NHTSA releases updated vehicle cybersecurity best practices
The 2022 report leveraged research and industry activity over the last six years to provide updated guidance for how the auto industry can improve vehicle cybersecurity.
In the midst of ever-evolving cyberthreats, the National Highway Traffic Safety Administration (NHTSA) recently updated its Cybersecurity Best Practices for the Safety of Modern Vehicles report, which was originally released in 2016. The 2022 report leveraged research and industry activity over the last six years in order to provide updated guidance for how the automotive industry can improve motor vehicle cybersecurity.
The non-binding recommendations from the NHTSA fall into two main categories: general best practices and technical best practices.
General vehicle cybersecurity best practices
The NHTSA recommends the automotive industry follow the National Institute of Standards and Technology’s (NIST’s) documented Cybersecurity Framework in order to “build a comprehensive and systematic approach to developing layered cybersecurity protections for vehicles.”
Other recommendations from the NHTSA about general vehicle cybersecurity include:
- Emphasizing the importance of cybersecurity from the top level of leadership to the staff level in order to demonstrate how serious effectively managing cybersecurity is.
- The vehicle development process should include a cybersecurity risk assessment step, with safety of the vehicle’s occupants and others on the road as the primary concern when considering risks.
- The industry should pay attention to sensor vulnerability — an emerging area of risk — as sensor data can potentially be manipulated. Some of these acts of signal manipulation include GPS spoofing, Lidar/Radar jamming and spoofing and camera blinding.
- The automotive industry should develop ways to rapidly detect vehicle cybersecurity incidents, as well as strategies for remediation. These capabilities should be able to mitigate a detected cyberattack and transition the vehicle to a “minimum risk condition.”
- Information on potential attacks should be recorded, analyzed and then shared industry-wide.
- Companies should establish an ongoing system to update processes and reevaluate risks as the cybersecurity landscape evolves.
Technical vehicle cybersecurity best practices
In updating their vehicle cybersecurity recommendations, the NHTSA utilized internal applied research, as well as input about stakeholder experiences. This led them to a collection of technical best practices, including:
- Access at the developer level should be limited or eliminated if there isn’t any reason the software developer would need continued access. If continued developer access is necessary, appropriate protections for debugging interfaces should be in place.
- Cryptographic techniques can change in response to innovation, so it’s imperative the automotive industry keeps its cryptographic techniques current to avoid them becoming obsolete.
- Vehicle diagnostic features can assist in the repair and service of vehicles, but they can also be used to compromise vehicle systems. For this reason, these features should be limited to a “specific mode of vehicle operation which accomplishes the intended purpose of the associated feature.” They also recommend these operations be designed in such a way as to minimize the dangerous ramifications if they are misused.
- Critical safety messages should be sent in a way that is inaccessible from external interfaces, and best practices should be implemented for the communication of critical information over shared or insecure channels.
- Wireless interfaces in vehicles can potentially be remotely accessed and exploited, and these attacks could potentially scale to multiple vehicles. Manufacturers should design vehicles’ wireless interfaces to treat all external networks and systems as untrusted to mitigate threats.
- Manufacturers that offer over-the-air software update distribution should maintain the integrity of these updates, the update servers, the method of transmission and overall updating process.
These best practices are all voluntary, but the NHTSA states in their report that they believe their recommendations can provide a foundation for manufacturers to develop a risk-based approach, as well as recognize the importance of processes that can be maintained and updated over time to best meet the cybersecurity needs of the automotive industry.