NHTSA to Automakers: Shield Electronic and Computer Systems from Hackers
The United States Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) is taking a proactive safety approach to protect vehicles from cyberattacks and unauthorized access by releasing proposed guidance for improving motor vehicle cybersecurity.
The proposed cybersecurity guidance focuses on layered solutions to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. The guidance recommends risk-based prioritized identification and protection of critical vehicle controls and consumers’ personal data. It also recommends that companies consider the full life-cycle of their vehicles and facilitate rapid response and recovery from cybersecurity incidents.
“Our intention with today’s guidance,” said U.S. Transportation Secretary Anthony Foxx, “is to provide best practices to help protect against breaches and other security failures that can impact motor vehicle safety.”
This guidance also highlights the importance of making cybersecurity a top leadership priority for the automotive industry, and suggests that companies should demonstrate it by allocating appropriate and dedicated resources, and enabling seamless and direct communication channels though organizational ranks related to vehicle cybersecurity matters.
“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” said NHTSA Administrator Dr. Mark Rosekind. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”
In addition to product development, the guidance suggests best practices for researching, investigating, testing and validating cybersecurity measures. NHTSA recommends the industry self-audit and consider vulnerabilities and exploits that may impact their entire supply-chain of operations. The safety agency also recommends employee training to educate the entire automotive workforce on new cybersecurity practices and to share lessons learned with others.
The best practices guidance is based on public feedback gathered by NHTSA, as well as the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. NHTSA’s guidance also suggests that organizations should consider and adopt all applicable industry best practices.
“Although NHTSA’s guidance document is non-binding, it nonetheless establishes an important baseline against which vehicle manufacturers will be measured,” said Creighton Magid, a partner at the international law firm Dorsey & Whitney and head of its Washington, D.C., office. “Automakers, like manufacturers of other interconnected, Internet-of-Things devices, must treat their products as cyber-physical systems, with as much attention given to electronically interconnected systems as to the rest of the vehicle.”
NHTSA is soliciting public comments on the proposed guidance for 30 days.