NHTSA “Levels Up” its Cybersecurity Best Practices
Earlier this month, NHTSA released its “Cybersecurity Best Practices for the Safety of Modern Vehicles.” This new release updates NHTSA’s original best practices, published in 2016, which were intended to provide NHTSA’s “non-binding guidance to the automotive industry for improving motor vehicle cybersecurity.” Likewise, the 2022 version is “non-binding and voluntary,” with NHTSA encouraging “vehicle and equipment manufacturers to review th[e] guidance to determine whether and, if so, how to apply this guidance to their unique systems.”
Yet even a cursory comparison of the two documents reveals substantial and substantive improvements in the 2022 version, reflecting advancements across the industry and the explosion of connectivity in just over five years. As NHTSA noted in its publication notice, “[c]omments to the 2016 guidance tended to be general and higher-level (i.e., bigger-picture). In contrast, comments received in response to the Draft Best Practices focused on discrete issues important to commenters. This evolution is also likely due to the introduction of vehicle-specific cybersecurity standards and best practices in the automotive sector.”
Notable updates include:
The scope of the guidance has been expanded to cover cybersecurity issues for both motor vehicles and motor vehicle equipment, including software, and to extend specifically to “small and large volume” industry participants.
General cybersecurity guidance is provided along with technical guidance.
For example, within the “general” guidance, NHTSA addresses “Sensor Vulnerability Risks” associated with the “potential manipulation of vehicle sensor data,” and recommends that manufacturers “consider the risks associated with sensor vulnerabilities and potential sensor signal manipulation efforts such as GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.”
Within the “technical” guidance, NHTSA outlines “protection techniques,” including two separate sections directed at software updates/modifications and over-the-air software updates.
The guidance includes provisions specifically directed at right to repair, including a stand-alone section on “Serviceability” that cautions “cybersecurity should not become a reason to justify limiting serviceability.” (Wonder why we care about right to repair? Read more here.)
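To make the over-the-air update protections concrete, the following is an added illustration written for this post; it is not text from the NHTSA guidance and not any automaker's code. It assumes a design in which the backend signs a small JSON manifest (target ECU, monotonic version, SHA-256 of the image) with an Ed25519 key, and the vehicle holds only the public key and its installed version. The ECU names "bcm" and "tcu", the version numbers, and the firmware bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update package. The signature
// covers this structure, and the structure commits to the payload by digest,
// so a valid signature transitively authenticates the image bytes.
type Manifest struct {
	ECU           string `json:"ecu"`            // target controller (assumed name, e.g. "bcm")
	Version       uint64 `json:"version"`        // monotonic; enforces anti-rollback
	PayloadSHA256 string `json:"payload_sha256"` // hex SHA-256 of the image
}

// SignedUpdate is what the backend ships and the vehicle receives.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte // Ed25519 over the canonical manifest JSON
	Payload   []byte // firmware image
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongECU     = errors.New("manifest targets a different ECU")
	ErrRollback     = errors.New("update version not newer than installed version")
	ErrBadDigest    = errors.New("payload digest does not match manifest")
)

// manifestBytes is the canonical encoding that is signed and verified.
// json.Marshal of a struct is deterministic (field order, no whitespace).
func manifestBytes(m Manifest) []byte {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err) // only reachable for unencodable types; not the case here
	}
	return b
}

// SignUpdate runs on the backend, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, ecu string, version uint64, payload []byte) SignedUpdate {
	sum := sha256.Sum256(payload)
	m := Manifest{ECU: ecu, Version: version, PayloadSHA256: hex.EncodeToString(sum[:])}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, manifestBytes(m)), Payload: payload}
}

// VerifyUpdate runs on the vehicle, which holds only the public key and the
// installed version. Checks are ordered so that nothing derived from
// unauthenticated data is trusted before the signature has been verified.
func VerifyUpdate(pub ed25519.PublicKey, ecu string, installed uint64, u SignedUpdate) error {
	if !ed25519.Verify(pub, manifestBytes(u.Manifest), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.ECU != ecu {
		return ErrWrongECU
	}
	if u.Manifest.Version <= installed {
		return ErrRollback // a validly signed but older image must still be refused
	}
	sum := sha256.Sum256(u.Payload)
	want, err := hex.DecodeString(u.Manifest.PayloadSHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrBadDigest
	}
	return nil
}

// Scenarios holds the verifier's verdict for each constructed case.
type Scenarios struct {
	Valid, Tampered, Rollback, WrongKey, WrongECU error
}

// RunScenarios exercises the verifier against constructed inputs (not real
// firmware): a good update, an image altered in transit, a replayed older
// version, a package signed by an unknown key, and a package for another ECU.
func RunScenarios() Scenarios {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v42")
	const installed = 41

	var s Scenarios
	s.Valid = VerifyUpdate(pub, "bcm", installed, SignUpdate(priv, "bcm", 42, image))

	tampered := SignUpdate(priv, "bcm", 42, image)
	tampered.Payload = append([]byte(nil), image...)
	tampered.Payload[0] ^= 0x01 // one flipped bit in the image; manifest untouched
	s.Tampered = VerifyUpdate(pub, "bcm", installed, tampered)

	s.Rollback = VerifyUpdate(pub, "bcm", installed, SignUpdate(priv, "bcm", 40, image))
	s.WrongKey = VerifyUpdate(pub, "bcm", installed, SignUpdate(otherPriv, "bcm", 42, image))
	s.WrongECU = VerifyUpdate(pub, "bcm", installed, SignUpdate(priv, "tcu", 42, image))
	return s
}

func main() {
	s := RunScenarios()
	fmt.Println("valid:   ", s.Valid)
	fmt.Println("tampered:", s.Tampered)
	fmt.Println("rollback:", s.Rollback)
	fmt.Println("wrongkey:", s.WrongKey)
	fmt.Println("wrongecu:", s.WrongECU)
}
```

The ordering matters: the signature is checked before the version or digest, so a device never acts on a manifest it has not authenticated, and the version comparison uses the installed version as the floor so that a validly signed older image cannot be replayed to reintroduce a patched defect.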
In releasing the new guidance, outgoing NHTSA Administrator Steven Cliff commented, “As vehicle technology and connectivity develop, cybersecurity needs to be a top priority for every automaker, developer, and operator. NHTSA is committed to the safety of vehicles on our nation’s roads, and these updated best practices will provide the industry with important tools to protect Americans against cybersecurity risks.”
While we have not completed an exhaustive survey, at least several major automakers appear to be following the guidance and openly prioritizing cybersecurity. In the wake of the new guidance, Ford publicized its efforts to respond to cybersecurity threats, highlighting a joint venture with ADT for vehicle security and several recently filed patents for vehicle security systems. For its part, GM has partnered with the U.S. Army to improve cybersecurity, and has “developed a new electronic architecture dubbed GM Global B” to improve cybersecurity in its vehicles.
Copyright Nelson Niehaus LLC
The opinions expressed in this blog are those of the author(s) and do not necessarily reflect the views of the Firm, its clients, or any of its or their respective affiliates. This blog post is for general information purposes and is not intended to be and should not be taken as legal advice.