NHTSA publishes cybersecurity best practices

Dec. 28, 2016
The new Cybersecurity Best Practices for Modern Vehicles is advisory, and makes a glancing reference to the aftermarket, stating what probably is obvious.

Hot on the heels of its draft guidance on self-driving cars, the National Highway Traffic Safety Administration (NHTSA) followed up with new guidance on cybersecurity and autos.

The two guidances have much in common. One of the elements of the self-driving cars guidance had to do with cybersecurity. Now this new cybersecurity guidance provides some additional thoughts.

The new Cybersecurity Best Practices for Modern Vehicles is advisory, too. And as with self-driving cars, no federal motor vehicle safety standard (FMVSS) is anticipated. NHTSA simply mentions some voluntary industry standards and best practices either already adopted or in the process of being developed, and voices the hope that auto manufacturers and suppliers will heed those.

The Best Practices makes a glancing reference to the aftermarket, stating what probably is the obvious: "The automotive industry should consider that consumers may bring aftermarket devices (e.g., insurance dongles) and personal equipment (e.g., cell phones) onto cars and connect them with vehicle systems through the interfaces that manufacturers provide (Bluetooth, USB, OBD-II port, etc.). The automotive industry should consider the incremental risks that could be presented by these devices and provide reasonable protections."

The guidance lists a number of relevant industry standards and best practices, including those published by the Automotive Information Sharing and Analysis Center (Auto ISAC), the National Institute of Standards and Technology’s Cybersecurity Framework, the ISO 27000 series standards, the Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense (CIS CSC), and SAE J3061: Recommended Best Practice, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems.

Tim Weisenberger, ground vehicle project specialist – Technical Programs, SAE International, points out that J3061 is the only voluntary standard that addresses cybersecurity processes in autos exclusively. "That is probably where the auto industry needs to look to get the most targeted information," he says.

He notes that J3061 is informative, not normative, and helps the manufacturer or supplier bake cybersecurity processes like threat analysis and risk assessment into their product development lifecycle. "Technologies are a snapshot in time," he adds. "As technologies change, cybersecurity threats will change and these processes allow the industry to adapt."

He noted that J3061, published in January 2016, immediately went into revision to add more guidance in the areas of hardware security, cybersecurity integrity levels and assurance testing.

Auto companies and suppliers may or may not be using J3061, which in its current form apparently has limitations. That is true, too, of the Auto ISAC's cybersecurity best practices published in July 2016. The Best Practices, according to the executive summary on the Auto ISAC website, are only available to members of that group. So whatever their benefit, they are not available to non-members.

The Motor & Equipment Manufacturers Association (MEMA) joined the Auto ISAC a few months ago. So it was not on board when the best practices were developed and published in July. One has to wonder, however, whether access to those best practices matters, because the Auto ISAC says: "The Best Practices are not intended to, nor should be interpreted to, obligate individual members of the Auto-ISAC, Auto Alliance, or Global Automakers to take specific action or measures. Each automaker has unique needs and capabilities with respect to cybersecurity." So even if you are an auto manufacturer or supplier with access to the best practices, you may ignore them if it suits your needs.

The only thing an automaker cannot ignore is the possibility of a NHTSA recall. The National Traffic and Motor Vehicle Safety Act requires that systems are designed free of unreasonable risks to motor vehicle safety, including those that may result from the existence of potential cybersecurity vulnerabilities. Under that authority, the NHTSA recalled almost 1.5 million Chrysler vehicles in July 2015 due to cybersecurity shortcomings.
