The National Highway Traffic Safety Administration (“NHTSA”) recently released updated guidance on cybersecurity best practices for motor vehicle safety. This non-binding guidance demonstrates the NHTSA’s continued emphasis on cybersecurity in the context of motor vehicle safety. The guidelines broadly apply to individuals and organizations that design and manufacture electronic systems and software for vehicles and reflect evolving trends and developments since the first guidelines.
The new guidancepublished September 2022, NHTSA’s 2016 update”Cybersecurity Best Practices for Modern Vehicles”, detailing the steps manufacturers can take to improve motor vehicle cybersecurity. The updated guidelines take into account developments in technology and emerging voluntary standards, such as the International Standards Organization (“ISO”)/SAE International’s Final Draft International Standard (“FDIS”) 21434 and the Automotive Information Sharing and Analysis Centers (“Auto-ISAC ”) Best Practice Guides. The FDIS 21434 was published in 2021 and specifies technical requirements for cybersecurity risk management related to concept, product development, production, operation, maintenance and decommissioning of electrical systems. The Auto-ISAC Best Practice Guides can serve as tools for the automotive industry on a variety of topics, including incident response, collaboration and engagement with appropriate third parties, governance, risk assessment and management awareness and training, threat detection, monitoring and analysis, and security development lifecycle.
The NHTSA’s updated cybersecurity guidelines divide key recommendations into two categories: general best practices and technical best practices. The NHTSA’s overarching general recommendation is that members of the automotive industry take a layered approach to vehicle cybersecurity, assuming that some vehicle systems may be compromised. Cybersecurity approaches should be based on risk-based, prioritized identification and protection of security-critical systems; eliminate sources of risk to safety-critical systems where possible; ensure timely detection and rapid response to potential incidents; design methods and processes to facilitate rapid recovery from incidents; and institutionalize methods for accelerated application of lessons learned across the industry.
More specifically, general best practices include the following:
- Prioritize vehicle cybersecurity and demonstrate the importance of cybersecurity at board level and governance processes
- Design, manufacture and sell vehicles in a manner that incorporates protection and removes unreasonable risks to safety-critical systems
- Vehicle development process should include cybersecurity risk assessment
- Manufacturers must consider the risks of sensor vulnerabilities
- Join Auto-ISAC for information sharing and find other ways to share information among industry members in a timely manner
- Industry members should establish their own vulnerability reporting policies and mechanisms
- Develop an incident response and vulnerability management process and document details of each incident to periodically assess the effectiveness of incident response and vulnerability management
- Perform self-checks to be accountable
The technical best practices include:
- Restrict developer-level access to the Electronic Control Unit (“ECU”)
- Update cryptographic techniques based on computer innovations and cybersecurity standards from the National Institute for Standards and Technology (“NIST”)
- Design diagnostic functions and tools to eliminate potentially dangerous consequences and with appropriate authentication and access controls
- Use best practices for the transmission of critical security information, especially if it is shared through insecure channels
- Restrict unauthorized wireless access to in-vehicle computer resources and apply updates securely
The updated NHTSA guidelines also address cybersecurity vulnerabilities that can occur during software updates. The guideline advises that car manufacturers should limit the ability to modify firmware to authorized and properly verified parties. For over-the-air (“OTA”) updates, NHTSA recommends that manufacturers ensure that the servers, transmission mechanism, and update process are updated to avoid interruptions in update transmission. These recommendations will become increasingly relevant as motor vehicles increasingly rely on computer systems that require frequent updating, and OTA updates become more common to manage recalls.
While the NHTSA’s cybersecurity guidelines are not mandatory, it does indicate that the agency has a strong interest in this area. Perhaps more importantly, this guidance very clearly links cybersecurity to motor vehicle safety and emphasizes the need for vehicle manufacturers and other members of the automotive industry to proactively focus on cybersecurity to help ensure vehicle safety.