NHTSA Cyber ‘Best Practices’ Do Not Make Perfect

March 15, 2021
For Immediate Release
Contact: Jason Levine, [email protected]

NHTSA Cyber ‘Best Practices’ Do Not Make Perfect

Today, the Center for Auto Safety submitted a response to the National Highway Traffic Safety Administration’s request for comments to NHTSA’s “Cybersecurity Best Practices for the Safety of Modern Vehicles,” (NHTSA 2020 Cyber Practices).

In 2016, NHTSA requested comments on voluntary cyber best practices. Five years later, rather than simply asking for additional comments, steps must be taken to ensure that the federal government has the methods and means in place to prevent and respond to vehicle cyberattacks on motor vehicles. To enable developers to achieve vehicle cybersecurity, NHTSA should continue to research and make available to developers validated best practices to support their designs and potentially vehicle maintenance.

The NHTSA 2020 Cyber Practices of selected purported “best practices” contains voluntary standard documents written by several automotive standard setting organizations. It is far from clear, however, that it is a sufficiently comprehensive source for developers that has evaluated all potential applicable sourced and vetted asserted ‘best practices’ for practicality and efficacy.
NHTSA has yet to provide minimum cybersecurity performance requirements for automakers and suppliers to enable validation of design approaches that assure long-term cybersecurity effectiveness and vehicle safety throughout a connected vehicle’s life cycle.

It may never be possible to implement 100% effective prophylactic cybersecurity measures, thus NHTSA should endeavor to promote full life cycle vehicle cybersecurity. In order to assure sufficient information for post-incident forensic analysis and the ability to share lessons learned with the entire connected vehicle community, including the public, a robust data set will be required. NHTSA should mandate that vehicle software, logic-bearing devices, sensors, and data processing equipment configuration are embedded in vehicle data records in the event of a successful attack causing a life-threatening or deadly incident.

NHTSA should be determining the needed scope and means of cyber testing to enhance public safety and seeing that the auto industry is enabled to realistically validate their cybersecurity designs, that capabilities have been validated, and that validation results are available to the public. The results of cybersecurity testing and validation should be incorporated into the information available to consumers to assist their evaluation of various modern vehicle offerings.

The argument that such NHTSA capabilities do not currently exist does not absolve NHTSA of its legal duty to act in the face of clear threats to vehicular safety. The need to address connected vehicle cybersecurity is new and NHTSA’s response to that need must also be entirely new.

NHTSA has failed to lead the way for connected vehicle cybersecurity, and the NHTSA 2020 Cyber Practices does not remediate this failure. On behalf of all drivers, passengers, or pedestrians sharing the road with a connected car today, or a self-driving car in the future, NHTSA must take a more complete look at vehicle cybersecurity. NHTSA’s goal should be to turn the included best practices (and others) into effective tools to prevent and mitigate vehicle cyberintrusions, thereby enhancing the safety of everyone interacting with connected vehicles.



Click here to view the CAS Comment