April 21, 2019

April 19, 2019

Subscribe to Latest Legal News and Analysis

April 18, 2019

Subscribe to Latest Legal News and Analysis

Department of Transportation Invites Public Comment on Cybersecurity Best Practices for Modern Vehicles

Public comments on the proposal are due by November 28; guidance will influence automotive cybersecurity practices.

Increasingly “connected” automobiles bring convenience and other benefits to drivers and passengers, but at the same time raise concerns about safety and privacy. In response to this trend in automobile technology, members of the US Congress, along with others, have been asking what the US Department of Transportation’s (DOT’s) National Highway Traffic Safety Administration (NHTSA) will do to promote effective cybersecurity for automobiles.

Last year, members of the House Energy and Commerce Committee wrote to the NHTSA Administrator, noting that as new “technologies are incorporated into automobiles to improve safety, convenience, and performance, they also create the unavoidable potential for cyber threats.”[1] This issue arose again in September, when members of the same committee identified security and safety concerns with the On-Board Diagnostic (OBD-II) ports within vehicles. The members of Congress suggested an industrywide effort to develop a plan of action to address these risks.[2] On October 14, NHTSA responded, noting that it would soon issue best practices concerning cybersecurity.[3]

On October 24, NHTSA issued proposed federal guidance[4] to the automotive industry for improving motor vehicle cybersecurity.[5] The draft DOT guidance remains subject to public comment by November 28.[6] The final guidance will establish a baseline for automotive cybersecurity standards for the foreseeable future.

Voluntary Standards Based on Layered Approach

The proposed cybersecurity guidance, which is voluntary and nonbinding, is intended to “provide a solid foundation for developing a risk-based approach and important processes that can be maintained, refreshed and updated effectively over time to serve the needs of the automotive industry.”[7] The guidance notes that there is no current Federal Motor Vehicle Safety Standard covering vehicle cybersecurity.[8]

The guidance uses a layered approach “to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful.”[9] According to the draft guidance, this approach would include the following aspects:

  • “Be built upon risk-based prioritized identification and protection of safety-critical vehicle control systems and personally identifiable information”

  • “Provide for timely detection and rapid response to potential vehicle cybersecurity incidents in the field”

  • “Design-in methods and measures to facilitate rapid recovery from incidents when they occur”

  • “Institutionalize methods for accelerated adoption of lessons learned across the industry through effective information sharing, such as through participation in the Auto ISAC [Automotive Information Sharing and Analysis Center]”

Draft Best Practices Recommendations

The current draft contains several recommendations that draw upon industry and other best practices and internal applied research. Some of the recommendations include the following:

  • Promote “cybersecurity oriented leadership within the organization,” including over the product development cycle[10]

  • In “an ongoing risk management framework,” assess vulnerabilities at each stage in the process, including “the entire supply-chain of operations”[11]

  • Implement “a documented process for responding to incidents, vulnerabilities, and exploits” that clearly delineates roles and responsibilities for each responsible group within the organization[12]

  • Conduct cybersecurity testing, including penetration testing, by “qualified testers who have not been part of the development team, and who are highly incentivized to identify vulnerabilities”[13]

  • Adopt self-auditing programs that include periodic risk assessments and reviews of organizational decisions[14]

  • Encourage information sharing about cybersecurity risks and incidents, including through the Auto ISAC[15]

  • Consider the role of aftermarket devices (such as cell phones and insurance dongles)[16]

  • Remove unnecessary network services to control the proliferation of network ports and limit attack vectors[17]

  • Limit software developer access to Electronic Control Units where “no foreseeable operational reason” exists[18]

  • Consider encryption as a “useful tool in preventing the unauthorized recovery and analysis of firmware”[19]

  • Maintain sufficient log records to identify how cyber-attacks occurred and to detect trends[20]

  • Implement employee training to educate the entire automotive workforce on new cybersecurity practices, and share lessons learned[21]

  • Address serviceability issues by providing “strong vehicle cybersecurity protections that do not unduly restrict access by authorized alternative third-party repair services” [22]

After the public comment period has concluded, DOT will issue final guidance. As noted, members of Congress are also reviewing this issue. It remains to be seen whether the voluntary standards may ultimately prove to be the basis for mandatory standards or legislation. The issue of automobile cybersecurity is likely to remain active on the legislative and regulatory fronts as vehicle technology continues to develop and automotive companies (and others) work to protect vehicles from cybersecurity and other threats.

Interested parties can submit comments on or before November 28 by visiting the Request for Comments on Federal Cybersecurity Best Practices page on the regulations.gov website.


[1] Letter to Mark R. Rosekind, NHTSA Administrator (May 28, 2015)

[2] Letter to Mark R. Rosekind, NHTSA Administrator (Sept. 12, 2016).

[3] Letter of Mark R. Rosekind, NHTSA Administrator, to House Committee on Energy and Commerce Chairman Fred Upton (Oct. 14, 2016)

[4] Proposed Cybersecurity Best Practices for Modern Vehicles (Oct. 24, 2016)

[5] Press Release, US Dep’t of Transportation, US DOT issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity (Oct. 24, 2016)

[6] Public Comment for Agency Information Collection Activities; Proposals, Submissions, and Approvals: Cybersecurity Best Practices for Modern Vehicles

[7] Proposed DOT Cybersecurity Vehicle Guidance, at 5. 

[8] Id. at 5. 

[9] Id. at 10. 

[10] Id. § 6.2. 

[11] Id. § 6.6.1.  

[12] Id. § 6.5.  

[13] Id. § 6.6.2.  

[14] Id. § 6.6.  

[15] Id. § 6.3.  

[16] Id. § 8.  

[17] Id. § 6.7.6.  

[18] Id. § 6.7.1. 

[19] Id. § 6.7.4. 

[20] Id. § 6.7.9.  

[21] Id. § 7. 

[22] Id. § 9. 

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Mark Krotoski, Litigation attorney, Morgan Lewis
Partner

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

202.739.3001
Ellie F. Chapman, Morgan Lewis, Environmental Attorney
Associate

Ellie Chapman's practice focuses on privacy, securities, environmental, and complex business matters. She has experience representing clients in many phases of litigation including class actions.

Ellie also advises clients on issues relating to cybersecurity (with a particular expertise in artificial intelligence, breach and response laws, and automobiles), land-use entitlements, and securities issues (including insider trading and aspects of mortgage-backed securities). Ellie maintains an active pro bono practice, recently serving on the Blue Ribbon Task Force, an investigative body instigated by the San Francisco DA to evaluate racial bias in the San Francisco Police Department, and working with the ACLU to challenge a nationwide domestic surveillance program. Ellie also represents local residents facing housing eviction and several individuals seeking asylum.

415-442-1484
Ronald Del Sesto, Morgan Lewis, Regulatory Attorney
Partner

Ron Del Sesto represents technology companies on a broad range of issues including corporate, financial, regulatory, and cybersecurity. Ron also advises financial institutions, private equity firms and venture capital funds with respect to investments in  the telecommunications, media, and technology (TMT) sectors.

202.373.6023