This article was originally drive.
Most people don’t immediately jump to cybersecurity when thinking about the automotive industry. After all, his two-ton steel box on wheels isn’t exactly a ‘computer’.But as more cars Centralized system and connectivityeach other, and outside worldit became clear that cybersecurity is more important than ever for today’s vehicles.
On Wednesday, the National Highway Traffic Safety Administration published a set of best practices for automakers to follow as they build new vehicles and the software stacks that underpin them. The document, first published in the Federal Register last year, is an update to the agency’s 2016 guidance, focused on interconnected vehicles and their respective safety systems.
Perhaps one of the most important areas NHTSA is focusing on is vehicle sensors. Authorities point to sensor tampering as an emerging concern related to vehicle cybersecurity, noting that the possibility of manipulating sensor data could pose a risk to safety-critical systems. Lidar and radar are areas where NHTSA wants automakers to defend. jamming, GPS spoofing, Correction of road signsblinding the camera, and exciting false positives in machine learning.
Vehicles with over-the-air (OTA) update capabilities are also attracting attention from NHTSA. Specifically, automakers must maintain not only the integrity of critical vehicle updates, but also the underlying servers that host OTA updates, transmission mechanisms between vehicles and servers, and the update process, the agency said. says. done in a vehicle. Additionally, NHTSA requires automakers to consider common cybersecurity issues such as insider threats, man-in-the-middle attacks, protocol vulnerabilities, and compromised servers.
It is also recommended that both remotely updateable and non-remotely updated vehicles have enhanced access to vehicle firmware to thwart cybersecurity-related issues. Today, many automakers are ECU firmware encryptionhowever, this can be beaten with a bench flush. NHTSA calls on automakers to “adopt state-of-the-art technology” to prevent this. What it means for the aftermarket scenebut it’s unclear, but it probably won’t be good news for anyone trying to tune their car.
Finally, not everything NHTSA has included in its documents is state of the art. In fact, most of the recommendations are NIST security framework Or simply rewritten from the 2016 guide and still holds value today.
One of the key components drawn from 2016 best practices involves aftermarket devices. NHTSA may not appear to aftermarket manufacturers that their devices could affect life safety systems, but they still need to design with such considerations in mind. and a reminder that it must undergo the same kind of security screening as the vehicle itself. Seemingly harmless devices such as insurance dongles and telematics harvesting devices can be used as proxies for other attacks. For this reason, NHTSA recommends transmitting critical safety signals separately from general CAN bus traffic. For example, to prevent replay or spoofing attacks, isolate the messages sent to the traction control actuators that control the physical braking function.
Vehicle serviceability is another item drawn from the last iteration of best practices. NHTSA says cybersecurity protections should not unduly restrict access to third-party repair services. This is the claim used by industry groups. During a recent Massachusetts battle over repair rightsIn order to meet voter-passed right-to-repair requirements, automakers must “render non-functioning cybersecurity design elements” installed in vehicles, according to court filings. claimed. Had the industry followed his NHTSA’s 2016 (and now his 2022) guidelines, this might not have been such a big deal.
Despite all these recommendations, ultimately it is up to car manufacturers to follow them. NHTSA simply communicates these voluntary guidance for automakers to improve their cybersecurity maturity based on their acceptable level of risk. However, a rapidly growing industry like connected cars needs this kind of guidance.of attack surface today It could represent just a fraction of what the industry will see tomorrow, and if regulators aren’t pointing in the right direction, Much worse than unlocking a door.