The National Highway Traffic Safety Administration (NHTSA) unveiled new guidelines on Monday to help automakers respond to the threat of cyberattacks, as the administration braces for a world of connected and automated vehicles.
NHSTA already asked automakers to consider cybersecurity in a 15-point safety assessment that was tucked into recently released federal guidelines for self-driving cars.
But the best practices issued Monday go into further detail about how automakers should work to prevent cyber-attacks and unauthorized access to automobiles.
"Cybersecurity is a safety issue, and a top priority at the Department," said Transportation Secretary Anthony FoxxAnthony Renard FoxxBusiness, labor groups teaming in high-speed rail push Hillicon Valley: Uber, Lyft agree to take California labor win nationwide | Zoom to implement new security program along with FTC | Virgin Hyperloop completes first test ride with passengers Uber, Lyft eager to take California labor win nationwide MORE. "Our intention with today's guidance is to provide best practices to help protect against breaches and other security failures.”
Most modern vehicles have software interfaces that connect to an external network, which can be exploited either directly or remotely to take over critical safety functions like breaking and steering.
Such attacks remain difficult to carry out and have only been reported in a research setting, but that hasn’t stopped safety advocates from hoisting a red flag about the issue as more companies work to build driverless cars.
NHTSA is calling for a “layered approach” and urging the auto industry to make cybersecurity a top leadership priority.
The guidelines suggest that companies consider cybersecurity vulnerabilities during the development process; limit the exposure of critical safety systems and personal data to attacks; build in methods to facilitate rapid recovery from attacks; and conduct extensive cybersecurity testing.
The agency also wants automakers to conduct employee training to educate the entire workforce about new cybersecurity practices, as well as share any lessons with others in the industry.
"In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient," said NHTSA Administrator Mark Rosekind. "Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys."
NHTSA is now soliciting public comments on the proposed guidance for 30 days.
Sen. Gary Peters (D-Mich.), co-founder of the Senate Smart Transportation Caucus, said that connected and automated vehicles can save lives, but acknowledged that “there are also challenges that must be overcome to ensure these technologies reach their full potential.”
“With the automation and computerization of these modern vehicles, cybersecurity must be a top priority for everyone,” Peters said in a statement. “Robust security will ensure our cars operate as intended, and protect us from the potential damage of cyber threats and unpatched vulnerabilities.”