On September 7, 2022, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) released an updated edition of its Cybersecurity Best Practices for the Safety of Modern Vehicles, the last edition of which was published in 2016. The new edition of this non-binding guidance draws on agency research, voluntary industry standards, and findings from cybersecurity research conducted over several years. The guidance was also updated based on public comments received on the draft that was published in the Federal Register last year.
In the updated guidance, NHTSA separates its recommendations into general best practices and technical best practices for cybersecurity. The best practices follow many of the same overarching topics as the previous guidance, including recommendations that the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and best practices for secure software development be implemented, but have been updated to reflect changes in technology and the applicability of recent industry standards. For example, in the 2022 guidance NHTSA recommends following emerging voluntary standards such as ISO/SAE FDIS 21434 “Road vehicles – Cybersecurity engineering”, in addition to NIST. The updated guidance includes a total of 45 general best practices and 23 technical best practices, with updated and new recommendations for items such as secure software development, electronic control unit (ECU) security, external data ports, and securing diagnostic tools.
Notably, the guidance still includes a strong suggestion that members of the automotive industry share information on potential attacks with each other through Auto-ISAC. NHTSA further recommends sharing information on potential attacks through other sharing mechanisms, including US-CERT at CISA.
With this guidance, NHTSA intends to establish a baseline of cybersecurity for the automotive industry and to encourage industry members to continue to make vehicle and industry cybersecurity a priority. This is particularly important as cars become more connected and offer more internet connectivity and access points.