DOT Issues Guidance to Automotive Industry for Improving Motor Vehicle Cybersecurity; Rep. Lipinski Says Keeping Transportation Safe from Cyber Attacks Needs to Be a Top Priority (Ocotber 24, 2016)
The U.S. Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) is releasing proposed guidance for improving motor vehicle cybersecurity. Since 2014, Congressman Dan Lipinski (IL-3) has been pushing for enhanced protection against potential cyber attacks on vehicles. The guidance released today serves as a set of best practices for automakers and component suppliers to ensure their products are secure from cyber attacks. The NHTSA’s recommendations include the use of extensive product testing by mimicking potential threats, limiting the ability to modify firmware to control possible malware installation, and the development of an industry-wide disclosure framework to create a body of knowledge that will enable researchers to develop defenses against cyber threats.
In April, the Government Accountability Office released a report following an investigation requested by Lipinski that found that the DOT needs to better define the federal government’s role in the cyber protection of vehicles and develop a plan for dealing with cyber attacks. Serving on the Transportation and Infrastructure and Science, Space, and Technology Committees, Lipinski has focused on cyber protection issues in other transportation systems, as well as having been an author of the Cybersecurity Enhancement Act, which became law during the last session of Congress.
“As technology evolves, more and more of the items we use every day have critical systems connected to the internet, including the vehicles we drive,” said Rep. Lipinski. “The industry needs to consider these during the design phase, and how to deal with evolving threats throughout the vehicle’s service life. There are many positives to these advances, but it does increase the risk of cyber attacks. Hackers have already proven that they can take control of some vehicles, including the brake system, which could be the difference between life and death. Cybersecurity in transportation is an issue to be taken seriously in both the private and public sector, especially considering the ongoing efforts by the automotive industry and others to put more connected and driverless vehicles on our roadways. I'm pleased that the DOT is making it clear that cybersecurity must be a priority in the automotive technology development process, but I’m hopeful that congressional hearings will afford us to hear more from stakeholders about this guidance.”
The DOT’s newly-released guidance focuses on solutions to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. It recommends risk-based prioritized identification and protection of critical vehicle controls and consumers’ personal data, and it asks companies to consider the full life-cycle of their vehicles and facilitate rapid response and recovery from cybersecurity incidents.
This guidance suggests that companies allocate appropriate and dedicated resources to address vehicle cybersecurity matters, and the entire automotive industry should consider vulnerabilities and exploits that may impact their supply-chain of operations. Employee training is also necessary to educate the automotive workforce on new cybersecurity practices and to share lessons learned with others.