The United States Government Has Updated Automotive Cybersecurity Advice

automotive cybersecurity
Share on linkedin
Share on facebook
Share on twitter
Share on reddit

Cybersecurity isn’t the first thing that comes to mind when most people think of the automotive business. A two-ton steel box on wheels doesn’t exactly scream “computer,” but as cars grow increasingly interconnected with the rest of the world and with each other, it’s evident that cybersecurity is more important than ever before for modern automobiles.

The National Highway Traffic Safety Administration released guidelines for the development of new automobiles and their underlying software stacks on Wednesday. This paper is an update to the agency’s 2016 guidelines and places a heavy emphasis on connected cars and their related safety systems. It was initially published in the Federal Register last year.

The NHTSA sees improvements to car sensors as one of their top priorities. The government agency singles out sensor tampering as a developing area of vehicle cybersecurity concern, noting that the ability to modify sensor data might pose a danger to safety-critical systems. The NHTSA recommends that car manufacturers take precautions against Lidar and radar jamming, GPS spoofing, tampering with traffic signs, camera blindness, and the stimulation of machine learning false positives.

The NHTSA is also looking at vehicles that may get software updates wirelessly. The government has demanded that the manufacturer ensure the security of not just the most important upgrades for the vehicles themselves, but also the servers that house the OTA updates, the method by which the updates are sent from the servers to the vehicles, and the updating process itself. The NHTSA also that manufacturers think about outside cybersecurity dangers such insider threats, man-in-the-middle attacks, protocol weaknesses, and hacked servers.

Full PDF of Cybersecurity For Modern Vehicles

Hardening access to car firmware may help fend off cybersecurity risks for both remotely updatable and unupdatable vehicles. Many car companies currently achieve this by locking down the ECU firmware with encryption, however this may occasionally be bypassed with a bench flash. Automakers, according the NHTSA’s request, are urged to “use state-of-the-art procedures” to avoid this. While the potential effects on the aftermarket are unclear, they are likely to be bad news for auto tuners.

The NHTSA’s inclusion of less-than-revolutionary material is the last caveat. Most suggestions are either based on the NIST security framework or are recycled from the 2016 handbook, both of which are still relevant today.

Among the 2016 best practises that were carried over, aftermarket devices stand out as an essential component. Even if it doesn’t appear like an aftermarket gadget may affect safety-of-life systems, NHTSA says it should be developed with that in mind and go through the same security screening as the car. Unassuming gadgets like insurance dongles and telemetry collecting devices may be exploited as proxies in more sinister assaults. As a result, the National Highway Traffic Safety Administration suggests isolating vital safety signals from the rest of the CAN Bus’s data. Isolating signals delivered to traction control actuators, which regulate the actual braking function, is one way to thwart replay and spoofing attacks.

Another aspect of the previous set of recommendations that has been carried over is the need of keeping vehicles in good working condition. During the recent right-to-repair battle in Massachusetts, industry trade organisations cited a statement from the NHTSA stating that cybersecurity safeguards should not unnecessarily limit access to third-party repair services. It was stated in a court filing by the industry association that in order for manufacturers to comply with the right-to-repair provisions approved by voters, they would have to “render inoperative cybersecurity design components” placed un automobiles. This may not have been such a significant deal if the industry had followed the NHTSA’s 2016 (and now 2022) requirements.

The onus of implementing these suggestions remains on the carmaker, though. The NHTSA just disseminates these optional recommendations to manufacturers so that they may raise their own cybersecurity maturity in accordance with their tolerance for risk. Yet, in a quickly developing field like linked automobiles, this sort of direction is essential. Without a regulating agency to show the way, the consequences of future attack surfaces might be much worse than just opening doors, and the attack surfaces of today may only be a fraction of what the industry sees in the future.

Share This Article:

Share on linkedin
Share on facebook
Share on twitter
Share on reddit

Related Posts