CISA issues autonomous ground vehicle cybersecurity guide

The Cybersecurity and Infrastructure Security Agency (CISA), an agency within the Department of Homeland Security, recently issued an Autonomous Ground Vehicle Security Guide (Guide). Because autonomous-vehicle (AV) pilot programs are proliferating rapidly throughout the United States, and widespread adoption of AVs is drawing nearer by the day, CISA issued the Guide to help companies and industry leaders understand the cybersecurity risks associated with AVs and to implement strategies to reduce those risks. 

AVs rely on internet connections to operate, making them particularly vulnerable to cyberattacks. These attacks can target a single asset (i.e., the data and operation of an individual AV) or an entire enterprise (i.e., the data and operation of an entire AV-related network, AV company, or other, connected entity). Not surprisingly, risks associated with cyberattacks on AV systems include data breaches, supply-chain disruptions, property damage, financial loss, injury, and loss of life. CISA designed this guidance to help Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) develop holistic security strategies that offer protection at both the asset and enterprise levels. The Autonomous Ground Vehicle Security Guide provides (1) a framework for identifying AV risks and types of cyberattacks and (2) risk-mitigation strategies.


As part of the Guide, CISA created the Autonomous Vehicle Cyber-Attack Taxonomy (AV|CAT) tool as a framework for identifying AV cybersecurity risks. The tool provides a framework for identifying AV risks based on four factors:

  • Attack Vector: pathway that a malicious actor takes to access a targeted system.
  • Target: system that the malicious actor seeks to exploit.
  • Consequence: harm resulting from an attack.
  • Outcome: real-world result caused by the attack.

The Guide’s AV|CAT tool sets out baseline predictions for how attacks related to AVs may occur and what ripple effects could result due to unique characteristics of both the attack and the target. For example, if an attacker remotely disables an AV fleet, it is likely that the attack vector is related to acquiring privileged credentials to access the fleet’s anti-theft systems. The likely consequences are that the AVs would be inaccessible, stolen, or subject to tampering. And the predicted outcome is that operational or supply-chain disruptions and financial losses will occur. Industry leaders can use this framework to design systems to defend against and defeat attacks and also to trace the causes and impacts when attacks occur.

Risk-Mitigation Strategies

The Guide, after going through various real-world threat scenarios, then offers risk-mitigation strategies at both the enterprise and asset levels. CISA envisions that after teams analyze potential risks using the AV|CAT Framework, risk-mitigation strategies will be deployed to develop measures that minimize the risks of cyberattacks. CISA recommends a multi-layered approach that encompasses both physical security and cybersecurity. CISA also recommends prioritizing communication, coordination, and collaboration across security functions and throughout the supply chain(s) to reduce risk.  

With the widespread adoption of AVs across all industries, the potential for cybersecurity threats will continue to rise. So will the impacts of cyberattacks. CISA estimates that a single cyberattack today could cost an automaker up to $1.1 billion.

Hogan Lovells’s cross-practice cybersecurity policy and compliance team is prepared to assist you in navigating and implementing all aspects of CISA’s Autonomous Ground Vehicle Security Guide to protect you and your company against cyberattacks.


Authored by Andrew Lillie, Paul Otto, Joanne Rotondi, Emily Kimball, Carolyn Kraska, and Cory Wroblewski.

Paul Otto
Washington, D.C.
Joanne Rotondi
Washington, D.C.
Emily Kimball
Carolyn Kraska
NW Washington, D.C.
Cory Wroblewski


This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.