The National Highway Traffic Safety Administration’s updated guidance encourages auto industry suppliers and manufacturers to consider cybersecurity a top organizational priority.

By Arthur Foerster, Serrin Turner, Hadrian Luo, and De Vann Sago

On September 9, 2022, the National Highway Traffic Safety Administration (NHTSA) issued a notice of federal guidelines effective upon publication that announced the availability of the final version of its 2022 Cybersecurity Best Practices for the Safety of Modern Vehicles.[1] The notice summarized comments received in response to the draft guidance, laid out NHTSA’s response to those comments, and highlighted the changes made to the draft guidance in response to those comments.[2]

The guidance reflects NHTSA’s strong interest in cybersecurity and the agency’s belief that vehicle cybersecurity should be an organizational priority for the automotive industry.[3] The guidance encourages the industry to proactively address cybersecurity risks to vehicle safety by adopting and using available guidance, existing standards, and best practices.[4]

Cybersecurity Risks in Vehicles

Within the context of on-highway vehicles, cybersecurity is the protection of automotive electronic systems, communication networks, control algorithms, software, underlying data, and users from unauthorized access, malicious attacks, manipulation, or damage.[5] Vehicles are increasingly susceptible to cybersecurity attacks as they incorporate more sophisticated technology, and thus present more potential security vulnerabilities that hackers can access.[6] Hackers may steal user data by infiltrating data centers and back-end servers.[7] Hackers may also obtain direct access to the vehicles themselves, retrieving data and even manipulating autonomous vehicle controls.[8]

NHTSA’s Work in the Cybersecurity Field

NHTSA promotes a multi-layered approach to cybersecurity by concentrating on vehicles’ entry points that could potentially be vulnerable to cyberattacks.[9] NHTSA frequently collaborates with other agencies, vehicle manufacturers, suppliers, and the public to further the automotive industry’s efforts in addressing vehicle cybersecurity issues.[10] NHTSA encourages membership and active participation in the Automotive Information Sharing and Analysis Center (Auto-ISAC),[11] an industry-driven community that shares and analyzes information about emerging cybersecurity risks to vehicles.[12] NHTSA also encourages collaboration by hosting an annual cybersecurity forum with SAE International, a global association of more than 128,000 engineers and related technical experts in the automotive, aerospace, and commercial vehicle industries.[13] SAE will host a government/industry meeting January 17-19, 2023, in Washington, D.C.,[14] focusing on a variety of topics including cybersecurity, emissions, safety, and autonomous vehicles.[15]

NHTSA is conducting research on a number of cybersecurity issues including: 1) anomaly-based intrusion detection systems; 2) cybersecurity of automotive electronics update mechanisms; 3) comparisons of passenger vehicles and larger vehicles from a cybersecurity considerations standpoint; and 4) parser development for vehicle-to-vehicle communication interfaces.[16] NHTSA is also conducting in-house cybersecurity research that explores the risks of current vehicle electronic architecture.[17] NHTSA hopes to establish principles and guidance that can improve the cybersecurity position of passenger vehicles through applied research.[18]

NHTSA’s Updated Cybersecurity Best Practices for the Safety of Modern Vehicles

NHTSA’s 2022 Cybersecurity Best Practices for the Safety of Modern Vehicles updates the agency’s 2016 guidance to the automotive industry for improving motor vehicle cybersecurity.[19] The guidance encourages suppliers and manufacturers in the automotive industry to consider cybersecurity a top organizational priority, as NHTSA does, to address potential cybersecurity risks and minimize impact on safety.[20] Compared to the 2016 guidance, this updated guidance incorporates industry standards such as those provided in the International Standards Organization (ISO)/SAE International Final Draft International Standard on “Road Vehicles – Cybersecurity engineering,” which represents a consensus of global experts on automotive cybersecurity.[21]

The guidance elaborates on specific recommendations for two categories of best practices regarding cybersecurity: general and technical. The general best practices cover a wide range of topics including leadership priority, vehicle development process, information sharing, programs for security vulnerability reporting, incident response process, and self-auditing.[22] The technical best practices touch on topics such as debugging access, cryptographic techniques, and wireless paths into vehicles.[23]

General Best Practices

On general best practices, the 2022 guidance retains many of the best practices from the 2016 version, including having a documented plan for incident response and clearly identifying personnel with responsibilities for incident response and communication channels.[24] The 2022 guidance, however, also adds that “organizations should have a plan for addressing newly identified vulnerabilities on consumer-owned vehicles in the field, inventories of vehicles built but not yet distributed to dealers, vehicles delivered to dealerships but not yet sold to consumers, as well as future products and vehicles.”[25] The 2022 guidance also calls on the industry to collaborate to quickly develop responses to future risks as they emerge.[26] The general best practices guidance further suggests that cybersecurity education for the workforce plays an important role and encourages companies to work with universities to support educational efforts.[27] In addition, the 2022 guidance encourages manufacturers to take into account cybersecurity risks post-sale of a vehicle, including assessing the risks from the connection with vehicle owners’ other mobile devices and long-term serviceability of vehicles with respect to cybersecurity.[28]

Technical Best Practices

On technical best practices, the 2022 guidance includes a new section that specifically addresses the use of cryptographic techniques and credentials.[29] Cryptographic techniques are used to ensure integrity of data and secrecy when facing an adversary,[30] and cryptographic credentials help mediate access to vehicle computing resources and back-end servers.[31] The 2022 guidance provides that organizations should keep their cryptographic techniques updated in light of any new innovation.[32] The 2022 guidance also provides that cryptographic credentials should be varied among vehicles to prevent a situation in which credentials obtained from one vehicle provide access to other vehicles.[33] The 2022 guidance also recommends the use of best practices to protect critical information transmitted through possibly insecure channels, such as limiting the possibility of replay, integrity compromise and spoofing, and restricting physical and logical access.[34]
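The two recommendations above, varied credentials and protection against replay, integrity compromise, and spoofing, can be illustrated with a short sketch. It is an added example, not code from the NHTSA guidance or from this alert, and it assumes one possible construction: a per-vehicle key derived with HMAC-SHA256 from a fleet secret, and frames carrying a monotonic counter. All names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
FLEET_SECRET = b"\x11" * 32  # constructed sample; a real one stays in an HSM

def derive_vehicle_key(fleet_secret: bytes, vehicle_id: str) -> bytes:
    """Per-vehicle key (assumed construction): HMAC(fleet secret, label | id)."""
    label = b"vehicle-credential-v1|" + vehicle_id.encode()
    return hmac.new(fleet_secret, label, hashlib.sha256).digest()

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Frame = 8-byte big-endian counter | payload | HMAC over both."""
    header = struct.pack(">Q", counter)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

class Receiver:
    """Vehicle-side check: authenticate first, then enforce counter freshness."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered frame, or sealed with another vehicle's key
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replayed or stale frame
        self.last_counter = counter
        return body[8:]

def demo() -> dict:
    key_a = derive_vehicle_key(FLEET_SECRET, "VEHICLE-A")  # constructed IDs
    key_b = derive_vehicle_key(FLEET_SECRET, "VEHICLE-B")
    vehicle_a, vehicle_b = Receiver(key_a), Receiver(key_b)
    frame = seal(key_a, 1, b"open-diagnostic-session")
    altered = bytearray(seal(key_a, 2, b"open-diagnostic-session"))
    altered[8] ^= 0x01  # flip one payload bit
    return {
        "fresh": vehicle_a.accept(frame),
        "replayed": vehicle_a.accept(frame),
        "altered": vehicle_a.accept(bytes(altered)),
        "other_vehicle": vehicle_b.accept(frame),
    }
```

Only the first, fresh frame is accepted; the replayed copy, the altered frame, and the frame presented to a different vehicle are all rejected.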

Latham & Watkins will continue to monitor developments in this area.

Endnotes

[1] Cybersecurity Best Practices for the Safety of Modern Vehicles, 87 FR 55459 (Sept. 9, 2022).

[2] Id.

[3] Cybersecurity Best Practices for the Safety of Modern Vehicles at 1 (Sept. 2022), available at https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-tag.pdf.

[4] Id.

[5] NHTSA, Automotive Cybersecurity: Overview, available at https://www.nhtsa.gov/crash-avoidance/automotive-cybersecurity#:~:text=Cybersecurity%2C%20within%20the%20context%20of,%2C%20unauthorized%20access%2C%20or%20manipulation.

[6] https://www.uscybersecurity.net/automotive-industry/; https://www.iso.org/news/ref2705.html.

[7] https://www.uscybersecurity.net/automotive-industry/.

[8] Id.

[9] NHTSA, Vehicle Cybersecurity: Cybersecurity Protection Methods, available at https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity.

[10] NHTSA, NHTSA in Action, available at https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity.

[11] 87 FR at 55461; https://automotiveisac.com/.

[12] 87 FR at 55461; https://automotiveisac.com/.

[13] 87 FR at 55461; SAE International – Advancing Mobility Knowledge and Solutions, available at https://www.sae.org/.

[14] https://www.sae.org/attend/government-industry/program.

[15] Id.

[16] NHTSA, Vehicle Cybersecurity: Current Research, available at https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity.

[17] Id.

[18] Id.

[19] Cybersecurity Best Practices for the Safety of Modern Vehicles at 2.

[20] Id.

[21] Id. at 2.

[22] Id. at 4-11.

[23] Id. at 12-17.

[24] Id. at 9.

[25] Id.

[26] Id. at 7.

[27] Id. at 11.

[28] Id. at 11-12.

[29] Id. at 13.

[30] ScienceDirect, “Cryptographic Technique,” available at https://www.sciencedirect.com/topics/computer-science/cryptographic-technique.

[31] Cybersecurity Best Practices for the Safety of Modern Vehicles at 13.

[32] Id.

[33] Id.

[34] Id. at 14.