On Monday, October 24, 2016, the Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) issued proposed cybersecurity guidance to the auto industry, including auto manufacturers and designers and manufacturers of vehicle systems and software, designed to assist the industry in developing best practices to safeguard vehicles’ systems against cyber-attacks and to protect the data collected in automobiles.
The guidance is voluntary and non-binding. It recommends that companies involved in the manufacture of vehicles, systems and software implement a layered approach to protect vehicles against potential attacks and “to ensure vehicle systems take appropriate and safe actions.”
The recommendations follow the National Institute of Standards and Technology (NIST) cybersecurity framework for developing and implementing cybersecurity protocols to protect vehicles. Measures include performing a security risk assessment, protecting critical systems that are important to the safe operation of the vehicle, protecting personal information that may be collected by the vehicle (through GPS, Bluetooth or smartphone connections), being able to detect hacking or cyber-attacks, having mechanisms in place to recover from a cyber-attack, and having a documented (and I would add tested) incident response plan that assigns a team, not a single individual.
The guidance also discusses how auto manufacturers can share cyber intrusion information and lessons learned with each other.
Finally, the guidance suggests that the auto industry self-audit its progress and implement employee training so that the workforce is aware of and follows the cybersecurity practices of the organization.
These recommendations are similar to those issued for other industries, and auto manufacturers, as well as manufacturers of vehicle systems and software, may wish to consider implementing the best practices provided by NHTSA.