Security best practices
In 2016 the U.S. Government Accountability Office (GAO) issued a report on vehicle cybersecurity recommendations. It found that current technologies leave vehicle systems vulnerable to cyber attacks. Those problems have been exacerbated by a lack of transparency, communication and collaboration when it comes to cybersecurity across the auto supply chain.
The auto industry is taking steps to improve security. The Automotive Information Sharing and Analysis Center (Auto-ISAC), for example, was formed to collect and analyze threat data. A large number of vehicle and equipment manufacturers are ISAC participants, and NHTSA sees ISAC as a key part of having a rapid response system in place to address vehicle cyber attacks. Auto-ISAC has issued a best practices document that encourages the use of established cybersecurity guidelines in automotive design, including NIST SP 800-61, NIST SP 800–150, and ISO/IEC 27010.
NHTSA also has taken steps to address cybersecurity, but its role is still unclear – particularly now that there has been a change in administrations and the new head of NHTSA has yet to be identified. The agency did not plan to make a determination on the need for new government standards or regulations until 2018.
There have already been proposals for new regulations, though. In 2015, Senators Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) proposed legislation that would require NHTSA and the Federal Trade Commission to establish federal standards for vehicle data security and privacy in the wake of several well-publicized incidents of vehicle safety and security vulnerabilities. Those included research demonstrations that showed hackers could remotely control vehicle systems (including car stereos, windshield wipers, and brakes) while the car was in motion. Those tests led Chrysler to recall 1.4 million vehicles.
Current security approaches vary by company. Among the key practices identified by the GAO are:
• Conducting risk assessments
• Incorporating security-by-design principles
• Creating domain separation for in-vehicle networks
• Implementing a layered approach to security
• Conducting penetration testing
• Conducting code reviews
• Developing over-the-air update capabilities
For aftermarket telematics providers, there also are some good best practices. Plug-in devices should minimize the amount of data held within the device itself. The device should also initiate all communication (it shouldn’t accept any communications from outside sources).