With some models having as much connectivity as your smartphone, the National Highway Traffic Safety Administration (NHTSA) said it is taking a proactive approach to protecting vehicles from malicious cyber-attacks and unauthorized access by releasing proposed guidance for improving vehicle cybersecurity.
The agency within the Department of Transportation explained on Monday that the proposed cybersecurity guidance focuses on layered solutions to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful.
The guidance recommended risk-based prioritized identification and protection of critical vehicle controls and consumers' personal data.
Further, it suggested that companies should consider the full life-cycle of their vehicles and facilitate rapid response and recovery from cybersecurity incidents.
“Cybersecurity is a safety issue, and a top priority at the department,” Transportation Secretary Anthony Foxx said. “Our intention with today’s guidance is to provide best practices to help protect against breaches and other security failures.”
NHTSA noted that the guidance also highlighted the importance of making cybersecurity a top leadership priority for the automotive industry and suggested that companies should demonstrate it by allocating appropriate and dedicated resources, and enabling seamless and direct communication channels though organizational ranks related to vehicle cybersecurity matters.
"In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” NHTSA Administrator Mark Rosekind said. “Everyone involved must keep moving, adapting and improving to stay ahead of the bad guys.”
In addition to product development, the guidance pointed out best practices for researching, investigating, testing and validating cybersecurity measures. NHTSA recommended the industry self-audit and consider vulnerabilities and exploits that may impact their entire supply-chain of operations.
The agency also mentioned employee training to educate the entire automotive workforce on new cybersecurity practices and to share lessons learned with others.
Officials recapped the best practices guidance released on Monday is based on public feedback gathered by NHTSA, as well as the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The proposed guidance follows actions by other entities on motor vehicle cybersecurity, including SAE J3061 Recommended Best Practice: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems and the executive summary to the Automotive Cybersecurity Best Practices issued by the Auto-ISAC in, collaboration with the motor vehicle trade associations, in July 2016.
NHTSA’s guidance also suggests that organizations should consider and adopt all applicable industry best practices.
NHTSA is soliciting public comments on the proposed guidance for 30 days. People may submit feedback by visiting regulations.gov and searching for docket NHTSA-2016-0104.