Automobile Cybersecurity Risks Targeted by NHTSA Proposed Guidance

The National Highway Traffic Safety Administration (NHTSA) has released new cyber security guidance for the automobile industry, calling on manufacturers to make it a priority to develop multi-level defense systems that protect vehicles from malicious cyber-attacks and security failures. 

With continuously evolving automotive technology entering the market, many vehicles are being developed with automated systems controlled by electronics and computer systems. While these systems provide substantial benefits and safety features, they may also open the door to security breaches by hackers if not properly designed, potentially disrupting control of the vehicle and increasing the risk of an accident.

In a new automobile safety guidance (PDF) issued this week, the NHTSA urges automakers and their suppliers to focus on the prevention of cyber security risks in the development of new vehicles.

Officials from the NHTSA released the non-binding guidance to the public after gathering public feedback from consumers and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

The guidance proposes that the automobile industry, including the automakers, suppliers, and technology supplying companies, begin focusing their attentions on the importance of cyber security in the development of modern vehicles.

“Cybersecurity is a safety issue, and a top priority at the Department,” Transportation Secretary Anthony Foxx said in a press release. “Our intention with today’s guidance is to provide best practices to help protectagainst breaches and other security failures that can put motor vehicle safety at risk.”

Within the guidance, the NHTSA encourages the automobile industry to design “layered solutions” that would ensure vehicle systems are designed to prevent and mitigate cyber security hacks to keep drivers safe even when the breach is successful. The guidance further calls for the cyber security defense systems to take a “risk-based prioritized identification and protection of critical vehicles controls and consumers’ personal data.” These types of defenses would include manual operator override systems during a breach for automated self-driving vehicles.

The guidance proposes that the cyber security technology also take into consideration the entire life-span of vehicles, to ensure that older models in the future are still protected and can have adaptable or updated software installs.

The Department of Transportation (DOT) and the NHTSA are suggesting the automotive industry begin allocating the appropriate resources and researching the best professional organizations and communication channels to align themselves with to begin implementing cyber security based strategies.

“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” NHTSA Administrator Dr. Mark Rosekind said in the press release. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”

Efforts by several automakers were increased to prevent cyber security hacks after two hackers were able to take control over a Fiat Chrysler 2014 Jeep Cherokee. Reports of the incident indicate that the hackers were able to control all of the electronics displaying on the dash and were even able to kill the transmission while the vehicle was in motion. The hack resulted in nearly 1.4 million vehicles being recalled to install software that would protect against future data breaches.

The Federal Bureau of Investigation released a warning that criminals could take control over or exploit vehicle software, prompting the NHTSA’s recently released cyber security guidance. The NHTSA is asking automakers to conduct necessary testing of vehicle systems to ensure the systems cannot be breached or tampered with in a way that could put drivers at risk or harm.