The Federal Bureau of Investigation earlier in 2016 warned that criminals could exploit online vehicle software updates. The NHTSA document recommends manufacturers conduct tests of vehicle systems to see if the cyber security systems can be breached, and document their testing and their assessment of the risks.
Rather than relying on self-regulation by the industry some law makers are calling for legislation to enforce the securing of vehicle systems. Commenting on the NHTSA report, U.S. Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) said in a statement: “This new cybersecurity guidance from the Department of Transportation is like giving a take-home exam on the honor code to failing students. If modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger.” While they are not (yet) enforceable rules, the guidelines are the start of a process towards establishing a road map for the industry to protect increasingly connected and automated vehicles from cyber-attacks.
In some areas the industry is already well on the road to compliance. OEMs shifted the focus on cyber-security into high gear after data security researchers successfully took remote control of a Jeep Cherokee in July 2015. Fiat Chrysler Automobiles in the same month recalled 1.4 million vehicles to install software to protect against future data breaches. Other automakers, including BMW and Tesla, have subsequently plugged potential data security gaps.
Major manufacturers are already sharing information about cyber security threats, which is one of the proposals in the "Cybersecurity Best Practices for Modern Vehicles" document.
In 2015, a non-profit automotive Information Sharing and Analysis Center (ISAC) was established by a global group of automakers to act as a central hub for coordination and communication around industry-wide sharing cyber threats and vulnerabilities to the connected vehicle. The Auto ISAC is one of 23 ISACS on a National Council. The national council serves as an American forum for sharing physical and cyber threat and response information across sectors and as a gateway for federal agencies and other partners to reach the ISAC community.
In addition, a document outlining proactive safety principles released in January 2016 demonstrate the automotive industry’s commitment to collaboratively enhance the safety of the traveling public. The objective of the fourth principle, “Enhance Automotive Cybersecurity,” is to explore and employ ways to collectively address cyber threats that could present unreasonable safety or security risks. This includes the development of best practices to secure the motor vehicle ecosystem.
To further this objective, the Auto ISAC has undertaken the task of creating and maintaining a series of automotive cybersecurity best practices. The best practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties.
The best practices expand on the Framework for Automotive Cybersecurity Best Practices published in January 2016 by the Alliance of Automobile Manufacturers and the Association of Global Automakers. These best practices follow a precedent set by other ISACs and similar organizations that have developed best practices for their respective industries.
The Alliance of Automobile Manufacturers or Auto Alliance, a leading advocacy group for the auto industry, represents 77% of all car and light truck sales in the United States, including the BMW Group, Fiat Chrysler Automobiles, Ford Motor Company, General Motors Company, Jaguar Land Rover, Mazda, Mercedes-Benz USA, Mitsubishi Motors, Porsche, Toyota, Volkswagen Group of America and Volvo Car USA. Headquartered in Washington, DC, the Alliance also has offices in Sacramento, California and Detroit, Michigan.
The Automotive ISAC says that its best practices focus on product cybersecurity within the motor vehicle ecosystem and across the vehicle lifecycle. They refer primarily to U.S. light-duty, on-road vehicles but are applicable to other automotive markets, including heavy-duty and commercial vehicles. The best practices content intentionally leaves room for flexibility to allow for individualized implementation and to support international application by global automakers.
While participating automakers share a common commitment to vehicle cybersecurity, their electrical architectures, connected services, and organizational compositions vary. Accordingly, the best practices do not prescribe specific technical or organizational solutions.
The Auto-ISAC will update the best practices over time to address emerging cybersecurity areas and reflect the constantly evolving cyber landscape.
Automotive Industries (AI) spoke to Creighton Magid, Partner-in-Charge, Washington, DC, Office, Dorsey & Whitney LLP to understand the issues facing automotive OEMs. Magid is the co-Chair of the firm-wide Products Liability practice. Magid works with clients to reduce their liability risks and to help them navigate the federal regulatory system, particularly in connection with the US Consumer Product Safety Commission.
AI: What impact will the NHTSA’s guidelines have on automotive OEMs as regards cyber security?
Magid: The “Cybersecurity Best Practices for Modern Vehicles” guidance document, while general in its guidance, makes the point that automobile manufacturers have to take cybersecurity very seriously, and have to make cybersecurity a top priority in the design, testing, and monitoring of vehicles. Although NHTSA’s guidance document is non-binding, meaning that it can’t be enforced like a Federal Motor Vehicle Safety Standard, it nonetheless establishes an important baseline against which vehicle manufacturers will be measured – particularly by private parties in litigation.
AI: What are some of the important points in the guidance document?
Magid: The key takeaways from NHTSA’s guidance are the importance of making cybersecurity central to vehicle design; performing robust risk assessment and penetration testing; developing a means of identifying and responding to as-yet-unknown attacks; and collaborating closely with others in the automotive industry to share information about cyber vulnerabilities and cybersecurity improvements.
AI: How has the Internet of Things changed the scenario for automotive OEMs?
Magid: Automakers – like manufacturers of other interconnected (“Internet-of-Things”) devices – must treat their products as cyber-physical systems, with as much attention given to electronically interconnected systems as to the rest of the vehicle. Cybersecurity must be given the highest possible priority, in both word and deed. Cyber concerns must be treated as central to the design process, and considered as much of a safety consideration as brakes and crash protection.
AI: Apart from vehicle design, what do automotive OEMs need to do to keep their vehicles safe from potential cyber-attacks?
Magid: They need to give serious thought, up front, to responding to post-sale exploitation of cyber-vulnerabilities, including remote downloading of patches and redundancies of vehicle systems in order to ensure safe operation of the vehicle even in the event of an attack.