Traffic Safety Agency Issues Final Guidelines for Vehicle Cybersecurity

The National Highway Traffic Safety Administration will announce its final cybersecurity guidelines draft Friday as modern vehicles become more technologically integrated.

The final version of the National Highway Traffic Safety Administration’s cybersecurity practices will be published in the Federal Register on Friday, focusing on cryptographic techniques to mitigate hacking risks as vehicles become more technologically integrated.

In the Cybersecurity Best Practices for the Safety of Modern Vehicles final draft, NHTSA officials took advice from the public during the draft publication’s open comment period and added more detail on key systems and cryptographic elements, as well as how attackers may use software updates to infiltrate a vehicle’s network. 

Other topics that were added to the scope of the guidance, pursuant to public comments, include right-to-repair issues, new references to source materials and rewording. 

“The recommendations contained within the best practices are intended to be applicable to all individuals and organizations involved in the design, development, manufacture and assembly of a motor vehicle and its electronic systems and software,” the Federal Register notice reads.  

The recommendations cover small and large motor vehicles alike, and are also intended for use by car equipment designers and manufacturers. Each guideline aims to prevent liabilities introduced with new technologies incorporated into modern cars.

NHTSA authors behind the report notably acknowledged the lack of expansive knowledge within the automotive cybersecurity landscape, as it is still a burgeoning field. Given the diversity in the organizational structure of the automotive industry, officials noted that different suppliers and manufacturers have varying cybersecurity threat levels.

Regardless, officials recommended relevant companies and stakeholders take adequate security precautions.  

“Regarding benefits, entities that do not implement appropriate cybersecurity measures, like those guided by these recommendations, or other sound controls, face a higher risk of cyberattack or increased exposure in the event of a cyberattack, potentially leading to safety concerns for the public,” the notice said. 

NHTSA’s first cybersecurity guidelines for automotive vehicles were issued in 2016. The updated recommendations reflect changes in the automotive industry, namely the increased integration of car operations with internet of things access.