Policy controls
This first type of control is enforced through organizational-level procedures that define what is permissible from a security perspective. Policy controls are simply dos and don’ts that must be observed to eliminate certain risks that would otherwise be very expensive or difficult to mitigate through technical controls. One example of a policy control concerns the use of aftermarket telematics units and onboard diagnostics (OBD) dongles. Such devices are known to be abused by hackers to gain access to a vehicle’s internal network and spoof its components. This can result in modification of the target ECU’s software or data, enabling the attacker to take control of the vehicle remotely.
To mitigate the risks associated with aftermarket telematics control unit (TCU) devices/OBD dongles, original equipment manufacturers (OEMs) can define a policy control that prohibits the vehicle owner from using such devices if they want to avoid voiding their vehicle’...