Hot on the heels of its draft guidance on self-driving cars, the National Highway Traffic Safety Administration (NHTSA) followed up with new guidance on cybersecurity and autos.
The two guidance documents have much in common. Cybersecurity was one of the elements of the self-driving cars guidance, and the new cybersecurity guidance provides some additional thoughts.
The new Cybersecurity Best Practices for Modern Vehicles is advisory, too. And as with self-driving cars, no federal motor vehicle safety standard (FMVSS) is anticipated. NHTSA simply mentions some voluntary industry standards and best practices either already adopted or in the process of being developed, and voices the hope that auto manufacturers and suppliers will heed those.
The Best Practices makes a glancing reference to the aftermarket, stating what probably is the obvious: "The automotive industry should consider that consumers may bring aftermarket devices (e.g., insurance dongles) and personal equipment (e.g., cell phones) onto cars and connect them with vehicle systems through the interfaces that manufacturers provide (Bluetooth, USB, OBD-II port, etc.). The automotive industry should consider the incremental risks that could be presented by these devices and provide reasonable protections."
The guidance lists a number of relevant industry standards and best practices, including those published by the Automotive Information Sharing and Analysis Center (Auto ISAC), the National Institute of Standards and Technology’s Cybersecurity Framework, the ISO 27000 series standards, the Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense (CIS CSC), and SAE J3061: Recommended Best Practice, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems.
Tim Weisenberger, ground vehicle project specialist – Technical Programs, SAE International, points out that J3061 is the only voluntary standard that addresses cybersecurity processes in autos exclusively. "That is probably where the auto industry needs to look to get the most targeted information," he says.