On October 24, 2016, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced the release of Cybersecurity Best Practices for Modern Vehicles, a non-binding, proposed guidance document designed to assist the automotive industry in improving motor vehicle cybersecurity and mitigating threats to safety.
The guidance is intended to apply broadly to “all individuals and organizations manufacturing and designing vehicle systems and software,” including entities that design, supply, manufacture, alter or modify motor vehicles or motor vehicle equipment. The voluntary best practices described in the guidance are intended to “provide a solid foundation for developing a risk-based approach” to mitigating cybersecurity risks throughout the automotive industry.
Cybersecurity Best Practices for Modern Vehicles provides a brief overview of general cybersecurity best practices, as well as detailed guidance for improving cybersecurity within the automotive industry. An overview of both sections of the guidance is provided below.
General Cybersecurity Guidance
The Cybersecurity Best Practices for Modern Vehicles recommends the automotive industry apply two general principles:
- Consistent with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, develop a layered approach to cybersecurity to “reduce the probability of an attack’s success and mitigate the ramifications of a potential unauthorized access.”
- Adapt existing information technology security standards and controls used in other sectors—such as the ISO 27000 series standards and the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense (“CIS CSC”)—for use in the automotive industry.
Automotive Industry Cybersecurity Guidance
The Cybersecurity Best Practices for Modern Vehicles identifies seven specific principles for cybersecurity in the automotive industry. Although much of the guidance is aimed at the industry as a whole, individual companies are expected to leverage these principles to establish entity-specific cybersecurity programs.
An overview of each of the seven categories discussed in the guidance is provided below.
1. Vehicle Development Process With Explicit Cybersecurity Guidance (Security by Design)
- Identify risks from cybersecurity threats and vulnerabilities;
- Conduct risk analysis with a focus on the safety of vehicle occupants and other road users;
- Establish rapid incident detection, mitigation and remediation capabilities; and
- Fully document any “actions, changes, design choices, and analyses” to the process
2. Leadership Priority on Cybersecurity
- Prioritize vehicle cybersecurity and demonstrate management commitment by taking concrete actions to facilitate “a top-down interest” in product cybersecurity; and
- Establish communication channels focused on cybersecurity, including an “independent voice” for cybersecurity considerations in the vehicle safety design process.
3. Information Sharing
- NHTSA encourages all members of the vehicle manufacturing industry to participate in the Auto Information Sharing and Analysis Organization (“ISAC”); and
- NHTSA encourages the Auto ISAC to expand its membership to “suppliers and other vehicle segments.”
4. Vulnerability Reporting / Disclosure Policy
- Create or adapt a vulnerability reporting and disclosure program to facilitate information sharing;
- Provide external researchers with guidance for disclosing vulnerabilities to automotive industry entities; and
- Explain in detail how entities plan to interact with researchers
5. Vulnerability / Exploit / Incident Response Process
- Create a process for responding to incidents, vulnerabilities, and exploits;
- Define and use metrics to periodically assess effectiveness of the response process;
- Create records of each identified and reported vulnerability, exploit, or incident;
- Report all incidents, exploits, or incidents to the Auto ISAC and to US-CERT, and consider reporting to industrial systems CERT; and
- Run response capability exercises to test effectiveness.
- Document the cybersecurity process to allow auditing and accountability, which should include: risk assessments, penetration testing and documentation, and self-review;
- Retain relevant documentation through the lifespan of the relevant product; and
- Regularly revise documents as necessary.
7. Fundamental Vehicle Cybersecurity Protections
- NHTSA recommends that automotive industry entities implement eleven specific controls to assist in securing automotive computing systems. These controls include limiting unnecessary access to systems, implementing specific technical controls, and using technical restrictions to reduce potential vulnerabilities.
Other Cybersecurity Considerations
The guidance also briefly highlights NHTSA’s recommendations on two additional vehicle cybersecurity considerations. First, the automotive industry and aftermarket device manufacturers should consider risks posed by aftermarket devices and connectivity of consumer personal equipment and evaluate how to mitigate those risks. Second, the automotive industry should provide strong vehicle cybersecurity protections that do not “unduly restrict access” by authorized third-party repair services.
NHTSA is soliciting public comment on the guidance for thirty days. Details about the public comment process can be found in the press release announcing the publication of Cybersecurity Best Practices for Modern Vehicles.