Washington — Federal regulators want automakers to voluntarily agree to a set of “best practices” for cybersecurity as car manufacturers are racing to develop connected and self-driving vehicles.
The National Highway Traffic Safety Administration released a set of guidelines on Monday that call for automakers to voluntarily adopt “existing standards and best practices” for cybersecurity that are structured around the National Institute of Standards and Technology’s existing Cybersecurity Framework.
The new guidelines for cars call for automakers to develop a “layered approach to vehicle cybersecurity” that “reduces the probability of an attack’s success and mitigates the ramifications of a potential unauthorized access.” The proposal focuses on five principal functions that were identified by the institute: identify, protect, detect, respond and recover.
U.S. Transportation Secretary Anthony Foxx said NHTSA was announcing the proposed guidelines because, “Cybersecurity is a safety issue, and a top priority at the department. Our intention with today’s guidance is to provide best practices to help protect against breaches and other security failures that can put motor vehicle safety.”
Two longtime critics of NHTSA, however, say the guidelines are weak.
“This new cybersecurity guidance from the Department of Transportation is like giving a take-home exam on the honor code to failing students,” Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., said in a joint statement. “If modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger.”
The transportation department’s proposal calls for automakers to use guidelines from “recognized standards-setting bodies” such as NHTSA, the Institute of Standards and the Automotive Information Sharing and Analysis Center.
A statement from the agency said, “The automotive industry should follow a robust product development process based on a systems-engineering approach with the goal of designing systems free of unreasonable safety risks including those from potential cybersecurity threats and vulnerabilities. Companies should make cybersecurity a priority by using a systematic and ongoing process to evaluate risks.”
NHTSA Administrator Mark Rosekind said it is important to get ahead of potential hackers as cars become more computerized with each passing year.
“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” Rosekind said in a statement. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”
NHTSA is soliciting public comments on the proposed cybersecurity framework for 30 days. Its formal title is “Cybersecurity Best Practices for Modern Vehicles.”
NHTSA is also recommending “employee training to educate the entire automotive workforce on new cybersecurity practices and to share lessons learned with others.”
General Motors Co. released a statement applauding the guidelines. “We look forward to working with NHTSA and the industry at large to achieve our mutual goals of advancing automotive cybersecurity through the implementation of best practices. To that end, our dedicated product cybersecurity organization continues to undertake a multifaceted approach to protect against potential cybersecurity threats.”
The Washington, D.C.-based Alliance of Automobile Manufacturers says it is reviewing the proposed cybersecurity guidelines.
The auto alliance group issued a statement saying, “The auto industry has been forward leaning and proactive and has already established the Automotive Information Sharing and Analysis Center (Auto-ISAC), as well as a cybersecurity best practices framework.”
The alliance represents Fiat Chrysler Automobiles, Ford Motor Co., General Motors Co., BMW Group, Jaguar Land Rover, Mazda, Mercedes-Benz USA, Mitsubishi Motors, Porsche, Toyota, Volkswagen Group of America and Volvo Car USA.