NHTSA Drafting Cyber Security Guidelines for Light Vehicles

In-brief: The National Highway Traffic and Safety Administration (NHTSA) is drafting cyber security guidelines for light vehicles, the agency’s first major initiative exclusively focused on the security of connected cars.

NHTSA has issued a request for proposals (RFP) to private firms for support developing automotive cybersecurity guidelines. NHTSA is looking to contractors to “help develop initial light-vehicle cybersecurity guidelines” that will “help provide the foundation for safe, reliable and secure vehicle systems,” according to a copy of the request shared with The Security Ledger.

The RFP lays out a one-year time frame for private sector firms to work with NHTSA to come up with guidelines to help automakers build a “cyber secure vehicle.” “Modern vehicles are becoming more and more reliant on advanced electronic systems. These systems are vulnerable to cyber-attacks. Cybersecurity is quickly becoming one of the most important vehicle safety research topics,” the RFP reads, in part.

The work is intended to expand upon already completed research done by VOLPE, The National Transportation Systems Center, on information security practices “both inside and outside the automotive sector,” including protection of cyber physical systems. NHTSA wants to expand on that research and use it to create firm guidelines for industry.

NHTSA plans to take in other, similar guidelines developed by other federal agencies including the FDA, NIST, the FAA as well as private sector firms like SAE International and “the electrical power generation sector.” The goal is to identify commonalities in those regulations as well as gaps – areas where current needs and existing guidelines don’t meet up.

The final guidelines should be consistent with existing NHTSA “guidelines, Regulations and Federal Standards,” the document reads. As examples, the RFP notes NHTSA’s 2013 guidance on distracted driving, as well as earlier regulations pertaining to electronic data recorders on vehicles.

NHTSA did not respond to calls and email messages requesting comment on the RFP.

The RFP signals forward movement by the U.S. Government’s lead vehicle safety agency on cyber security, after criticism from within and outside government on oversight of the security and privacy implications of new, connected vehicles.

In February, 2015, for example, U.S. Senators Markey (D-MA) and Blumenthal (D-CT) released a report calling for new standards to “plug security and privacy gaps in our cars and trucks.” That report followed disclosures from sixteen major automobile manufacturers in response to pointed questions from Senator Markey about how vehicles may be vulnerable to hackers, and how driver information is collected and protected.

Then, in August, Fiat Chrysler issued the first-ever recall linked to software vulnerabilities. That came after researchers Charlie Miller and Chris Valasek demonstrated a remote, software-based attack on a Chrysler Jeep Cherokee that allowed them to remotely control the vehicle’s transmission, braking and steering. In March, the FBI and NHTSA issued a bulletin warning that motor vehicles are “increasingly vulnerable” to hacking. And Carnegie Mellon CERT issued an alert last week about a vulnerable, after-market connected car product: a mobile app that lets car owners monitor their vehicle’s performance via the Bluetooth wireless protocol.

The convergence of new, connected features and demonstrations of malicious attacks has pushed cyber security to the front burner for federal authorities and regulators, said John Walsh of the firm Sypris Solutions, which works with automakers on vehicle security.

“You’re seeing this convergence, and that’s creating concerns,” he said. Walsh says that the concerns go well beyond public safety and impact liability as well. “If there were an accident, it’s getting to the point of wondering ‘was the driver in control of the vehicle?’” The advent of autonomous vehicles only multiplies the complexity of answering such questions, Walsh said.

“That’s why you’re seeing NHTSA getting more involved.”

Any guidelines could be years in the making. The RFP allows the winning firm 12 months after the award of the contract to complete a final report. Walsh said that NHTSA would likely use that report to formulate guidelines and then work with the automobile industry and other experts to fine-tune those guidelines.

Regardless, the RFP is important because it shows the NHTSA moving forward on an issue that has been languishing for years, Walsh said. “They’ve been bringing on staff in this area starting in 2012 or 2013, but they didn’t have any funding to do anything. This is the first year that they’ve actually received the funding to become more situationally aware,” he said.