Guidance from the National Highway Traffic Safety Administration for improving motor vehicle cybersecurity has attracted criticism from lawmakers who said that mandatory security standards were required.
“This new cybersecurity guidance from the Department of Transportation is like giving a take-home exam on the honor code to failing students,” said Senators Edward J. Markey, a Democrat from Massachusetts, and Richard Blumenthal, a Democrat from Connecticut, who are both members of the Commerce, Science and Transportation Committee.
“In this new Internet of Things era, we cannot let safety, cybersecurity, and privacy be an afterthought,” the senators added.
On Monday, NHTSA released a document, titled “Cybersecurity best practices for modern vehicles,” that laid out the agency’s “non- binding guidance” to the automotive industry for improving motor vehicle cybersecurity.
Markey and Blumenthal introduced in July last year in the Senate the Security and Privacy in Your Car Act, also known as the SPY Car Act, which would direct the NHTSA and the Federal Trade Commission to establish federal standards for vehicles made for sale in the U.S. that would protect them from unauthorized access to their electronic controls or data collected by electronic systems. A violator is liable for a civil penalty of up to US$5,000 for each violation.
The legislation would also establish a rating system or 'cyber dashboard' that would inform consumers about how well a vehicle protects drivers’ security and privacy beyond the minimum standards. The SPY Car Act was referred to the Committee on Commerce, Science, and Transportation on July 21, 2015, and has been pending ever since.
Concerns about the cybersecurity of automobiles came to the forefront last year after two security experts gained access to a Jeep Cherokee and took control remotely of some vital functions of the vehicle, raising concerns about the safety of vehicles with a high degree of automation. Under a NHTSA campaign, Chrysler recalled about 1.4 million vehicles that were equipped with radios that had software vulnerabilities that could allow third-party access to certain networked vehicle control systems.
NHTSA said in its report it was important for the automotive industry to make vehicle cybersecurity an organizational priority by proactively adopting and using available guidance such as its document and existing standards and best practices.
“Prioritizing vehicle cybersecurity also means establishing other internal processes and strategies to ensure that systems will be reasonably safe under expected real-world conditions, including those that may arise due to potential vehicle cybersecurity vulnerabilities,” the agency said in the report, which advises car makers that the product development process should be based on a systems-engineering approach that aims at designing systems free of unreasonable safety risks including from potential cybersecurity threats and vulnerabilities.
Among the fundamental vehicle protections recommended by NHTSA are limiting or even eliminating when possible developer and debugging access to the electronic control unit in production devices, controlled access and ability to modify firmware by using digital signing techniques, and the use of segmentation and isolation in vehicle architecture design with strong boundary controls.