 billion on recalls in 2014

▪ GM's net income for 2014 was < $4 billion

▪ People do not like recalls.

◼ Updates must be over the air.

Page 23

◼ Update -> Control

Updates Are Dangerous

Page 24

◼ Nation-state actors pull off complex attacks

▪ Must not have a single point of failure

Secure Updates

Page 25

What to do?

Must update to fix security issues

Insecure update mechanism is a new security problem

“...No one Can Hack My Mind”: Comparing Expert and Non-Expert Security Practices. Ion, et al. SOUPS 2015

Page 26

What are some of the attacks?

Attacks

Page 27

Arbitrary software attack

[Diagram: the client asks the Repository "Is there an update?" and is told "Here is an update..."; boxes labelled ECU-1 v.10, ECU-1 v.12 and ECU-1 v.Evil]

Page 28

Freeze attack

[Diagram: the client asks the Repository "Is there an update?" and is told "Same old, same old!"; boxes labelled ECU-1 v10, ECU-1 v12 and ECU-1 v10]

Page 29

Rollback attack

[Diagram: the client asks the Repository "Is there an update?" and is told "Here is an update"; boxes labelled ECU-1 v10, ECU-1 v1 and ECU-1 v12]

Page 30

Slow retrieval attack

[Diagram: the client asks the Repository "Is there an update?" and is told "Y … e … a … h … …"; boxes labelled ECU-1 v10 and ECU-1 v12]

Page 31

Mix and Match attacks

[Diagram: the client asks the Repository "Is there an update?" and is told "Here is an update"; boxes labelled ECU-1 v10 and ECU-2 v10; Bundle-2 with ECU-1 v12 and ECU-2 v12; ECU-2 v12 and ECU-1 v11]

Page 32

Partial Freeze attack

[Diagram: the client asks the Repository "Is there an update?" and is told "Here is an update"; boxes labelled ECU-1 v10 and ECU-2 v10; Bundle-2 with ECU-1 v12 and ECU-2 v12; ECU-2 v12 and ECU-1 v12]

Page 33

So how do people try to prevent these attacks?

Page 34

Update Basics

[Diagram: Client sends "xyz.tgz, pls" to the Repository and receives xyz.tgz]

Page 35

Inadequate Update Security 1: TLS/SSL

Traditional solution 1: Authenticate the repository (TLS, SSL, etc)

[Diagram: Client sends "xyz.tgz, pls" to the Repository and receives xyz.tgz; a Certificate Authority states "Key XYZ speaks for domain repo.net"; the Repository holds key XYZ]

Page 36

Inadequate Update Security 2: TLS/SSL

Transport Layer Security: Problem 1

Client has to trust all of these Certificate Authorities

[Diagram: Client sends "xyz.tgz, pls" to the Repository and receives xyz.tgz; a Certificate Authority states "Key XYZ speaks for domain repo.net"; the Repository holds key XYZ]

Page 37

Inadequate Update Security 3: TLS/SSL

Transport Layer Security: Problem 2

Client has to trust this key.

… which HAS to exist ON the repository, to sign communications continuously.

[Diagram: Client sends "xyz.tgz, pls" to the Repository and receives xyz.tgz; a Certificate Authority states "Key XYZ speaks for domain repo.net"; the Repository holds key XYZ]

Page 38

Inadequate Update Security 4: Just Sign!

Traditional Solution 2: Sign your update package with a specific key. Updater ships with corresponding public key.

Client has to trust this key

… used for every update to the repository.

… key ends up on repo or build farm.

If an attacker gains the use of this key, they can install arbitrary code on any client.

[Diagram: Client sends "xyz.tgz, pls" to the Repository and receives xyz.tgz; key labelled XYZ]

Page 39

Update Security

[Diagram: Client sends "xyz.tgz, pls" to the Repository and receives xyz.tgz]

We need:

● To survive server compromise with the minimum possible damage.
  ○ Avoid arbitrary package attacks
● Minimize damage of a single key being exposed
● Be able to revoke keys, maintaining trust
● Guarantee freshness to avoid freeze attacks
● Prevent mix and match attacks
● Prevent rollback attacks
● Prevent slow retrieval attacks
● ...

Must not have single point of failure!

Page 40

TUF goal “Compromise Resilience”

● TUF secures software update files

● TUF emerges from a serious threat model:

○ We do NOT assume that your servers are perfectly secure

○ Servers will be compromised

○ Keys will be stolen or used by attackers

○ TUF tries to minimize the impact of every compromise

The Update Framework (TUF)

Linux Foundation CNCF project

CII Best Practices Silver Badge

Page 41

Responsibility Separation

[Diagram labels: timeliness; Root of trust; content consistency]

The Update Framework (TUF)

Page 42

TUF Roles Overview

● Timestamps (timeliness)
● Root (root of trust)
● Snapshot (consistency)
● Targets (integrity)

The Update Framework (TUF)

Page 43

The Update Framework (TUF)

[Diagram: Client sends "xyz.tgz, pls" to the Repository and receives xyz.tgz; labelled "Role metadata (root, targets, timestamp, snapshot)"]

Page 44

The modern automobile

[Diagram: vehicle with labelled components: Exhaust, Engine Control Unit, TCU, Transmission, Brake Line, ABS, Airbag Control Unit, Body Controller (Locks/Lights/Etc), Radio, Telematics, Internet/PSTN, HVAC, Keyless Entry, Anti-Theft]

Automobiles present particular difficulties.

Page 45

● Timeserver

● Multiple Repositories: Director and Image Repository

● Manifests

● Primary and Secondary clients

● Full and Partial verification

Uptane builds on The Update Framework (TUF)

Page 46

Uptane: Client-side Basics

[Diagram labels: Primary; Client; Secondary (twelve boxes); Cell Network]

Page 47

Uptane: High level view

[Diagram: Image Repository (Section 5); Director Repository (Section 6) with Director and Inventory Database; Time Server (Section 7); Vehicle (Section 8) with a Primary ECU, Full Verification (FV) Secondaries and Partial Verification (PV) Secondaries; arrows labelled "metadata & images" and "vehicle manifests"]

Page 48

Time server

Page 49

Time server

● A primary sends a list of tokens, one for each ECU, to the time server.

● An automated process on the time server returns a signed message containing: (1) the list of tokens, and (2) the current time.

[Diagram: (1) the vehicle's Primary sends a list of tokens to the automated process on the time server; (2) the Primary receives the signed current time & list of tokens]

Page 50

Image repository

Page 51

The image repository

● When possible, OEM delegates updates for ECUs to suppliers.

● Delegations are flexible, and accommodate a variety of arrangements.

[Diagram: Metadata roles root, timestamp, snapshot and targets (OEM-managed) and A, B, C, D, E (supplier-managed); legend: signs metadata for, signs root keys for, delegates images to, signs for images; delegation pattern B*.img; images A1.img, B3.img, CA5.img, CB2.img]

Page 52

Director repository

Page 53

Director repository

● Records vehicle version manifests.

● Determines which ECUs install which images.

● Produces different metadata for different vehicles.

● May encrypt images per ECU.

● Has access to an inventory database.

[Diagram: vehicle Primary, Automated process, Inventory database and repository (timestamp metadata, snapshot metadata, targets metadata, encrypted image); steps: (1) sends vehicle version manifest, (2) reads & writes, (3) writes, (4) receives link to timestamp metadata]

Page 54

Big picture

[Diagram: Image Repository (Section 5); Director Repository (Section 6) with Director and Inventory Database; Time Server (Section 7); Vehicle (Section 8) with a Primary ECU, Full Verification (FV) Secondaries and Partial Verification (PV) Secondaries; arrows labelled "metadata & images" and "vehicle manifests"]

Page 55

Uptane workflow on vehicle


Downloading updates (1)

● Primary receives an ECU Version Manifest and a nonce from each Secondary.

● Primary produces a Vehicle Version Manifest (VVM), a signed record of what is installed on Secondaries.

● Primary sends the VVM to the Director.

● Primary sends the nonces to the Timeserver.


Downloading updates (2)

● Timeserver returns the signed [time and nonces] to the Primary.


Downloading updates (3)

● The Primary downloads metadata from both the Director and Image repositories on behalf of all ECUs.

● The Primary performs full verification of metadata on behalf of all Secondaries.


Full verification

1. Load the latest downloaded time from the time server.

2. Verify metadata from the director repository.
   a. Check the root metadata file.
   b. Check the timestamp metadata file.
   c. Check the snapshot metadata file.
   d. Check the targets metadata file.

3. Download and verify metadata from the image repository.
   a. Check the root metadata file.
   b. Check the timestamp metadata file.
   c. Check the snapshot metadata file, especially for rollback attacks.
   d. Check the targets metadata file.
   e. For every image A in the director targets metadata file, perform a preorder depth-first search for the same image B in the targets metadata from the image repository, and check that A = B.

4. Return an error code indicating a security attack, if any.


Partial verification

1. Load the latest downloaded time from the time server.

2. Load the latest top-level targets metadata file from the director repository.
   a. Check for an arbitrary software attack. This metadata file must have been signed by a threshold of keys specified in the previous root metadata file.
   b. Check for a rollback attack.
   c. Check for a freeze attack. The latest downloaded time should be < the expiration timestamp in this metadata file.
   d. Check that there are no delegations.
   e. Check that every ECU identifier has been represented at most once.

3. Return an error code indicating a security attack, if any.
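The partial verification checks above, as an added example that is not taken from the slides or from the Uptane reference implementation. Assumptions: HMAC-SHA256 stands in for the public-key signatures so the code runs on the standard library alone, and the metadata layout (`ecu_id`, `version`, `expires`), the error-code names and the sample keys are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical error codes, one per check in step 2 of the slide.
OK, BAD_SIGNATURE, ROLLBACK, FREEZE, HAS_DELEGATIONS, DUPLICATE_ECU = range(6)

def _mac(key, signed):
    # Stand-in for a public-key signature over the canonical JSON of "signed".
    blob = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def sign(signed, keyids, keys):
    sigs = [{"keyid": k, "sig": _mac(keys[k], signed)} for k in keyids]
    return {"signed": signed, "signatures": sigs}

def partial_verify(meta, trusted_keys, threshold, prev_version, latest_time):
    signed = meta["signed"]
    # 2a. Arbitrary software: a threshold of DISTINCT trusted keys must have signed.
    valid = {s["keyid"] for s in meta["signatures"]
             if s["keyid"] in trusted_keys
             and hmac.compare_digest(_mac(trusted_keys[s["keyid"]], signed), s["sig"])}
    if len(valid) < threshold:
        return BAD_SIGNATURE
    # 2b. Rollback: the version number must not go backwards.
    if signed["version"] < prev_version:
        return ROLLBACK
    # 2c. Freeze: latest time-server time must be < the expiration timestamp.
    if not latest_time < signed["expires"]:
        return FREEZE
    # 2d. The director's top-level targets file must carry no delegations.
    if signed.get("delegations"):
        return HAS_DELEGATIONS
    # 2e. Every ECU identifier may be represented at most once.
    ecus = [t["ecu_id"] for t in signed["targets"].values()]
    if len(ecus) != len(set(ecus)):
        return DUPLICATE_ECU
    return OK

# Constructed sample data: two director targets keys, threshold 2, Unix-second times.
KEYS = {"k1": b"constructed-key-1", "k2": b"constructed-key-2"}
GOOD = {"version": 7, "expires": 2000, "delegations": {},
        "targets": {"brake-2.img": {"ecu_id": "brake"},
                    "radio-5.img": {"ecu_id": "radio"}}}

if __name__ == "__main__":
    print(partial_verify(sign(GOOD, ["k1", "k2"], KEYS), KEYS, 2, 6, 1500))
```

Counting distinct key IDs in check 2a matters: two signatures from the same key must not satisfy a threshold of two.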


Uptane status / wrap up


Uptane “Reference” Implementation

● Goal: Assist other implementers

○ Code readability is a primary goal

● Not the most popular implementation in practice (by design)

○ Readability > performance / implementation size

■ Most TUF deployments do not use the reference implementation

○ Useful as a reference, conformance testing, etc.

● Open source, free to use (MIT License)

○ Other groups are free to contribute!


Security Reviews

Reviews of implementations and design:

○ Cure53 audited ATS's Uptane implementation

○ NCC Group audited Uptane's reference implementation (pre-TUF fork)

○ SWRI finalizing Uptane reference implementation / specification audit

○ ...


Uptane Integration

Work closely with vendors, OEMs, etc.

● Security reps from 78% of cars

● Many top suppliers / vendors

○ ~12-35% of cars on US roads

● Automotive Grade Linux

● OEM integrations

○ Easy to integrate!


Press

○ Dozens of articles

○ TV / Radio / Newspapers / Magazines


Get Involved With Uptane!

● Workshops

● Technology demonstration

● Compliance tests

● Standardization ( IEEE / ISTO )

● Join our community! (email: [email protected] or go to the Uptane forum)

https://uptane.github.io/


For more details, please see the Implementation Specification and other documentation at uptane.github.io


Open discussion

Around the Room

What questions or topics would you like to address?


Closing Remarks

How to get involved: Membership

If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC. Key benefits this year include:

• Real-time Intelligence Sharing

• Intelligence Summaries

• Crisis Notifications

• Member Contact Directory

• Development of Best Practice Guides

• Exchanges and Workshops

• Webinars and Presentations

• Annual Auto-ISAC Summit Event

To learn more about Auto-ISAC Membership or Partnership, please contact Kim Kalinyak ([email protected]).


Strategic Partnership Programs

NAVIGATOR: Support Partnership

- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities

INNOVATOR: Paid Partnership

- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed

COLLABORATOR: Coordination Partnership

- “See something, say something”
- May not require a formal agreement
- Information exchanges - coordination activities

BENEFACTOR: Sponsorship Partnership

- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events

Strategic Partners

Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive

Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, A-ISAC, DHS, NHTSA

Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events

Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA


This document is Auto-ISAC Sensitive and Confidential. 6 July 2018

Strategic Partnership Programs

[Slide section labels: Activities; Benefits; Future Plans]

Research: Some partners share white papers and research projects—on threats & vulnerabilities—with our members.

Webinars: We are open to partners presenting at our Community Town Halls, with audience including members & beyond.

Branding on the Auto-ISAC Website: Partner names and/or logos will be featured on the Auto-ISAC public-facing website.

Community Town Halls: We invite you to monthly calls featuring experts across the connected vehicle ecosystem.

Member Discounts: Some partners promote discounts or special offers for services (e.g. conferences, software licenses).

Other: We are open to other types of in-kind support (e.g. training, infrastructure support) based on your expertise.

Intel Sharing: Some partners submit relevant data, insights and papers addressing threats against the automotive industry.

Annual Executive Call: Our executives will host a call once a year for all Members and partners to present our strategic goals and priorities.

Summit Booth Priority: Partners will receive priority booth selection at future Auto-ISAC Summits.

Access to Auto-ISAC Reports: Our partners receive Auto-ISAC TLP Green/White reports and special reports at Auto-ISAC’s discretion.


Our contact info

Faye Francy, Executive Director
Booz Allen Hamilton Inc.
20 M Street SE
Washington, DC 20003
703-861-5417
[email protected]

Kim Kalinyak, Membership Engagement Lead
Booz Allen Hamilton Inc.
20 M Street SE
Washington, DC 20003
240-422-9008
[email protected]

Josh Poster, Program Operations Manager
Booz Allen Hamilton Inc.
20 M Street SE
Washington, DC 20003
[email protected]


Meredith Shaw, Transition Support
Booz Allen Hamilton Inc.
901 15th Street Northwest
Washington, DC 20005
703-377-9853
[email protected]

M Michele David, Intel Coordinator
Booz Allen Hamilton Inc.
901 15th Street Northwest
Washington, DC 20005
[email protected]

Jessica Etts, Senior Intel Coordinator
Booz Allen Hamilton Inc.
20 M Street SE
Washington, DC 20003
[email protected]

Candice Burke, Business and Executive Administrator
Booz Allen Hamilton Inc.
20 M Street SE
Washington, DC 20003
[email protected]

