NHTSA Updating Guidance for Connected Cars, Cybersecurity
Despite having a formal mission objective to “save lives, prevent injuries, and reduce vehicle-related crashes,” the National Highway Traffic Safety Administration (NHTSA) has been shifting some of its focus toward automotive connectivity over the last few years. In fact, the agency has recently updated its guidance for vehicle cybersecurity – which was originally penned in 2016.
While this raises questions about the true role of the NHTSA, most government regulators have been flexing their muscles as new automotive technologies lacking clearly defined directives become increasingly commonplace. Besides, the safety agency has at least managed to tie its cybersecurity guidance (which is currently voluntary) to hacking concerns that could alter how the affected car behaves and how that might translate into physical harm for those on the road.
"As vehicle technology and connectivity develop, cybersecurity needs to be a top priority for every automaker, developer and operator," said NHTSA Administrator Steven Cliff, who will soon be leaving the agency to rejoin the California Air Resources Board (CARB) as its new executive officer. "NHTSA is committed to the safety of vehicles on our nation's roads and these updated best practices will provide the industry with important tools to protect Americans against cybersecurity risks."
According to the agency, the 2022 Cybersecurity Best Practices leverages its own pre-existing research, industry voluntary standards, and learnings from the motor vehicle cybersecurity research over the past several years. The basis of the guidance, though, stems from an earlier draft, introduced in 2016, and a request for public comment issued in the very last days of the Trump administration.
Whereas the previous version is slightly more detailed, the 2022 edition adds a few items and further emphasizes the NHTSA’s desire to see more companies joining the Automotive Information Sharing and Analysis Center (Auto ISAC) that became operational in 2016. If you’re unfamiliar, Auto ISAC is an “industry-driven” coalition of companies (e.g. global automakers, suppliers, and tech companies) that share vehicle data under the premise that it’ll be used to help mitigate cyber attacks. Critics have accused the group of being little more than a lobbying effort designed to help steer government regulatory efforts with respect to connected cars. But proponents believe having a group wholly dedicated to identifying and preventing hacking threats is ultimately beneficial.
Regardless, both versions of the guidance report request that companies establish a “culture that is prepared and able to handle increasing cybersecurity challenges.” This means spending more money testing connected systems for existing vulnerabilities, better communicating potential vulnerabilities between companies or the government (ideally, via Auto ISAC), and appointing high-level corporate officers overseeing an entire department that would be directly responsible for product cybersecurity with a “top-down” management emphasis. The 2022 edition simply expands upon these requests, adding that companies should likewise “develop metrics to periodically assess the effectiveness of their response process.”
The latter guidance also suggests that “any incidents should also be reported to CISA/United States Computer Emergency Readiness Team (US-CERT) in accordance with the US-CERT Federal Incident Notification Guidelines.” Information sharing is actually a massive part of both reports, with the NHTSA making mention of Executive Order 13691 – an Obama-era directive that “encourages the development and formation of industry-specific Information Sharing and Analysis Organizations and calls on private companies, nonprofit organizations, executive departments, agencies, and other entities to ‘share information related to cybersecurity risks and incidents and collaborate in as close to real time as possible.’”
While not limited to automobiles, EO 13691 is a keystone issue for the NHTSA and basically underpins its request to have everyone join Auto ISAC over national security concerns. However, nobody seems to have addressed why a global coalition of automakers would bother going out of its way to specifically protect the United States when their products are sold the world over.
The rest of the NHTSA’s 2022 Cybersecurity Best Practices focuses on telling the industry that it might be a good idea to establish some kind of reporting system and response when cybersecurity issues arise. For now, the agency is being fairly nonspecific beyond endorsing Auto ISAC. But it does seem to want the resulting process to mimic its own protocols for vehicle safety recalls – even if the NHTSA seems to prefer the industry audit itself when it comes to data breaches and potential hacking vulnerabilities.
Some language was also shifted in regard to aftermarket products and who should be allowed access to a vehicle’s firmware and/or software code. In the earlier version, the NHTSA suggests the industry consider aftermarket devices and how they “could impact safety-of-life” even if the device has nothing to do with safety. In the newer draft, the agency makes reference to “Aftermarket/User Owned Devices,” asks aftermarket companies to likewise consider security risks, and recommends that all third-party devices “be authenticated and provided with appropriate limited access.”
This was expanded upon in the section about limiting general access via a car’s debugging port, serial console, or an open IP port on the vehicle’s Wi-Fi network. Ideally, the NHTSA would like to restrict who can access the ECU by limiting developer-level access and minimizing diagnostic features, and by having manufacturers better control the relevant hardware or how a vehicle behaves after it’s been modified by the end user. It also stated that “merely physically hiding connectors, traces, or pins intended for developer debugging access should not be considered a sufficient form of protection.”
This will undoubtedly annoy the right-to-repair movement that’s finally making some headway in the United States. However, the NHTSA curiously retained the 2016 report’s request to ensure vehicles remain serviceable by ensuring digital protections “do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner.” That language is softened, though, by the suggestion that finding the appropriate balance will be challenging.
My take is that the NHTSA has become too preoccupied with how these systems are regulated and has completely ignored the possibility that their very existence may represent an unnecessary safety risk. For example, the unkillable 2000 Toyota Corolla VE I keep around as a backup vehicle may not offer me turn-by-turn directions or allow me to pay for gas without ever reaching into my pocket. But it’s also not exposing me to identity theft, manufacturer data harvesting, or vehicle hacking because it’s not capable of being connected to the internet. Though the government willfully ignoring this fact is hardly a novel problem. I’ve watched legislators repeatedly display their lack of knowledge on the subject for years, with the end result often being their deferring to experts (often industry lobbyists) while collectively failing to grapple with the most basic aspects of modern tech.
While the NHTSA is likely to be substantially better informed than your average Senator, connected-car technologies are advancing at a rate that’s difficult for anyone to keep up with. This becomes obvious when reading through the report, as most inclusions basically amount to the agency asking that the industry collaboratively regulate itself without burning the customer or third-party repair shops too badly. But it doesn’t seem all that interested in taking manufacturers to task when connected technologies create vulnerabilities.
It could be argued that’s ultimately the responsibility of the Federal Communications Commission (FCC). However, the communications commission has been pretty hands-off when it comes to regulating the automotive sector. The FCC has really only expressed an interest in determining which portions of the communications band, while the Department of Transportation (DOT) and NHTSA actually proposed making vehicle-to-vehicle and communication a legal requirement in all new cars in 2017. While that didn’t end up happening, it showed where U.S. regulators generally stand on the issue of vehicle connectivity.
[Image: Virrage Images]
Join the conversation
The Venn diagram where "computers" and "government" overlap is... well never mind. 😉
"10 Best Ski Masks for Coding"