Reminder: NHTSA Updated Cybersecurity Best Practices—Comments Due by March 15, 2021
March 8, 2021
The National Highway Traffic Safety Administration (NHTSA) has invited, by March 15, 2021, public comments on NHTSA’s draft updated Cybersecurity Best Practices for the Safety of Modern Vehicles. NHTSA published the first version of the Cybersecurity Best Practices in 2016, and the current draft reflects revisions in light of previous public comments as well as security research, evolving cybersecurity practices, and industry developments.
The updated Cybersecurity Best Practices emphasize standards issued by cybersecurity and industry groups, including SAE International, the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Automotive Information Sharing and Analysis Center (Auto-ISAC). The draft is centered around five key areas: (1) general cybersecurity best practices, (2) education, (3) aftermarket / user-owned devices, (4) serviceability, and (5) technical vehicle cybersecurity best practices. Some areas discussed in the updated guidance include:
- Data, Documentation, Information Sharing — Companies should collect information on potential attacks, and this information should be analyzed and shared with industry, such as through the Auto-ISAC. Companies should fully document design choices, analyses, evidence, and changes related to cybersecurity.
- Security Vulnerability Reporting Program — The Department of Homeland Security has issued a directive requiring federal departments and agencies to develop a vulnerability disclosure policy as part of federal cybersecurity efforts. NHTSA’s updated cyber guidance calls for automotive industry members to create their own vulnerability reporting policies and mechanisms to facilitate the identification of vulnerabilities by external cybersecurity researchers.
- Increased Penetration Testing and Documentation of Supply Chain Risks — NHTSA’s updated cyber guidance builds on general recommendations in its 2016 guidance to consider extensive product cybersecurity testing. The updated guidance specifically calls for cybersecurity expectations to be specified and communicated to suppliers, for the evaluation of all commercial off-the-shelf and open-source software components, and for a vulnerability analysis to be generated and maintained for each vulnerability identified during cybersecurity testing.
- Sensor Vulnerability Risks — NHTSA’s updated guidance proposes a best practice that focuses on threats to sensors, an emerging area of focus for automated vehicles. NHTSA acknowledges that these concerns differ from traditional software manipulation-based cyber issues, and highlights GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.
- Third-Party Devices — NHTSA also addresses third-party devices that may connect to a vehicle’s systems. The updated guidance suggests that devices such as mobile phones and insurance dongles should be authenticated, and their access limited appropriately.
- Technical Vehicle Cybersecurity Best Practices — In addition to the policy-based guidance, NHTSA lays out certain technical principles that NHTSA labels as “fundamental protection techniques,” spanning topics such as developer-level access, cryptographic credentials, vulnerability in diagnostics, event logs, software updates (including over-the-air updates), internal vehicle communications, and wireless functionality (including wireless interfaces, segmentation and isolation, network ports and protocols, and communications to back-end servers).
Companies throughout the vehicle supply chain, as well as cybersecurity professionals, may be interested in commenting, especially as NHTSA makes more specific recommendations about cybersecurity best practices that are unique to the automotive industry. Written comments are due by March 15, 2021, although NHTSA also will endeavor to consider later comments. If you have questions about the NHTSA Cybersecurity Best Practices or any other issues related to vehicle cybersecurity, or would like to submit a comment to NHTSA in response to these proposals, O’Melveny attorneys are available to assist you.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Melody Drummond Hansen, an O’Melveny Partner licensed to practice law in California, the District of Columbia, and Illinois, John Dermody, an O’Melveny Counsel licensed to practice law in California and the District of Columbia, and Jason Orr, an O’Melveny Counsel licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.