US government updates cybersecurity recommendations for vehicles
The National Highway Traffic Safety Administration has published cybersecurity recommendations for modern and connected vehicles after a six-year hiatus.
This article was originally featured on The Drive.
When most people think of the auto industry, their minds probably won’t immediately jump to cybersecurity. After all, a two-ton steel box on wheels doesn’t exactly scream “computer.” But as vehicles become more connected with centralized systems, each other, and the outside world, it becomes clear that cybersecurity is more relevant for the cars of today than ever before.
On Wednesday, the National Highway Traffic Safety Administration published a set of best practices for automakers to follow when building new vehicles and the software stacks that underpin them. The document, which was first published in the Federal Register last year, is an update to the agency’s 2016 guidance and focuses heavily on interconnected vehicles and their respective safety systems.NHTSA-Cybersecurity-Best-Practices-2022
Perhaps one of the most crucial areas that the NHTSA is focusing on involves vehicle sensors. The agency calls out sensor tampering as an emerging area of concern related to vehicle cybersecurity and notes that the potential to manipulate sensor data could result in a risk to safety-critical systems. The areas that the NHTSA calls for automakers to protect against are Lidar and radar jamming, GPS spoofing, road sign modification, camera blinding, and the excitation of machine learning false positives.
Vehicles with over-the-air (OTA) update capabilities are also on the NHTSA’s radar. Specifically, the agency says that the automaker should maintain not just the integrity of crucial vehicle updates, but also the underlying servers that host the OTA updates, as well as the transmission mechanism between the vehicle and the servers, as well as the updating process that takes place on the vehicle. Further, the NHTSA urges automakers to consider general cybersecurity concerns, such as insider threats, man-in-the-middle attacks, protocol vulnerabilities, and compromised servers.
Both vehicles that can be remotely updated and those that can’t are also encouraged to harden access to vehicle firmware to help thwart cybersecurity-related concerns. Many automakers are doing this today by encrypting the ECU firmware, though this can sometimes be defeated with a bench flash. The NHTSA asks automakers to “employ state-of-the-art techniques” to prevent this. What that could mean for the aftermarket scene, however, is unknown but unlikely to be good news for those looking to tune their car.
Lastly, not everything that the NHTSA included in the document is cutting-edge. In fact, the vast majority of recommendations revolve around the NIST security framework or were simply rehashed from the 2016 guide and still hold value today.
One key component that was pulled forward from the 2016 best practices involves aftermarket devices. NHTSA reminds aftermarket manufacturers that while their devices may not seem like they could impact safety-of-life systems, they should still be designed with such considerations in mind and should also undergo the same kind of security vetting as vehicles themselves. Seemingly harmless devices, such as insurance dongles and telematics collection devices, could be used as a proxy for other attacks. Because of this, NHTSA recommends sending critical safety signals separate from general CAN Bus traffic. For example, isolating messages sent to traction control actuators that control the physical braking function in order to prevent replay and spoofing attacks.
Vehicle serviceability is another item pulled forward from the last iteration of the best practices. The NHTSA says that cybersecurity protections should not unduly restrict access to third-party repair services, an argument that industry trade groups used during a recent right-to-repair fight in Massachusetts. According to a court filing, the trade group argued that automakers would need to “render inoperative cybersecurity design elements” installed on vehicles in order to meet the right-to-repair requirements passed by voters. Should the industry have followed NHTSA’s 2016 (and now 2022) guidelines, this may have not been a big issue.
Despite all of these recommendations, it’s ultimately up to the automaker to follow them. The NHTSA simply conveys these voluntary guidances for automakers to improve their own cybersecurity maturity based on their level of accepted risk. However, this type of guidance is needed in a rapidly growing industry like connected cars. The attack surfaces of today might represent a fraction of what the industry sees tomorrow, and without some regulatory body pointing in the right direction, could be much more damning than just unlocking doors.