November 17, 2016, Trial News
NHTSA issues vehicle cybersecurity guidance
The National Highway Traffic Safety Administration (NHTSA) has issued nonbinding best practices for cybersecurity in vehicles for all designers and manufacturers of vehicles and software to help combat and respond to hacking of vehicle technology systems. The agency is urging the automotive industry to be proactive and prioritize vehicle cybersecurity.
The National Highway Traffic Safety Administration (NHTSA) has issued nonbinding best practices for cybersecurity in vehicles for all designers and manufacturers of vehicles and software to help combat and respond to hacking of vehicle technology systems. The agency is urging the automotive industry to be proactive and prioritize vehicle cybersecurity. Although no Federal Motor Vehicle Safety Standard currently exists for cybersecurity, NHTSA noted that because the issue could impact public safety and potentially endanger lives, its authority extends to ensuring that automakers address cybersecurity vulnerabilities.
The guidance offers a multilayered approach to vehicle cybersecurity “to reduce the probability of an attack’s success and mitigate the ramifications of a potential unauthorized access.” NHTSA directs automakers to a five-point system advanced by the National Institute for Standards and Technology: “identify, protect, detect, respond, and recover.” Specific recommendations cover the breadth of vehicle technology systems design, implementation, reaction to attacks, and adapting in the aftermath of an attack.
The guidance includes identifying existing cybersecurity vulnerabilities, developing plans to address them, and consistently monitoring those plans’ performance. For example, one best practice involves making cybersecurity an expected company priority “through the entire life-cycle of a vehicle . . . from conception, design, manufacture, sale, use, maintenance, resale, and decommissioning.” This includes intensive recordkeeping of any changes and testing of a vehicle’s systems. The guidance recommends having plans in place to immediately handle a cybersecurity attack that endangers a vehicle’s occupants and others on the road. The agency encouraged a top-down leadership approach to ensure that a company’s management is dedicated to cybersecurity and that its culture follows suit.
Another major component is the real-time sharing of information about cybersecurity risks and attacks. The Automotive Information Sharing and Analysis Center was created in 2015 to enable the auto industry to pool efforts to learn about cybersecurity issues and devise ways to deal with them. NHTSA is encouraging the auto industry to participate in the center’s activities and emphasizing the need to disclose vulnerabilities to other companies. In addition, the guidance calls for a clearly defined process for responding to threats and attacks, and it “should be designed in a manner that ensures rapid response without sole dependence on any single person.”
The report also mentions several specific vehicle technology systems that it identifies as “fundamental” to secure from unauthorized access. It recommends limiting software developer access to engine control units once they have been installed, protecting any key or password that could allow someone to gain unauthorized access to a vehicle’s computer system, tying diagnostic features to one aspect of vehicle operation to minimize the effect of any attack on other critical systems, using encryption for and restricting ability to modify firmware, and carefully controlling communications to and from a vehicle to limit unauthorized messages that could affect vehicle safety systems.
NHTSA administrator Mark Rosekind said that “in the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient. Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.” But Senators Richard Blumenthal (D-Conn.) and Edward Markey (D-Mass.), who have been pushing for action on vehicle cybersecurity, criticized the guidance for not making a meaningful difference. “If modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger. In this new Internet of Things era, we cannot let safety, cybersecurity, and privacy be an afterthought,” they said in a joint statement.
Lexington, Mo., attorney Brett Emison, who handles auto cases, said that the guidelines are a good start and that “it is important to be proactive to ensure that carmakers and the industry as a whole have a set of standards in place to address potential issues and failures in the design process and correct them before people are harmed in the real world. As technology continues to improve—particularly in the area of self-driving vehicles—cybersecurity will become even more critical.”
However, Emison cautioned that the best practices should not protect the auto industry from liability. “It is critical that this document is seen as the first step (not the last step) and the floor (not the ceiling) as to the safety and security that automakers need to provide,” he said. “Compliance with these standards should not protect or immunize a manufacturer if it knows or should know about vulnerabilities that it needs to protect. No manufacturer should have immunity just because the government says it’s OK. . . . Compliance with the guidance should be the minimum level of cybersecurity provided. It should not immunize a manufacturer from liability if the product was defective or if the manufacturer was negligent in the product’s design.”