The new guidance, published in September 2022, updates NHTSA’s 2016 “Cybersecurity Best Practices for Modern Vehicles,” which described the steps manufacturers could take to improve motor vehicle cybersecurity. The updated guidance takes into consideration developments in technology and emerging voluntary standards, such as the International Standards Organization (“ISO”)/SAE International’s Final Draft International Standard (“FDIS”) 21434 and the Automotive Information Sharing and Analysis Center’s (“Auto-ISAC”) Best Practice Guides. The FDIS 21434 was published in 2021 and specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance, and decommissioning of electrical systems. The Auto-ISAC Best Practice Guides can act as resources to the automotive industry on a variety of topics including incident response, collaboration and engagement with appropriate third parties, governance, risk assessment and management, awareness and training, threat detection, monitoring and analysis, and security development lifecycle.
NHTSA’s updated cybersecurity guidance divides key recommendations between two categories: general best practices and technical best practices. NHTSA’s overarching general recommendation is for automotive industry members to take a layered approach to vehicle cybersecurity in which it is assumed that some vehicle systems could be compromised. Cybersecurity approaches should be built upon risk-based, prioritized identification and protection of safety-critical systems; eliminate sources of risks to safety-critical systems where possible; provide for timely detection and rapid response to potential incidents; design methods and processes to facilitate rapid recovery from incidents; and institutionalize methods for accelerated adoption of lessons learned across the industry.
More specifically, general best practices include the following:
- Prioritize vehicle cybersecurity and demonstrate the importance of cybersecurity at the executive management level and in governance processes
- Design, manufacture, and sell vehicles in a way that builds in protections and removes unreasonable risk to safety-critical systems
- The vehicle development process should include cybersecurity risk assessment
- Manufacturers should consider the risks associated with sensor vulnerabilities
- Join Auto-ISAC for information sharing and find other ways to share information amongst industry members in a timely manner
- Industry members should create their own vulnerability reporting policies and mechanisms
- Develop an incident response and vulnerability management process and document details of each incident in order to periodically assess the effectiveness of incident response and vulnerability management
- Perform self-audits to ensure accountability
The technical best practices include:
- Limit developer-level access to the electronic control unit (“ECU”)
- Update cryptographic techniques based on computing innovations and National Institute for Standards and Technology (“NIST”) cybersecurity standards
- Design diagnostic functions and tools to eliminate potentially dangerous ramifications and with appropriate authentication and access controls
- Employ best practices for transmission of critical safety information, particularly if shared over insecure channels
- Limit unauthorized wireless access to vehicle computing resources and securely apply updates
The updated NHTSA guidance also discusses cybersecurity issues that can occur during software updates. The guidance advises that automotive manufacturers should limit the ability to modify firmware to authorized and appropriately authenticated parties. For over-the-air (“OTA”) updates, NHTSA advises that manufacturers should make sure to update servers, the transmission mechanism, and the updating process in order to prevent interruptions to the update transmission. These recommendations will be more and more relevant as motor vehicles are increasingly reliant on computer systems that must be regularly updated, and OTA updates are more frequently used for administering recall remedies.
While NHTSA’s cybersecurity guidance is not mandatory, it does indicate the agency’s strong interest in this area. Perhaps more importantly, this guidance very clearly connects cybersecurity to motor vehicle safety and emphasizes that vehicle manufacturers and other members of the automotive industry must proactively focus on cybersecurity in order to help ensure vehicle safety.
Authored by Joanne Rotondi, Paul Otto, Susan McAuliffe, Christina Bassick, Alaa Salaheldin, and Dan Ongaro.