NHTSA Issues New “Best Practices” Guidelines to Protect Motor Vehicles From Cybersecurity Threats

Federal highway safety officials have released a new cybersecurity guidance for the automobile industry, which calls on manufacturers to make it a priority to develop multi-level defense systems that will protect vehicles from malicious cyber-attacks and security failures.

Cybersecurity in the automotive industry has become a growing topic of concern, as manufacturers continue to develop autonomous vehicles and technologies that are projected to save thousands of lives annually from car crashes. However, if the hackers are able to disrupt the vehicle controls, it could cause serious risks on U.S. roadways in the future.

The U.S. National Highway Traffic Safety Administration released an updated 2022 Cybersecurity Best Practices for the Safety of Modern Vehicles this month, urging automakers, suppliers and the aftermarket automobile industry to focus on thwarting cybersecurity risks when designing components of automated vehicles.

The updated guidelines provide non-binding, voluntary recommendations for automobile manufacturers to establish a layered approach when designing electrical systems and software’s from real-world will threats.

Officials said automated vehicle systems should be built upon risk-based prioritized identification and protection of safety-critical vehicle control systems, eliminating sources of risks to safety-critical vehicle control systems where possible and feasible, provide timely detection and rapid response to potential vehicle cybersecurity incidents in the field, develop rapid recovery response processes for when an incident occurs, as well as to maintain the ability to adopt new updates to protect against evolving threats.

Specifically, cybersecurity threats to automated vehicles outlined in the guidance include GPS spoofing, road sign modification, light detection and ranging (LiDAR)/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.

The guidance further warns about the evolving use of wireless communication and paths to autonomous vehicles, which can each create new attack vectors that could be remotely exploited.

These wireless communications include over-the-air (OTA) software updates, which is a software update distribution method using wireless transmission. These types of updates are often pushed to resolve software bugs that can result in safety defects which pose risks to consumers. Officials recommended the access and security of servers providing updates be routinely assessed to prevent insider threats, men-in-the-middle attacks, and protocol vulnerabilities.

“As vehicle technology and connectivity develop, cybersecurity needs to be a top priority for every automaker, developer, and operator,” said Dr. Steven Cliff, NHTSA’s Administrator. “NHTSA is committed to the safety of vehicles on our nation’s roads, and these updated best practices will provide the industry with important tools to protect Americans against cybersecurity risks.”