With the prevalence and increasing severity of cyber-attacks, and in the wake of the recent, massive denial of service attack on Dyn, there is a growing public awareness of the potential risks associated with security breaches of connected devices, including unsecured electronic systems in motor vehicles. Last year, cybersecurity researchers remotely disabled a car while it was being driven on a freeway. The vulnerability they discovered allowed them access to the car's transmission and braking systems, and resolution required the recall of about 1.4 million cars.1
As modern cars and trucks evolve into computers on wheels, and particularly with semi-autonomous vehicle functionality becoming more common and with completely autonomous vehicles on the horizon, the U.S. Department of Transportation's National Highway Traffic Safety Administration ("NHTSA") appears to be shifting its focus to cybersecurity. On Monday, October 24, 2016, NHTSA released its Cybersecurity Best Practices for Modern Vehicles,2 aimed at providing guidance on preventing and withstanding cybersecurity attacks to companies that design and manufacture vehicle systems and their related software. Through these guidelines, NHTSA is engaging the automotive community in a discussion on the new challenges to vehicle safety and encouraging the development and implementation of modern and standardized safety practices.
The guidelines suggest that vehicle designers and manufacturers adopt a "layered approach" to security, meaning that a comprehensive security plan should involve front-end protections against attacks as well as back-end mitigation once an attack has occurred. The guidelines recommend that vehicle designers and manufacturers:
- implement a triage process for classifying risks based on (i) how critical the risk is to the physical safety of vehicle occupants and the public and (ii) whether any personally identifiable information may be compromised as a result of any breach;
- detect and respond to security incidents in a timely fashion;
- incorporate design features in the vehicles that will assist with mitigating damage from such incidents; and
- create a plan to share incident information and lessons learned with their industry peers and competitors.
Viewing these guidelines from a 'tech-world' perspective, where most companies have expansive IT security and data privacy protocols in place, these guidelines may seem a little basic, but the rapid transformation of this industry from yesterday's 'heavy machinery' to tomorrow's 'cutting-edge, software-heavy, look-Ma-no-hands (literally)' model has left the accompanying safety landscape in the dust. At these breakneck speeds, safety regulation is just trying to keep up, and the challenge is to encourage sound practices to build public trust and adequately monitor adoption of new technologies while not stifling the technological breakthroughs that are causing the industry to evolve so quickly. These guidelines demonstrate regulators' proactive attitude toward improving safety and are an important step in the right direction.