NHTSA Offers New Cybersecurity Guidelines

The U.S. has issued new, nonbinding guidelines for the auto industry to help guide its approach to cybersecurity.

The recommendations expand on the cybersecurity best-practices report issued in July by the Automotive Information Sharing and Analysis Center. Carmakers set up Auto-ISAC in 2015 as a non-profit trade association to share cybersecurity information.

The 22-page report from the National Highway Traffic Safety Administration asserts the agency’s position that it has authority over cybersecurity, a matter not covered by any current federal motor vehicle safety standards. The agency notes that it ordered the recall of 1.5 million Fiat Chrysler Automobiles NV vehicles in July 2015 because of cybersecurity issues that posed a safety threat.

NHTSA urges carmakers to design security measures into their electronics rather than try to apply protection after the fact. The agency also suggests the auto industry start by embracing security standards already adopted by the finance, energy, communications and information technology sectors.

Carmakers need to bolster their ability to identify risks and potential threats, NHTSA says. But it adds they also must develop the ability to quickly detect and remediate cyber attacks.

The NHTSA guidelines urge the industry to set up a cybersecurity information-sharing system to quickly eliminate newfound vulnerabilities. That system should be paired with a documented process for responding to attacks that includes impact assessment, containment, recovery and follow-up testing.

The agency stresses the obvious need to guard so-called “back door” access by developers to software being used in production devices. It recommends that developers take steps to guard a device’s operating “firmware,” the software code and data that reside in onboard computers. It also underscores the importance of limiting the ability of a car’s control systems to access each other unnecessarily.

NHTSA says the industry should set up life-of-product mechanisms to assess risk, test the defenses of a system against attack and generate internal self-review reports. Finally, the agency urges carmakers to find ways to defend their vehicles against possible access through aftermarket electronic devices that consumers might plug into their cars.
