US Lawmakers Slam Opt-in Car Cybersecurity Guidance

US regulators have urged car manufacturers to prioritize cybersecurity in the design of their vehicles, in a new voluntary set of guidelines.

On Monday, the National Highway Traffic Safety Administration (NHTSA) released Cybersecurity Best Practices for Modern Vehicles, which it claimed to be “a solid foundation for developing a risk-based approach and important processes” to ensure systems are properly secured.

It continued:

“NHTSA believes that it is important for the automotive industry to make vehicle cybersecurity an organizational priority. This includes proactively adopting and using available guidance such as this document and existing standards and best practices. Prioritizing vehicle cybersecurity also means establishing other internal processes and strategies to ensure that systems will be reasonably safe under expected real-world conditions, including those that may arise due to potential vehicle cybersecurity vulnerabilities.”

The document sets out best practice advice including information sharing via the Auto ISAC; following established standards such as ISO; pen testing; and creating a new industry-specific vulnerability reporting program.

The guidance is certainly needed, given the rapid pace of development in the connected car industry and headline research which has highlighted potentially life-threatening flaws in systems.

This was most famously spearheaded by Miller and Valasek in 2015 research which showed how a Jeep Cherokee could be remotely controlled by hackers.

However, the NHTSA’s guidance is voluntary, which simply isn’t good enough, according to Democrat senators and members of the Commerce, Science and Transportation Committee, Edward Markey and Richard Blumenthal.

“If modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger,” they argued in a prepared statement.

“In this new Internet of Things era, we cannot let safety, cybersecurity, and privacy be an afterthought. We must pass our legislation, the SPY Car Act, that puts the protections in place to ensure auto safety and security in the 21st century.”

The Security and Privacy in Your Car (SPY Car) Act was introduced back in July and would require the NHTSA to establish federal standards on in-vehicle privacy and security, and to create a “cyber dashboard” ratings system to help car buyers differentiate on security.
