Reminder: NHTSA Updated Cybersecurity Best Practices—Comments Due by March 15, 2021

The National Highway Traffic Safety Administration (NHTSA) has invited, by March 15, 2021, public comments on NHTSA’s draft updated Cybersecurity Best Practices for the Safety of Modern Vehicles. NHTSA published the first version of the Cybersecurity Best Practices in 2016, and the current draft reflects revisions in light of previous public comments as well as security research, evolving cybersecurity practices, and industry developments.

The updated Cybersecurity Best Practices emphasize standards issued by cybersecurity and industry groups, including SAE International, the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and the Automotive Information Sharing and Analysis Center (Auto-ISAC). The draft is centered around five key areas (1) general cybersecurity best practices, (2) education, (3) aftermarket / user-owned devices, (4) serviceability, and (5) technical vehicle cybersecurity best practices. Some areas discussed in the updated guidance include:

• Data, Documentation, Information Sharing — Companies should collect information on potential attacks, and this information should be analyzed and shared with industry, such as through the Auto-ISAC. Companies should fully document design choices, analyses, evidence, and changes related to cybersecurity.
• Security Vulnerability Reporting Program — The Department of Homeland Security has issued a directive requiring federal departments and agencies to develop a vulnerability disclosure policy as part of federal cybersecurity efforts. NHTSA’s updated cyber guidance calls for automotive industry members to create their own vulnerability reporting policies and mechanisms to facilitate by identification of vulnerabilities by external cybersecurity researchers.
• Increased Penetration Testing and Documentation of Supply Chain Risks — NHTSA’s updated cyber guidance builds on general recommendations in its 2016 guidance to consider extensive product cybersecurity testing. The updated guidance specifically calls for cybersecurity expectations to be specified and communicated to suppliers, for the evaluation of all commercial off-the-shelf and open-source software components, and for a vulnerability analysis to be generated and maintained for each vulnerability identified during cybersecurity testing.
• Sensor Vulnerability Risks — NHTSA’s updated guidance proposes a best practice that focuses on threats to sensors, an emerging area of focus for automated vehicles. NHTSA acknowledges that these concerns differ from traditional software manipulation-based cyber issues, and highlights GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.
• Third-Party Devices — NHTSA also addresses third-party devices that may connect to a vehicle’s systems. The updated guidance suggests that devices such as mobile phones and insurance dongles should be authenticated, and their access limited appropriately.
• Technical Vehicle Cybersecurity Best Practices — In addition to the policy-based guidance, NHTSA lays out certain technical principles that NHTSA labels as “fundamental protection techniques,” spanning topics such as developer-level access, cryptographic credentials, vulnerability in diagnostics, event logs, software updates (including over-the-air updates), internal vehicle communications, and wireless functionality (including wireless interfaces, segmentation and isolation, network ports and protocols, and communications to back-end servers).

Companies throughout the vehicle supply chain, as well cybersecurity professionals, may be interested in commenting, especially as NHTSA makes more specific recommendations about cybersecurity best practices that are unique to the automotive industry. Written comments are due by March 15, 2021, although NHTSA also will endeavor to consider later comments. If you have questions about the NHTSA Cybersecurity Best Practices or any other issues related to vehicle cybersecurity, or would like to submit a comment to NHTSA in response to these proposals, O’Melveny attorneys are available to assist you.