Feds Issue Vehicle Cybersecurity Guidance

CARS.COM — With so much talk about self-driving cars, it’s important to remember your new car or truck could become increasingly vulnerable to someone who could take control of it remotely. To prevent this, the National Highway Traffic Safety Administration is taking the driver’s seat, so to speak, and issuing recommendations for new guidelines and best practices aimed toward improving cybersecurity in cars.

Related: FCA Enlists Hackers to Find Its Cars’ Tech Weaknesses

The car hacking problem already exists, as you might remember from Fiat Chrysler Automobiles’ recall of 1.4 million vehicles in July 2015. FCA discovered that hackers could tap into main vehicle functions using a weakness in the company’s 8.4-inch touchscreens.

As it did with guidelines for the burgeoning self-driving automotive landscape, NHTSA’s issuance of cybersecurity testing and regulation is not binding and enforceable, at least not in the strictest sense of more traditional recalls.

The new guidelines focus on “layered solutions to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful,” NHTSA said in a statement. This means ensuring the loss of one system does not necessarily balloon into a catastrophic hack of a vehicle. Like your phone or computer, a car or truck would be constantly monitoring its software and, should a breach occur, safely alert the driver and prevent a loss of control.

In a Detroit News story published on Oct. 12, Transportation Secretary Anthony Foxx discussed how difficult today’s automobile tech can be to monitor and regulate.

“Because we’re not talking about what you might call a mature technology, it means we have to strike a balance between being descriptive, which is how most of our regulations are set up,” Foxx explained, referring specifically to NHTSA’s earlier issuance of guidelines for self-driving vehicles.

Typically, if a car or truck had a faulty part, the vehicle would be recalled and the part fixed or replaced. Not knowing what problems might crop up, or what the source of a problem might be, makes monitoring highly advanced, cutting-edge vehicle systems that much more difficult.

The same hard-to-define challenge of ensuring modern cars aren’t susceptible to hacks — or that security breaches can be controlled and minimized — means that strict “dos” and “don’ts” are similarly difficult to enforce, at least at this early stage.

“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” said NHTSA chief Mark Rosekind. “Everyone involved must keep moving, adapting and improving to stay ahead of the bad guys.”

What might “bad guys” want to gain by taking control of your vehicle? For starters, the chance to access the personal information stored in today’s cars which can also be connected to our smartphones. In a worst-case scenario, a potential hacker could brake, steer or accelerate a vehicle simply to cause harm to a car’s occupants — or other road users.

In its guidelines, NHTSA also recommends “that companies should consider the full life cycle of their vehicles and facilitate rapid response and recovery from cybersecurity incidents.” This means data sharing, something the car industry has often been reluctant to do out of fear that a competitive edge might be lost. 

In the increasingly complicated world of automobiles, however, many of these old habits must be changed to keep up with the times. NHTSA has put the ball firmly in the court of the automobile world in terms of “making cybersecurity a top leadership priority for the automotive industry,” with “appropriate and dedicated resources” aimed at preventing and learning from cybersecurity attacks.