NHTSA Updating Guidance for Connected Cars, Cybersecurity

Despite having a formal mission objective to “save lives, prevent injuries, and reduce vehicle-related crashes,” the National Highway Traffic Safety Administration (NHTSA) has been shifting some of its focus toward automotive connectivity over the last few years. In fact, the agency has recently updated its guidance for vehicle cybersecurity – which was originally penned in 2016. 

While this raises questions about the true role of the NHTSA, most government regulators have been flexing their muscles as new automotive technologies lacking clearly defined directives become increasingly commonplace. Besides, the safety agency has at least managed to tie its cybersecurity guidance (which is currently voluntary) to hacking concerns that could affect how the affected car behaves and how that might translate into physical harm for those on the road. 

"As vehicle technology and connectivity develop, cybersecurity needs to be a top priority for every automaker, developer and operator," said NHTSA Administrator Steven Cliff, who will soon be leaving the agency to rejoin the California Air Resources Board (CARB) as its new executive officer. "NHTSA is committed to the safety of vehicles on our nation's roads and these updated best practices will provide the industry with important tools to protect Americans against cybersecurity risks."

According to the agency, the 2022 Cybersecurity Best Practices leverages its own pre-existing research, industry voluntary standards, and learnings from the motor vehicle cybersecurity research over the past several years. Though the basis of the guidance stems from an earlier draft, introduced in 2016, and a request for public comment issued in the very last days of the Trump administration. 

Whereas the previous version is slightly more detailed, the 2022 edition adds a few items and further emphasizes the NHTSA’s desire to see more companies joining the Automotive Information Sharing and Analysis Center (Auto ISAC) that became operational in 2016. If you’re unfamiliar, Auto ISAC is an “industry-driven” coalition of companies (e.g. global automakers, suppliers, and tech companies) that share vehicle data under the premise that it’ll be use to help mitigate against cyber attacks. Critics have accused the group of being little more than a lobbying effort designed to help steer the government regulatory efforts in respect to connected cars. But proponents believe having a group wholly dedicated to identifying and preventing hacking threats is ultimately beneficial. 

Regardless, both versions of the guidance report request that companies establish a “culture that is prepared and able to handle increasing cybersecurity challenges.” This means spending more money testing connected systems for existing vulnerabilities, better communicating potential vulnerabilities between companies or the government (ideally, via Auto ISAC), and appointing high-level corporate officers overseeing an entire department that would be directly responsible for product cybersecurity with a “top-down” management emphasis. The 2022 simply expands upon these requests, adding that companies should likewise “develop metrics to periodically assess the effectiveness of their response process.”

The latter guidance also suggests that “any incidents should also be reported to CISA/United States Computer Emergency Readiness Team (US-CERT) in accordance with the US-CERT Federal Incident Notification Guidelines. Information sharing is actually a massive part of both reports, with the NHTSA making mention of Executive Order 13691 – an Obama-era directive that “encourages the development and formation of industry-specific Information Sharing and Analysis Organizations and calls on private companies, nonprofit organizations, executive departments, agencies, and other entities to “share information related to cybersecurity risks and incidents and collaborate in as close to real time as possible.”

While not limited to automobiles, EO 13691 is a keystone issue for the NHTSA and basically underpins its request to have everyone join Auto ISAC over national security concerns. However nobody seems to have addressed why a global coalition of automakers would bother going out of its way to specifically protect the United States when their products are sold the world over. 

The rest of the NHTSA’s 2022 Cybersecurity Best Practices focus on telling the industry that it might be a good idea to establish some kind of reporting system and response when cybersecurity issues arise. For now, the agency is being fairly nonspecific beyond endorsing Auto ISAC. But it does seem to want the resulting process to mimic its own protocols for vehicle safety recalls – even if the NHTSA seems to prefer the industry audit itself when it comes to data breaches and potential hacking vulnerabilities. 

Some language was also shifted in regard to aftermarket products and who should be allowed access to a vehicle firmware and/or software code. In the earlier version, the NHTSA suggests the industry consider aftermarket devices and how they “could impact safety-of-life” even if the device has nothing to do with safety. In the newer draft, the agency makes reference to “Aftermarket/User Owned Devices,” asks aftermarket companies to likewise consider security risks, and recommends that all third-party devices “be authenticated and provided with appropriate limited access.”

This was expanded upon in the section about limiting general access via a car’s debugging port, serial console, or an open IP port on the vehicle’s Wi-Fi network. Ideally, the NHTSA would like to mitigate who can access the ECU by limiting developer-level access by minimizing diagnostic features and having manufacturers better control the relevant hardware or how a vehicle behaves after its been modified by the end under. It also stated that “merely physically hiding connectors, traces, or pins intended for developer debugging access should not be considered a sufficient form of protection.” 

This will undoubtedly annoy the right-to-repair movement that’s finally making some headway in the United States. However the NHTSA curiously retained the 2016 report’s request to ensure vehicles remain serviceable by ensuring digital protections “do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner.” However the language is softened by suggesting that finding the appropriate balance will be challenging. 

My take is that the NHTSA has become too preoccupied with how these systems are regulated and has completely ignored the possibility that their very existence may represent an unnecessary safety risk. For example, the unkillable 2000 Toyota Corolla VE I keep around as a backup vehicle may not offer me turn-by-turn directions or allow me to pay for gas without ever reaching into my pocket. But it’s also not exposing me to identity theft, manufacturer data harvesting, or vehicle hacking because it’s not capable of being connected to the internet. Though the government willfully ignoring this fact is hardly a novel problem. I’ve watched legislators repeatedly display their lack of knowledge on the subject for years, with the end result often being their deferring to experts (often industry lobbyists) while collectively failing to grapple with the most basic aspects of modern tech. 

While the NHTSA is likely to be substantially better informed than your average Senator, connected-car technologies are advancing at a rate that’s difficult for anyone to keep up with. This becomes obvious when reading through the report, as most inclusions basically amount to the agency asking that the industry collaboratively regulates itself without burning the customer or third-party repair shops too badly. But it doesn’t seem all that interested in taking manufactures to task when connected technologies create vulnerabilities. 

It could be argued that’s ultimately the responsibility of the Federal Communications Commission (FCC). However the communications commission has been pretty hands off when it comes to regulating the automotive sector. The FCC has really only expressed an interest in determining which portions of the communications band, while The Department of Transportation (DOT) and NHTSA actually proposed making vehicle-to-vehicle and communication a legal requirement in all new cars in 2017. While that didn’t end up happening, it showed where U.S. regulators generally stand on the issue of vehicle connectivity.

[Image: Virrage Images]