NHTSA proposed guidance aims to improve motor vehicle cybersecurity

Updated Oct 27, 2016

The U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) has issued proposed guidance for improving motor vehicle cybersecurity as a means of protecting against “malicious cyber-attacks and unauthorized access.”

“Cybersecurity is a safety issue, and a top priority at the Department,” says Transportation Secretary Anthony Foxx. “Our intention with today’s guidance is to provide best practices to help protect against breaches and other security failures that can put motor vehicle safety.”

NHTSA’s document broadly covers product development for manufacturers, as well as best practices for researching, testing and validating cybersecurity.

“The guidance recommends risk-based prioritized identification and protection of critical vehicle controls and consumers’ personal data,” NHTSA says. “Further, it recommends that companies should consider the full life-cycle of their vehicles and facilitate rapid response and recovery from cybersecurity incidents.”

The agency also recommends manufacturers “self-audit” and look at any vulnerabilities beyond the vehicles, including impacts to supply-chain operations.

“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” says NHTSA Administrator Dr. Mark Rosekind. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”

The Cybersecurity Best Practices for Modern Vehicles contains the following topics:

  • Vehicle Development Process With Explicit Cybersecurity Considerations
  • Leadership Priority on Product Cybersecurity
  • Information Sharing
  • Vulnerability Reporting/Disclosure Policy
  • Vulnerability / Exploit / Incident Response Process
  • Self-Auditing: Risk Assessment; Penetration Testing and Documentation; Self-Review
  • Fundamental Vehicle Cybersecurity Protections: Limit Developer/Debugging Access in Production Devices; Control Keys; Control Vehicle Maintenance Diagnostic Access; Control Access to Firmware; Limit Ability to Modify Firmware; Control Proliferation of Network Ports, Protocols and Services; Use Segmentation and Isolation techniques in Vehicle Architecture Design; Control Internal Vehicle Communications; Log Events; Control Communication to Back-End Servers; Control Wireless Interfaces