Today the DOT’s National Highway Transportation Safety Administration
(NHTSA) published a request for comments in the Federal Register (86
FR 2481-2486) on its draft update to its “Cybersecurity Best Practices
for the Safety of Modern Vehicles”. This is an update of the 2016
version of the document, based upon ongoing research and on comments
received from government agencies, industry and the public on the
original document.
In today’s notice NHTSA makes it clear that it continues to believe that
adoption of these best practices should be voluntary. It also specifically
notes that the practices deal with the safety aspects of cybersecurity;
safety, not privacy, is NHTSA’s mandate.
The new draft includes the following ‘new’ best practices:
- should consider the risks associated with sensor vulnerabilities and potential sensor signal manipulation efforts such as GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, or excitation of machine learning false positives.
- cybersecurity expectations should be specified and communicated to the suppliers that support the intended protections.
- Manufacturers should maintain a database of operational software components used in each automotive ECU, each assembled vehicle, and a history log of version updates applied over the vehicle’s lifetime; and Manufacturers should track sufficient details related to software components, such that when a newly identified vulnerability is identified related to an open source or off-the-shelf software, manufacturers can quickly identify what ECUs and specific vehicles would be affected by it.
- Manufacturers should evaluate all commercial off-the-shelf and open-source software components used in vehicle ECUs against known vulnerabilities.
- practices for secure software development should be followed, for example as outlined in NIST 8151 and ISO/SAE 21434.
- Manufacturers should actively participate in automotive industry-specific best practices and standards development activities through Auto-ISAC and other recognized standards development organizations.
- to assessed risks, organizations should have a plan for addressing newly identified vulnerabilities on consumer-owned vehicles in the field, inventories of vehicles built but not yet distributed to dealers, vehicles delivered to dealerships but not yet sold to consumers, as well as future products and
- connection to a third-party device should be authenticated and provided with appropriate limited access.
- [T.7] The use of global symmetric keys and ad-hoc cryptographic techniques for diagnostic access should
- [T.8] Vehicle and diagnostic tool manufacturers should control tools’ access to vehicle systems that can perform diagnostic operations and reprogramming by providing for appropriate authentication and access control.
- [T.12] Such logs that can be aggregated across vehicles should be periodically reviewed to assess potential trends of cyber-attacks.
- Manufacturers should treat all networks and systems external to a vehicle’s wireless interfaces as untrusted and use appropriate techniques to mitigate
- [T.22] Maintain the integrity of OTA updates, update servers, the transmission mechanism and the updating process in general.
- [T.23] Take into account, when designing security measures, the risks associated with compromised servers, insider threats, man-in-the-middle attacks, and protocol
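As an added illustration (not part of NHTSA’s draft or of this post), the component database and version history log called for in the list above can be modeled as a small inventory with a query that maps a newly disclosed flaw in an off-the-shelf library to the ECU firmware images and the individual vehicles whose current firmware contains it. The library name ‘tls-lib’, the ECU names, firmware versions and VINs are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
@dataclass(frozen=True)
class Component:
    name: str      # open-source or off-the-shelf library bundled into the firmware
    version: str
# Firmware image (ECU, version) -> its software bill of materials (sample data)
FIRMWARE_SBOM = {
    ("TCU", "2.1.0"): {Component("tls-lib", "1.4.2"), Component("can-stack", "3.0")},
    ("TCU", "2.2.0"): {Component("tls-lib", "1.4.5"), Component("can-stack", "3.0")},
    ("IVI", "5.0.3"): {Component("tls-lib", "1.4.2"), Component("media-parser", "0.9")},
    ("BCM", "1.7.1"): {Component("can-stack", "3.0")},
}

@dataclass
class Vehicle:
    vin: str
    # per ECU: list of (firmware version, date applied), oldest first; last is current
    update_log: dict = field(default_factory=dict)
    def apply_update(self, ecu: str, version: str, when: date) -> None:
        self.update_log.setdefault(ecu, []).append((version, when))
    def current_firmware(self) -> dict:
        return {ecu: log[-1][0] for ecu, log in self.update_log.items()}

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def affected_firmware(component: str, fixed_in: str) -> set:
    """(ECU, firmware) images bundling `component` at a version below `fixed_in`."""
    fixed = parse_version(fixed_in)
    return {img for img, sbom in FIRMWARE_SBOM.items()
            if any(c.name == component and parse_version(c.version) < fixed for c in sbom)}

def affected_vehicles(fleet: list, component: str, fixed_in: str) -> dict:
    """Map each affected VIN to the ECUs whose *current* firmware is vulnerable."""
    vulnerable = affected_firmware(component, fixed_in)
    hits = {v.vin: [e for e, fw in v.current_firmware().items() if (e, fw) in vulnerable]
            for v in fleet}
    return {vin: ecus for vin, ecus in hits.items() if ecus}

def sample_fleet() -> list:
    """Constructed fleet: VIN-A received an OTA telematics update, VIN-B did not."""
    a, b = Vehicle("VIN-A"), Vehicle("VIN-B")
    a.apply_update("TCU", "2.1.0", date(2020, 3, 1))
    a.apply_update("IVI", "5.0.3", date(2020, 3, 1))
    a.apply_update("TCU", "2.2.0", date(2020, 9, 1))  # field update to patched build
    b.apply_update("TCU", "2.1.0", date(2020, 6, 1))
    b.apply_update("BCM", "1.7.1", date(2020, 6, 1))
    return [a, b]
```

Calling affected_vehicles(sample_fleet(), "tls-lib", "1.4.5") reports VIN-A only through its infotainment unit, because its telematics unit was already updated in the field, while VIN-B is still exposed through its telematics unit.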
NHTSA is soliciting public comments on this draft document.
Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #NHTSA-2020-0087).
Comments should be submitted by March 15th, 2020.
Guidance documents such as this have two major shortcomings.
First, and foremost, since they are explicitly voluntary, there is no
way to ensure that they are being followed. Second, even if a company were to
try to adhere to this guidance, without an outside eye watching how the
guidance is implemented, to ensure that the company really understands what it
is doing or trying to do from a cybersecurity perspective, there will be
significant gaps in the resulting cybersecurity coverage.
This is not privacy or money that NHTSA is trying to protect.
You cannot go back and require a company that failed to adequately implement
these best practices to make an affected customer whole by replacing mangled
limbs or reanimating dead bodies. Lack of cybersecurity in moving vehicles is
going to have physical consequences in the real world. Monetary damages from
lawsuits are not going to be an adequate (and will be a very delayed) response to