Privacy & Information Security Law Blog

The National Highway Safety Administration (“NHTSA”) recently issued non-binding guidance that outlines best practices for automobile manufacturers to address automobile cybersecurity. The guidance, entitled Cybersecurity Best Practices for Modern Vehicles (the “Cybersecurity Guidance”), was recently previewed in correspondence with the House of Representatives' Committee on Energy and Commerce (“Energy and Commerce Committee”).

According to the NHTSA, the Cybersecurity Guidance is “non-binding guidance” that contains “voluntary best practices” to improve motor vehicle cybersecurity. The Cybersecurity Guidance generally encourages automobiles manufactures to utilize a “layered approach” through adopting the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and its five principles: identify, protect, detect, respond and recover. NHTSA also recommends the use of certain industry standards such as ISO 27000 series standards, and other best practices, such as the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense. While the Cybersecurity Guidance admits that these standards were developed to mitigate threats against networks and not necessarily automotive devices, it nevertheless contends that they can still be adopted for use in the automotive industry. As with NHTSA’s cyber guidance for autonomous vehicles, the Cybersecurity Guidance also encourages automobile manufacturers to engage in information sharing as well as have a process for vulnerability reporting.

The month before the Cybersecurity Guidance was released, the Energy and Commerce Committee sent NHTSA a letter raising questions concerning cybersecurity risks related to On Board Diagnostics (“OBD-II”) ports, calling on NHTSA to establish an industry-wide working group on the subject. The Cybersecurity Guidance does not directly address OBD-II ports, though it does call for operational limits on “control vehicle maintenance diagnostic access” and calls on the automotive industry to consider the effects of aftermarket devices like insurance dongles and cell phones that are connected to vehicle information systems. Furthermore, in its response to the Energy and Commerce Committee, NHTSA indicated that at their request, “SAE International has started a working group that is looking to explore ways to harden the OBD-II port.”

On October 28, 2016, NHTSA published a request for public comments on the Cybersecurity Guidance and has opened a docket for those comments. Comments are due on November 28, 2016.