NHTSA Publishes Cybersecurity RFI

Today the DOT’s National Highway Traffic Safety Administration (NHTSA) published a notice in the Federal Register (79 FR 60574-60583) concerning its research program on determining the need for safety standards with regard to electronic systems in passenger motor vehicles. Such standards could include cybersecurity requirements for such systems. NHTSA is seeking public comments on these issues.

On July 6, 2012 the President signed into law MAP-21 (PL 112-141). Section 31402 required DOT to examine electronic systems in passenger motor vehicles. Part of that examination was to include a look at “the security needs for those electronic systems to prevent unauthorized access” {§31402(a)(1)}. A portion of today’s notice specifically addresses that cybersecurity examination. In this section NHTSA identifies two general approaches to vehicular cybersecurity:

• Design and quality control processes that focus on cybersecurity issues throughout the lifecycle of a product; and

• Establishing robust information sharing forums such as an Information Sharing and Analysis Center (ISAC)

Cybersecurity Design

NHTSA notes that there are no current cybersecurity design standards for the automotive industry. It does point at the NIST Cybersecurity Framework and notes that “this framework could allow the automotive industry to develop a security program for modern-day automobiles analogous to information security programs [emphasis added] in place for information technology (IT) systems in general”. This would make it seem that NHTSA intends to treat automotive electronic systems as information systems rather than control systems.

NHTSA does note the European Union’s efforts in this area, specifically the EVITA program which has apparently done nothing since it produced its final report in 2012.

Information Sharing

NHTSA reports that it has examined [.PDF download link] the Information Sharing and Analysis Center (ISAC) that has been used by other industries. It also notes that the Alliance of Automotive Manufacturers (Alliance) and the Association of Global Automakers (Global Automakers) are considering [.PDF download link] the formation of an automotive sector ISAC.

NHTSA Ongoing Research

NHTSA reports that its ongoing automotive cybersecurity research program targets four areas:

• Preventive methods and techniques;

• Real-time intrusion detection methods;

• Real-time response methods; and

• Treatment methods.

Public Comments

Before they complete their required report to Congress on automotive cybersecurity NHTSA is soliciting public comments on this topic. They are specifically asking for input in the following topic areas:

• Suggested areas for further research;

• Security process standards; and

• Security performance standards.

Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #NHTSA-2014-0108). Public comments should be submitted by December 8^th, 2014.