NHTSA Updates US Cybersecurity Guidelines for Vehicles

Connected and software-defined vehicles technologies are on the rise, offering customers a better user experience, and introducing new monetization strategies for OEMs. Given the rising cybersecurity challenges and risks associated with the digital transformation of the Automotive and Smart Mobility ecosystem, the National Highway Traffic Safety Administration, NHTSA, has recently released updated cybersecurity best practices for new vehicles. While these guidelines are non-binding at this time, their objective is to reflect the growing concerns and the sense of urgency in mitigating cybersecurity risks across the entire ecosystem.

The release of the NHTSA Cybersecurity Best Practices for Modern Vehicles signals that government bodies understand the importance of protecting vehicles, as they become more vulnerable to hacking, as well as the standardization of cybersecurity practices across the automotive industry, such as UNECE WP.29 R155.

The final version of this iteration, originally issued in 2016, considers new industry standards and research, and incorporates knowledge gained from real-world incidents and comments submitted about the 2016 and 2021 drafts. The NHTSA will continue to assess cybersecurity risks and update best practices as motor vehicles and their cybersecurity evolve.

The NHTSA recommends a layered cybersecurity approach, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework’s five principal functions: ‘Identify, Protect, Detect, Respond, and Recover’, including:

• Risk-based prioritization of protection for safety-critical vehicle control systems and sensitive information
• Timely detection and rapid response to potential threats and incidents
• Rapid recovery when attacks do occur
• Methods for accelerating the adoption of lessons learned across the industry, including effective information sharing

 

The report, officially titled “Cybersecurity Best Practices for the Safety of Modern Vehicles”, also  highlights some key areas of interest:

• Monitoring, Containment, Remediation 
  • [G.16] In addition to design protections, the automotive industry should establish rapid vehicle cybersecurity incident detection, and remediation capabilities.
  • [G.17] Such capabilities should be able to mitigate safety risks to vehicle occupants and surrounding road users when a cyber-attack is detected and transition the vehicle to a minimal risk condition, as appropriate for the identified risk.

 

• Data, Documentation, Information Sharing 
  • [G.18] Manufacturers should collect information on potential attacks, and this information should be analyzed and shared with industry through the Auto-ISAC and other sharing mechanisms.
  • [G.19] Manufacturers should fully document any actions, design choices, analyses, supporting evidence, and changes related to its management of vehicle cybersecurity.
  • [G.20] All related work products should be traceable within a robust document version control system.

 

• Continuous Risk Monitoring and Assessment 
  • [G.21] Companies should use a systematic and ongoing process to periodically re-evaluate risks and make appropriate updates to processes and designs due to changes in the vehicle cybersecurity landscape, as appropriate.
  • Software development should adhere to best practices for security, such as those outlined in NIST publications and ISO/SAE 21434.34.

 

• Event Logs
  • Data produced by connected services and in-vehicle networks can help detect unauthorized access to vehicle computing resources.
  • [T.12] A log of events sufficient to reveal the nature of a cybersecurity attack or successful breach and support event reconstruction should be created and maintained.
  • [T.13] Such logs that can be aggregated across vehicles should be periodically reviewed to assess potential trends of cyber-attacks.

 

• Sensor Vulnerability Risks
• • Vehicle sensor data manipulation is an emerging area of cybersecurity. Manufacturers should consider that sensor signal manipulation can affect vehicle systems and their behavior in addition to traditional software/firmware modifications.
  • [G.6] Manufacturers should consider the risks associated with sensor vulnerabilities and potential sensor signal manipulation efforts such as GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.
  • The updated guidelines emphasize the connection between cybersecurity and safety, making it clear that as the automotive industry becomes more connected, safety engineers and security stakeholders should also consider the ability of adversaries to manipulate signals. The importance of being able to parse legitimate and fake signals is important and should be a high priority, as safety engineering is critical to the automotive industry.

 

In previous drafts, NHTSA recommended maintaining an event log containing information on attacks and breaches to support event reconstruction. In this new version, NHTSA expands the score and suggests that data produced by in-vehicle networks and other connected services can be used to detect threats and attacks on vehicle computing resources. Automotive security stakeholders can also use this data and the maintained records to assess potential threats and point to cyber-attack trends, allowing the industry to provide improved security and safety.

The latest recommendation from NHTSA is inspired by ISO-SAE 21434 in structure and process, but also affected by UNECE WP.29 R155 in tackling practical and remote attacks.

In the guidelines, NHTSA emphasizes the importance of collaboration to ensure security and safety suggesting participation in Auto-ISAC as a means of effective information sharing across the industry. Upstream is a proponent of this, as a collaborative member in the community we maintain the Upstream AutoThreat Intelligence Cyber Incident Repository and share deep insights in our annual report. Upstream is also a proud partner and sponsor of Auto-ISAC as well as ASRG, where industry knowledge sharing and the development of cyber security best practices takes shape.

As attacks are becoming more frequent, regulatory bodies are now able to provide examples that transcend theory. Though the document does not have the force and effect of law and is not a regulation, it contains important best practices that will influence the industry going forward.