The power of community participation with Faye Francy, Executive Director, Auto-ISAC
The old phrase “sharing is caring” is something that Faye Francy has seen revolutionize entire industries. From her years as a Boeing Commercial Airplanes Cybersecurity ONE team leader, to Aviation-ISAC, and ultimately becoming the Executive Director of Automotive-ISAC, Faye has the unique vantage point of enabling communication between very private and siloed industries.
Faye’s interview on the Left To Our Own Devices podcast dove into how, shortly after she joined Boeing in 2001, the September 11th attacks on the United States sent a shockwave throughout the industry. Not only had its products been used for terror, but the entire industry began asking what would happen in a ‘Cyber 9/11’, in which a product’s security and capabilities were compromised while in the air.
Very quickly, she was tasked with helping an internal team take account of their connected devices. It was at this point that she realized that there was a lot they didn’t yet know. Yet, she also knew that taking the time to organize this information presented an opportunity to strengthen Boeing’s product security in a meaningful way. “Concerning what happened during 9/11, we examined where we were with our networking and our network infrastructure, our cabin and network systems, our infotainment systems and all of that. We realized that we needed to do more, and so that started my journey into cybersecurity in aviation.”
From that point, Faye was active in Aviation-ISAC, which focused on creating a space for sharing cybersecurity and product security information across organizations. This was at a time when such collaboration was nearly unheard of, let alone in such a structured and open format. “I can tell you that while there were four airplanes built by Boeing that took the hit that day, on 9/11, Airbus’s stock went down just as low as the Boeing Company’s,” said Francy, describing how the industry was in this together, whether it wanted to be or not. “And so, one of the best stories I can tell is how Airbus and Boeing started to collaborate.”
Collaboration beyond aviation
Upon retiring from Boeing, Faye was approached by some people who wanted to create a similar organization to Aviation-ISAC, but for automotive.
Automotive OEMs and their Tier-N suppliers were becoming increasingly software-driven and faced challenges similar to those of the aviation industry. While each automaker was committed to continuous operational availability and passenger safety, the gaps in their security practices demanded an approach that reached beyond the capabilities of any individual organization.
Given the age of these automotive manufacturers, their size, and the ecosystems they command, change would appear to be rare. Yet the industry has proven responsive and adaptive to the changing landscape it faces. “This industry is absolutely amazing, right? What I’ve seen in the six years that I’ve been here has been really inspiring,” said Faye. “From a personal perspective, it’s really exciting to see the transformations that are going on. Certainly with EVs but of course, the more and more the connectedness comes in, the more and more we have to be concerned about cybersecurity. And in fact, the OEMs and the supply chain have been working very hard together to learn about how to integrate cybersecurity practices with vendors outside of their companies.”
Regulation vs. risk
Much of what keeps Faye Francy motivated is the implementation of regulations across the automotive industry. While she says that there’s a limit and a balance to regulation, it also displays a joint collaboration between the private sector and public sector in trying to tackle one of the greatest challenges of our time.
“I think regulation is important from a consumer perspective. It will happen. How much is needed, I think needs to be examined as we move forward,” said Faye. “And it is constantly being examined, certainly by the government and I would say by the industry. Working together with the industry and government is one of the most important things we can do to really ensure that we are not over regulating and certainly not under regulating.”
She pointed out that both over- and under-regulation can have harmful effects on companies and vehicle operators alike. Companies take the first steps towards meeting new regulations with caution as they try to incorporate requirements into their existing practices and policies. Where these regulations go and what they will look like in a few short years is anyone’s guess. Ultimately, companies need to focus on keeping their businesses in operation, regulations or not.
Ensuring product security is inevitably balanced with taking calculated business risks. As Francy states, “Clearly there are some risks that are what I would call intolerable. The risk to human life? That would be an intolerable risk.” But many risks that exist in the automotive industry are focused on obtaining either private user or organizational data, not harming operators. There is no perfect solution.
Francy continued, “I think we would like to have a perfect solution, but we know from this emerging threat that there are no perfect solutions.” The battle is uneven, so it’s a matter of examining risk, calculating the odds of failure or a breach, understanding its impact, and trying to mitigate it as quickly as possible using minimal resources.
Improving the industry’s product security
Whether in aviation, automotive, healthcare, or any other sector, embedded systems face similar challenges. Product security practitioners stand to learn quite a lot about the challenges and security opportunities that lie in our devices.
Many of the challenges we face can be traced back to the infrastructure our connected devices rely on. Much of it was never meant to handle this level of connectivity and certainly didn’t have cybersecurity in mind. That’s why we need to focus on collaboration, discussing how we integrate new technologies into existing infrastructure and design better, more secure products.
“Collaborate. Share. Those are very simple. These are singular words that really have a lot of meaning behind them. In order to work through this issue, we really do need to work together. We need to collaborate, we need to learn from each other,” said Francy.
Evaluating best practices, considering what’s down the road, and cataloging exactly what is in our devices with software bills of materials (SBOMs) are going to set the foundation for the automotive industry’s growth into the future.