Tuesday, January 12, 2021

NHTSA Publishes Cybersecurity Request for Comments

Today the DOT’s National Highway Transportation Safety Administration (NHTSA) published a request for comments in the Federal Register (86 FR 2481-2486) on its draft update [.PDF Download] for their “Cybersecurity Best Practices for the Safety of Modern Vehicles”. This is an update of the 2016 version of the document based upon ongoing research and comments received from government agencies, industry and the public on the original document [.PDF download].

In today’s notice NHTSA makes it clear that it continues to believe that adoption of these best practices should be voluntary. It also specifically notes that the document deals with the safety aspects of cybersecurity; safety, not privacy, is NHTSA’s mandate.

New Guidance

The new draft includes the following ‘new’ best practices:

[G.6] Manufacturers should consider the risks associated with sensor vulnerabilities and potential sensor signal manipulation efforts such as GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, or excitation of machine learning false positives.

[G.9] Clear cybersecurity expectations should be specified and communicated to the suppliers that support the intended protections.

[G.10] Manufacturers should maintain a database of operational software components used in each automotive ECU, each assembled vehicle, and a history log of version updates applied over the vehicle's lifetime; and Manufacturers should track sufficient details related to software components, such that when a newly identified vulnerability is identified related to an open source or off-the-shelf software, manufacturers can quickly identify what ECUs and specific vehicles would be affected by it.

[G.12] Manufacturers should evaluate all commercial off-the-shelf and open-source software components used in vehicle ECUs against known vulnerabilities.

[G.22] Best practices for secure software development should be followed, for example as outlined in NIST 8151 and ISO/SAE 21434.

[G.23] Manufacturers should actively participate in automotive industry-specific best practices and standards development activities through Auto-ISAC and other recognized standards development organizations.

[G.30] Commensurate to assessed risks, organizations should have a plan for addressing newly identified vulnerabilities on consumer-owned vehicles in the field, inventories of vehicles built but not yet distributed to dealers, vehicles delivered to dealerships but not yet sold to consumers, as well as future products and vehicles.

[G.40] Any connection to a third-party device should be authenticated and provided with appropriate limited access.

[T.7] The use of global symmetric keys and ad-hoc cryptographic techniques for diagnostic access should be minimized.

[T.8] Vehicle and diagnostic tool manufacturers should control tools' access to vehicle systems that can perform diagnostic operations and reprogramming by providing for appropriate authentication and access control.

[T.12] Such logs that can be aggregated across vehicles should be periodically reviewed to assess potential trends of cyber-attacks.

[T.13] Manufacturers should treat all networks and systems external to a vehicle's wireless interfaces as untrusted and use appropriate techniques to mitigate potential threats.

[T.22] Maintain the integrity of OTA updates, update servers, the transmission mechanism and the updating process in general.

[T.23] Take into account, when designing security measures, the risks associated with compromised servers, insider threats, men-in-the-middle attacks, and protocol vulnerabilities.
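The component inventory and vulnerability lookup that G.10 and G.12 call for, as an added example that is not NHTSA's or any manufacturer's code; the VINs, ECU ids, component names and the vulnerable version range are constructed placeholders:

```python
from dataclasses import dataclass, field


def parse_version(s: str) -> tuple:
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Ecu:
    ecu_id: str
    components: dict = field(default_factory=dict)  # name -> installed version tuple
    history: list = field(default_factory=list)     # (name, old, new) per update (G.10 log)

    def install(self, name: str, version: str) -> None:
        new = parse_version(version)
        self.history.append((name, self.components.get(name), new))
        self.components[name] = new


class Fleet:
    """vin -> {ecu_id: Ecu}: the per-vehicle component database G.10 describes."""
    def __init__(self) -> None:
        self.vehicles: dict = {}

    def add_ecu(self, vin: str, ecu: Ecu) -> None:
        self.vehicles.setdefault(vin, {})[ecu.ecu_id] = ecu

    def affected(self, name: str, lo: str, hi: str) -> list:
        """(vin, ecu_id) currently running `name` in [lo, hi): the G.12 check."""
        lo_v, hi_v = parse_version(lo), parse_version(hi)
        return sorted((vin, e.ecu_id) for vin, ecus in self.vehicles.items()
                      for e in ecus.values()
                      if name in e.components and lo_v <= e.components[name] < hi_v)

    def ever_ran(self, name: str, lo: str, hi: str) -> list:
        """Same query over the update history; already-patched vehicles still matter for forensics."""
        lo_v, hi_v = parse_version(lo), parse_version(hi)
        return sorted({(vin, e.ecu_id) for vin, ecus in self.vehicles.items()
                       for e in ecus.values() for n, _, v in e.history
                       if n == name and lo_v <= v < hi_v})


def build_sample_fleet() -> Fleet:
    """Constructed sample data: placeholder VINs, ECU ids and component names."""
    fleet = Fleet()
    tcu1 = Ecu("TCU"); tcu1.install("tls-lib", "1.2.3")
    ivi1 = Ecu("IVI"); ivi1.install("tls-lib", "1.4.0"); ivi1.install("json-parser", "2.0.1")
    tcu2 = Ecu("TCU"); tcu2.install("tls-lib", "1.2.3"); tcu2.install("tls-lib", "1.4.0")  # OTA-updated
    for e in (tcu1, ivi1):
        fleet.add_ecu("VIN-SAMPLE-0001", e)
    fleet.add_ecu("VIN-SAMPLE-0002", tcu2)
    return fleet
```

Querying `build_sample_fleet().affected("tls-lib", "1.0.0", "1.4.0")` returns only the first vehicle's TCU, while `ever_ran` with the same range also returns the second vehicle's TCU because its history records the vulnerable version before the update.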

Public Comments

NHTSA is soliciting public comments on this draft document. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #NHTSA-2020-0087). Comments should be submitted by March 15th, 2020.

Commentary

Guidance documents such as this have two major shortcomings. First, and foremost, since they are explicitly voluntary, there is no way to ensure that they are being followed. Second, even if a company were to try to adhere to this guidance, there will be significant gaps in the resulting cybersecurity coverage unless an outside eye watches over how the guidance is implemented and confirms that the company really understands what it is doing, or trying to do, from a cybersecurity perspective.

It is not privacy or money that NHTSA is trying to protect. You cannot go back and require a company that failed to adequately implement these best practices to make an affected customer whole by replacing mangled limbs or reanimating dead bodies. A lack of cybersecurity in moving vehicles is going to have physical consequences in the real world. Monetary damages from lawsuits are not going to be an adequate (and will be a very delayed) response to cybersecurity failures.
