Automotive Cybersecurity: Major Changes Underway
January 15, 2021
The National Highway Traffic Safety Administration (NHTSA) released an update to their Cybersecurity Best Practices for the Safety of Modern Vehicles.
The National Highway Traffic Safety Administration (NHTSA) released an update to their Cybersecurity Best Practices for the Safety of Modern Vehicles. The timing of this update and its new recommendations are indicative of major changes underway in the automotive industry concerning cybersecurity. While the NHTSA document provides non-binding guidance, the update is aligned with two new European Union automotive cybersecurity regulations, which are binding. These regulations were adopted in June 2020 by the United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations (WP.29) and went into effect as of January 2021.
The first of the new European Union regulations requires automotive manufacturers to incorporate cybersecurity practices into their organization, development process, and support of vehicle cybersecurity through their entire lifecycle. The second regulation requires manufacturers to support software updates and the implementation of a software management system to track versions of deployed software to be updated if a vulnerability is identified. These regulations also call for documentation to be maintained so third parties can confirm cybersecurity practices are followed for audit purposes.
The timing to support these regulations is short when considering the development cycles for automobiles. New vehicle types must comply by July 2022. All newly produced vehicles need to comply by July 2024. These two regulations will ripple around the world to all automotive manufacturers that sell into Europe and will affect them at an organizational and operational level.
The new NHTSA document provides both general and technical best practices guidance. In the sections on general best practices, the connection is made to the WP.29 regulations through references to ISO/SAE 21434. ISO/SAE 21434 is a cybersecurity framework and a reference implementation for the WP.29 regulations. It was developed in parallel with the new regulations and in communication with the WP.29 group. So, alignment with ISO/SAE 21434 is, by and large, alignment with the European Union regulations.
There are 43 general best practice recommendations made in the NHTSA document and 14 include specific references to ISO/SAE 21434. Another 14 can be directly mapped to 21434. Four of the NHTSA recommendations are specific and most likely would be covered by the outcome of the 21434 processes. That leaves 11 of the NHTSA best practices that are not addressed by a 21434 implementation and would need specific consideration in addition to the application of 21434 processes. For more information on this see: Does Implementation of ISO/SAE 21434 Bring NHTSA’s Best Practice Recommendations Along for the Ride?
The NHTSA document also references Auto-ISAC’s series of seven best practices guides. The Auto-ISAC is an industry-supported information sharing group with a charter to facilitate collaboration and timely communication between automotive companies concerning exploited vulnerabilities. The Auto-ISAC guides cover a variety of cybersecurity topics ranging from training to product development, to incident response.
Due to the recent SolarWinds hack, another hot topic is supply chain security. In the case of SolarWinds, malware was added to SolarWinds’ software build system and became part of their authenticated software updates. Over 18,000 companies and government agency networks were affected due to the updates to the SolarWinds software. The attack highlighted how important the security of supplier-provided software is and both the NHTSA document and ISO/SAE 21434 address this very topic. The approach outlined is to engage in active communication with suppliers to make cybersecurity requirements clear and to identify and manage supplier related risks.
The technical best practices section of the NHTSA document does what the ISO/SAE standard cannot - provide specific technical guidance to mitigate cybersecurity threats. 21434 strives to be applicable to a variety of situations and components, so it cannot be too specific. Different devices will have different levels of need in terms of security requirements. The recommendations made by NHTSA are an excellent reference for cybersecurity protections and even have applicability to IoT devices in general. If your embedded computing device has a network interface, you should consider the NHTSA’s technical recommendations, including:
· Close debug ports on the production version of devices
· Keep cryptographic credentials for access (e.g., password, keys, certificates) protected and do not have a “break one breaks them all” credential scheme
· Implement message authentication for safety-critical communications
· Keep event logs that help identify cybersecurity attacks
· Treat external networks connected to wireless interfaces as untrusted
· Protect open Internet Protocol (IP) ports
· Ensure software updates are secure (e.g., authenticate software updates)
Many of the technical recommendations are based on 14 exploited vulnerabilities that are cited throughout the document. This is an excellent set of references and includes BlackHat and DefCon presentations. You’ll find them in the footnotes of the Technical Best Practices section.
The NHTSA document is a draft and is open for comments. Information on how to provide comments can be found in this Federal Register Notice. NHTSA provides a summary of the comments received and the rationale for their new best practice recommendations. These comments provide a helpful context for understanding why each new recommendation is important.
There is an excellent spirit of collaboration between automotive companies when it comes to the major cybersecurity changes that are underway. Competitors have come together in forums like the Auto-ISAC and the ISO and SAE committees to collaborate on cybersecurity. There is a common realization that cybersecurity is not to be treated as a competitive advantage, but instead, strong cybersecurity in all vehicles will benefit everyone. The updated “Cybersecurity Best Practices for the Safety of Modern Vehicles” recommendations by NHTSA are indicative of these changes, with its alignment to the new regulations in Europe through ISO/SAE 21434. Automotive manufacturers have and will continue to make significant investments in cybersecurity. The European regulations will demand it and there will be a positive, follow-on impact on automotive operations around the world.
If you need assistance with implementation of the processes outlined in ISO/SAE 21434, BG Networks’s consulting services can help with risk & vulnerability assessments and the development of cybersecurity goals, concepts, and requirements for new product developments.