The auto industry now has at least a couple of "best practices" guides for cybersecurity.

One, from the Automotive Information Sharing and Analysis Center (Auto-ISAC), was released about a month ago and generated a flurry of stories that highlighted the group's exhortations to automakers to start building security into their software from the ground up, from design through production.

Another is from Intel Security, which released a white paper earlier this month titled "Automotive Security Best Practices," a set of "recommendations for building security into the design, fabrication and operation phases of the automotive production process," according to McAfee blogger Lorie Wigle (McAfee was acquired by Intel in 2011).

"More than just a set of recommendations, this paper is a call to action for the industry to integrate best practices into their processes now to achieve automotive security," she wrote.

And, a cynic might add, a long-delayed call to action. While welcome in the security community, the call for best practices also raises the question of why it has taken so long to put a serious focus on automotive cybersecurity.

Vehicles have been increasingly "connected" for decades, and the attack surface is now, according to more than one study, varied and porous.

GPS became available in production cars in the mid-1990s, Bluetooth started becoming common by 2007 and Wi-Fi connectivity arrived several years later, along with video chat and streaming content. That connectivity has also made vehicles "smarter": they can call 911 if there is a crash, and many have accident-avoidance features built in.

All of which has improved physical safety and made vehicles into entertainment centers.
But it has also made them much more vulnerable. Anything that is connected is hackable.

In a white paper titled "Commonalities in Vehicle Vulnerabilities," released earlier this month, the cybersecurity firm IOActive noted the breadth of the attack surface: data can enter vehicles through cellular radio, Bluetooth, Wi-Fi, V2V radio, infotainment media, companion apps and Zigbee radio.

The company said it had spent 16,000 hours researching vehicle cybersecurity since 2013. Using a scoring formula that combines the severity of a vulnerability with the likelihood that it will be exploited, it ranked 22 percent of the more than 150 vulnerabilities it found as critical. "These are the high-priority 'hair on fire' vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component," wrote Corey Thuen, senior security consultant and the report's author.

The problems have been increasingly apparent for several years now. A report from the financial advisory firm Stout Risius Ross found that the percentage of vehicle recalls attributed to software problems tripled between 2011 and 2015.

Obviously people's laptops, smartphones, bank accounts and increasingly their "smart" homes are also hackable. But the stakes are much higher in a moving vehicle. If your credit card gets compromised, you can get a different one. If your bank account is hacked, you could lose a lot of money. But if your car gets hacked, you could lose your life.

That has been most famously demonstrated at the past two Black Hat conferences by Charlie Miller and Chris Valasek, the researchers who now work for the ride-hailing service Uber.
Last year they showed that a 2014 Jeep Cherokee could be hijacked remotely. Chrysler recalled 1.4 million vehicles after that demonstration and patched the flaw that allowed the two to reach the car over the network. This year, with that remote path closed, they had to have a laptop plugged into the Jeep's Controller Area Network (CAN) through the diagnostic port under the dashboard. But with that physical access they were able to bypass the CAN protections and create much more dangerous mischief, hijacking steering, acceleration and brakes: turning the wheel or slamming on the brakes at any speed.

And they and other experts say it is only a matter of time before hackers find ways to do that remotely.

As software management consultant Art Dahnert put it in a post on Dark Reading, "the age-old problem of software development failing to 'build security in' is leading to insecurity in automobiles today."

So yes, Thuen agrees that "best practice initiatives are late. We have legacy technology mixed with modern technology being developed by companies that are just exploring this area of technology," he said, "and all of that is a recipe for security gaps."

But he and others say there is almost always a delay when a new technology is brought into a well-established industry.

The auto industry is "dealing with the challenge of adding connectivity to systems that were never intended to be connected," said Steve Grobman, CTO for Intel Security Group.

Thuen agrees.
"The emerging technologies have moved these auto companies from automobile manufacturers to Silicon Valley companies who also manufacture automobiles," he said.

And there is evidence that the industry's big players, which have always been notoriously secretive about both their plans and their problems, are concerned enough about their software vulnerabilities to share cyber threat information and solutions with one another.

"We've seen a sense of urgency, and the players, in a break with past industry tradition, are willing to share knowledge and best practices," said David Barzilai, cofounder of Karamba Security, a company that makes security software to protect automotive software.

There are at least some political leaders who believe it will take a push from government to get automakers to address their vulnerabilities, much as it took legislation to require safety features like seat belts and airbags.

U.S. Sen. Ed Markey (D-Mass.), who released a report in February 2015 titled "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk," also filed legislation last year, the "SPY Car Act of 2015," to require the National Highway Traffic Safety Administration (NHTSA) to issue rules requiring "reasonable" protections for the physical security and privacy of those in connected cars. The report noted that "today's cars and light trucks contain more than 50 separate electronic control units (ECU) that collect driver information and are also vulnerable to attack."

But that bill never went beyond a referral to committee.
Markey's staff did not respond to questions on the status of the bill.

Best practices

The Automotive Information Sharing and Analysis Center's (Auto-ISAC) "Best Practices" guide, according to the group, expands on the Framework for Automotive Cybersecurity Best Practices published in January 2016 by the Alliance of Automobile Manufacturers and the Association of Global Automakers.

The group says it "emphasizes risk management, including the identification of risks and implementation of reasonable risk-reduction measures."

However, "Best Practices do not form an assessment or compliance framework, and do not mandate prescriptive requirements. Each automaker will determine if and/or how to apply the Best Practices internally," the group said.

The Best Practices comprise seven Functions:

- Security by design
- Risk assessment and management
- Threat detection and protection
- Incident response
- Collaboration and engagement with appropriate third parties, including industry bodies such as Auto-ISAC itself, the Auto Alliance, and governmental entities like the National Highway Traffic Safety Administration, NIST, the Department of Homeland Security and the FBI
- Governance
- Awareness and training

And experts generally argue that legislation would not be as effective as various private-sector pressures.
One of the most obvious problems with legislation is the difficulty of defining "reasonable."

Barzilai said automakers are already under major pressure to improve the software security of their products for two reasons: "To avoid brand damage that may harm sales of their current models, and to make sure cyber security is an enabler for autonomous cars."

Autonomous cars and ride-sharing "are seen as the industry's two main growth engines in the coming years," he said, adding that if there are significant and successful hacks of vehicles, "growth and sales expectations will be negatively affected."

Thuen said he thinks pressure will also ramp up with the adoption of cybersecurity insurance. "No companies are better at assessing risk than insurance companies," he said, "and if anyone can figure out what activities actually make us more secure, it's them.

"Also, a statement like, 'Having a vulnerability assessment done on a component will reduce your premiums by X dollars,' is an actual ROI that business leaders and policy makers can factor into their calculations."

Of course, there is also the reality that, in the online world, nothing is bulletproof. Even Auto-ISAC notes in its best practices document that "a future vehicle with zero risk is unobtainable and unrealistic."

But Barzilai, while he agrees with Auto-ISAC, said he also believes that "cars and drones can be hardened in a way that will make the risk of cyber hacking tamed to levels that are close to zero."

That, he said, is because "cars, drones and IoT devices in general, are not user-configured. They should run according to factory settings, so any foreign code or unexpected in-memory operation imply hacking attempts."

And Grobman notes that semi- and fully autonomous vehicles are already in the works.
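Barzilai's point above, that a controller which is never user-configured should only ever run factory code, reduces in practice to an allowlist: the factory records what belongs in flash, and the vehicle rejects anything else. The following is an added example written for this article, not code from Karamba Security, Auto-ISAC or any automaker. It models an ECU flash image with a handful of code regions, builds a factory manifest of their SHA-256 digests, and verifies a running image against it, flagging both a modified region and an implant written into unused flash. The image layout, the key and the use of an HMAC in place of a hardware-backed signature are all assumptions made to keep the example self-contained.

```python
"""Factory-baseline integrity check for an ECU flash image (added example, not vendor code).

Factory side: hash every executable region and authenticate the manifest.
Vehicle side: re-hash each region, compare, and treat any non-erased bytes
outside the declared regions as foreign code.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

ERASED = 0xFF  # assumption: erased NOR flash reads as 0xFF, so anything else in a gap is content


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    length: int


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_body(entries: Dict[str, dict]) -> bytes:
    # Canonical serialization so factory and vehicle authenticate identical bytes.
    return "|".join(f"{n}:{e['start']}:{e['length']}:{e['sha256']}"
                    for n, e in sorted(entries.items())).encode()


def build_manifest(image: bytes, regions: List[Region], key: bytes) -> dict:
    """Factory side. HMAC stands in for a signature with a hardware-held key (assumption)."""
    entries = {r.name: {"start": r.start, "length": r.length,
                        "sha256": _digest(image[r.start:r.start + r.length])}
               for r in regions}
    mac = hmac.new(key, _manifest_body(entries), "sha256").hexdigest()
    return {"entries": entries, "mac": mac}


def verify_image(image: bytes, manifest: dict, key: bytes) -> List[str]:
    """Vehicle side. Returns a list of findings; an empty list means the image is factory state."""
    expected = hmac.new(key, _manifest_body(manifest["entries"]), "sha256").hexdigest()
    if not hmac.compare_digest(manifest["mac"], expected):
        # A forged or corrupted manifest means nothing below can be trusted.
        return ["manifest authentication failed; refusing to trust any region"]
    findings: List[str] = []
    covered = bytearray(len(image))  # 1 where some declared region covers the byte
    for name, e in manifest["entries"].items():
        start, end = e["start"], e["start"] + e["length"]
        if _digest(image[start:end]) != e["sha256"]:
            findings.append(f"region {name} modified")
        covered[start:end] = b"\x01" * (end - start)
    # Anything written outside a declared region was not put there by the factory.
    i = 0
    while i < len(image):
        if covered[i] == 0 and image[i] != ERASED:
            j = i
            while j < len(image) and covered[j] == 0 and image[j] != ERASED:
                j += 1
            findings.append(f"foreign code at 0x{i:04x}-0x{j - 1:04x} outside manifest")
            i = j
        else:
            i += 1
    return findings


# Constructed demo data: a 256-byte image with three regions and an unused tail.
FACTORY_KEY = b"demo-key-not-for-production"
REGIONS = [Region("bootloader", 0, 64), Region("application", 64, 128), Region("calibration", 192, 32)]


def factory_image() -> bytes:
    img = bytearray([ERASED] * 256)
    img[0:64] = bytes(range(64))
    img[64:192] = bytes((i * 7) & 0xFF for i in range(128))
    img[192:224] = b"CAL" * 10 + b"\x00\x00"
    return bytes(img)


FACTORY_MANIFEST = build_manifest(factory_image(), REGIONS, FACTORY_KEY)


def tampered_application() -> bytes:
    img = bytearray(factory_image())
    img[100] ^= 0x01  # single-bit change inside the application region
    return bytes(img)


def implanted_image() -> bytes:
    img = bytearray(factory_image())
    img[240:248] = b"\x90" * 8  # implant dropped into unused flash, regions untouched
    return bytes(img)


if __name__ == "__main__":
    for label, img in [("factory", factory_image()), ("tampered", tampered_application()),
                       ("implant", implanted_image())]:
        print(label, verify_image(img, FACTORY_MANIFEST, FACTORY_KEY) or ["clean"])
```

The gap check is the part most baseline schemes omit: hashing only the declared regions lets an attacker leave every hash intact and still park code in unused flash, to be reached by a single patched branch. Covering the whole address space, and refusing to continue when the manifest itself fails authentication, closes both holes.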
Grobman said the Automotive Security Review Board, of which Intel is a founding member, "has a vision of driving research to achieve intelligent, self-healing vehicles."

And he said it is important to focus on the "aggregate" improvement that connected cars bring to vehicle safety, and not dwell only on a few failures.

"Just as the airline industry now relies on automation and 'fly by wire' to improve air safety in inclement weather, we should look forward to similar benefits in the automotive world," he said.