The National Highway Traffic Safety Administration (NHTSA), an agency of the U.S. federal government and part of the Department of Transportation, released an update of its “Best Practices for the Safety of Modern Vehicles” just a month ago. The document was originally released in 2016.

The updated document builds upon almost six years of agency research and findings from NHTSA’s own cybersecurity research, including over-the-air updates, formal verification, and static code analysis. Emerging voluntary industry standards such as ISO/SAE DIS 21434 – “Road Vehicles – Cybersecurity Engineering”, as well as industry best practice documents developed by members of Auto-ISAC, have also been considered in the development of the document.

The updated 2022 Best Practices separates its recommendations into 45 general best practices and 23 technical best practices, along with updated and new recommendations for categories such as secure software development, electronic control unit (ECU) security, external data ports, and securing diagnostic tools.

The guidance still (strongly) suggests that members of the automotive industry share information on potential attacks with each other through Auto-ISAC, but also through other sharing mechanisms, such as US-CERT at CISA.

With this update, NHTSA intends to remind vehicle manufacturers to continue to make vehicle and industry cybersecurity a priority, and to stay informed regarding the best practices to prevent unreasonable and foreseeable cybersecurity risks.

An interesting piece of guidance in the 2022 Best Practices is that NHTSA recommends that the automotive industry strike a balance between the need for cybersecurity and the “third party serviceability” of new vehicles, thereby addressing the data access question that has been heavily debated in the “right to repair” movement.

The updated “Best Practices for the Safety of Modern Vehicles” document can be found here.

Other related automotive cybersecurity news
Software-defined vehicle (SDV) – An alternative approach to meet the global semiconductor chips shortage for the automotive industry?

An article by Connor Ivens, a security researcher at Tanium, on his experience participating in DEF CON’s hacking challenge on how to attack automotive systems.

Written by Joakim Rosell