Published: 11 November 2016
Increasingly “connected” automobiles bring convenience and other benefits to drivers and passengers, but at the same time raise concerns about safety and privacy. In response to this trend in automobile technology, members of the US Congress, along with others, have been asking what the US Department of Transportation’s (DOT’s) National Highway Traffic Safety Administration (NHTSA) will do to promote effective cybersecurity for automobiles.
Last year, members of the House Energy and Commerce Committee wrote to the NHTSA Administrator, noting that as new “technologies are incorporated into automobiles to improve safety, convenience, and performance, they also create the unavoidable potential for cyber threats.” This issue arose again in September, when members of the same committee identified security and safety concerns with the On-Board Diagnostic (OBD-II) ports within vehicles. The members of Congress suggested an industrywide effort to develop a plan of action to address these risks. On October 14, NHTSA responded, noting that it would soon issue best practices concerning cybersecurity.
On October 24, NHTSA issued proposed federal guidance to the automotive industry for improving motor vehicle cybersecurity. The draft DOT guidance remains open for public comment, with comments due by November 28. The final guidance will establish a baseline for automotive cybersecurity standards for the foreseeable future.
This LawFlash provides a brief overview of this new development on vehicle cybersecurity.
Voluntary Standards Based on Layered Approach
The proposed cybersecurity guidance, which is voluntary and nonbinding, is intended to “provide a solid foundation for developing a risk-based approach and important processes that can be maintained, refreshed and updated effectively over time to serve the needs of the automotive industry.” The guidance notes that there is no current Federal Motor Vehicle Safety Standard covering vehicle cybersecurity.
The guidance uses a layered approach “to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful.” According to the draft guidance, this approach would include the following aspects:
- “Be built upon risk-based prioritized identification and protection of safety-critical vehicle control systems and personally identifiable information”
- “Provide for timely detection and rapid response to potential vehicle cybersecurity incidents in the field”
- “Design-in methods and measures to facilitate rapid recovery from incidents when they occur”
- “Institutionalize methods for accelerated adoption of lessons learned across the industry through effective information sharing, such as through participation in the Auto ISAC [Automotive Information Sharing and Analysis Center]”
Draft Best Practices Recommendations
The current draft contains several recommendations that draw upon industry and other best practices and internal applied research. Some of the recommendations include the following:
- Promote “cybersecurity oriented leadership within the organization,” including over the product development cycle
- In “an ongoing risk management framework,” assess vulnerabilities at each stage in the process, including “the entire supply-chain of operations”
- Implement “a documented process for responding to incidents, vulnerabilities, and exploits” that clearly delineates roles and responsibilities for each responsible group within the organization
- Conduct cybersecurity testing, including penetration testing, by “qualified testers who have not been part of the development team, and who are highly incentivized to identify vulnerabilities”
- Adopt self-auditing programs that include periodic risk assessments and reviews of organizational decisions
- Encourage information sharing about cybersecurity risks and incidents, including through the Auto ISAC
- Consider the role of aftermarket devices (such as cell phones and insurance dongles)
- Remove unnecessary network services to control the proliferation of network ports and limit attack vectors
- Limit software developer access to Electronic Control Units where “no foreseeable operational reason” exists
- Consider encryption as a “useful tool in preventing the unauthorized recovery and analysis of firmware”
- Maintain sufficient log records to identify how cyber-attacks occurred and to detect trends
- Implement employee training to educate the entire automotive workforce on new cybersecurity practices, and share lessons learned
- Address serviceability issues by providing “strong vehicle cybersecurity protections that do not unduly restrict access by authorized alternative third-party repair services”
After the public comment period has concluded, DOT will issue final guidance. As noted, members of Congress are also reviewing this issue. It remains to be seen whether the voluntary standards may ultimately prove to be the basis for mandatory standards or legislation. The issue of automobile cybersecurity is likely to remain active on the legislative and regulatory fronts as vehicle technology continues to develop and automotive companies (and others) work to protect vehicles from cybersecurity and other threats.