NHTSA issues updated cybersecurity best practices for the safety of modern vehicles

16 September 2022

The National Highway Traffic Safety Administration (“NHTSA”) recently issued updated guidance on cybersecurity best practices for motor vehicle safety. This non-binding guidance demonstrates NHTSA’s continued emphasis on cybersecurity in the context of motor vehicle safety. The guidance applies broadly to individuals and organizations designing and manufacturing vehicle electronic systems and software, and reflects evolving trends and developments since the initial guidance.

The new guidance, published in September 2022, updates NHTSA’s 2016 “Cybersecurity Best Practices for Modern Vehicles,” which described the steps manufacturers could take to improve motor vehicle cybersecurity. The updated guidance takes into consideration developments in technology and emerging voluntary standards, such as the International Standards Organization (“ISO”)/SAE International’s Final Draft International Standard (“FDIS”) 21434 and the Automotive Information Sharing and Analysis Center’s (“Auto-ISAC”) Best Practice Guides. The FDIS 21434 was published in 2021 and specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance, and decommissioning of electrical systems. The Auto-ISAC Best Practice Guides can act as resources to the automotive industry on a variety of topics, including incident response; collaboration and engagement with appropriate third parties; governance; risk assessment and management; awareness and training; threat detection, monitoring and analysis; and security development lifecycle.

NHTSA’s updated cybersecurity guidance divides key recommendations between two categories: general best practices and technical best practices. NHTSA’s overarching general recommendation is for automotive industry members to take a layered approach to vehicle cybersecurity in which it is assumed that some vehicle systems could be compromised. Cybersecurity approaches should be built upon risk-based, prioritized identification and protection of safety-critical systems; eliminate sources of risks to safety-critical systems where possible; provide for timely detection and rapid response to potential incidents; design methods and processes to facilitate rapid recovery from incidents; and institutionalize methods for accelerated adoption of lessons learned across the industry.

More specifically, general best practices include the following:

  • Prioritize vehicle cybersecurity and demonstrate the importance of cybersecurity at the executive management level and in governance processes
  • Design, manufacture, and sell vehicles in a way that builds in protections and removes unreasonable risk to safety-critical systems
    • The vehicle development process should include cybersecurity risk assessment
    • Manufacturers should consider the risks associated with sensor vulnerabilities
  • Join Auto-ISAC for information sharing and find other ways to timely share information amongst industry members
  • Industry members should create their own vulnerability reporting policies and mechanisms
  • Develop an incident response and vulnerability management process and document details of each incident in order to periodically assess the effectiveness of incident response and vulnerability management
  • Perform self-audits to ensure accountability

The technical best practices include:

  • Limit developer-level access to the electronic control unit (“ECU”)
  • Update cryptographic techniques based on computing innovations and National Institute for Standards and Technology (“NIST”) cybersecurity standards
  • Design diagnostic functions and tools with appropriate authentication and access controls, and in a way that eliminates potentially dangerous ramifications
  • Employ best practices for transmission of critical safety information, particularly if shared over insecure channels
  • Limit unauthorized wireless access to vehicle computing resources and securely apply updates

The updated NHTSA guidance also discusses cybersecurity issues that can occur during software updates. The guidance advises that automotive manufacturers should limit the ability to modify firmware to authorized and appropriately authenticated parties. For over-the-air (“OTA”) updates, NHTSA advises that manufacturers should make sure to update servers, the transmission mechanism, and the updating process in order to prevent interruptions to the update transmission. These recommendations will be more and more relevant as motor vehicles are increasingly reliant on computer systems that must be regularly updated, and OTA updates are more frequently used for administering recall remedies.

While NHTSA’s cybersecurity guidance is not mandatory, it does indicate the agency’s strong interest in this area. Perhaps more importantly, this guidance very clearly connects cybersecurity to motor vehicle safety and emphasizes that vehicle manufacturers and other members of the automotive industry must proactively focus on cybersecurity in order to help ensure vehicle safety.

 

 

Authored by Joanne Rotondi, Paul Otto, Susan McAuliffe, Christina Bassick, Alaa Salaheldin, and Dan Ongaro.

Additional Resources
  • Cybersecurity Best Practices for the Safety of Modern Vehicles updated 2022