With self-driving cars on the horizon, the National Highway Traffic Safety Administration (NHTSA) is getting more serious about the subjects of hacking and cybersecurity.
After the fallout from a Jeep Cherokee being taken over by friendly hackers, members of Congress upped the game by requesting details from NHTSA about the cybersecurity of on-board diagnostic (OBD-II) ports. Those ports first arrived on the scene when the Internet was still in the cradle, and NHTSA has been asked to make sure the ports are safe.
Now the government has released proposed guidelines to help the auto industry improve the odds of surviving the very real threat to safety from not-so-friendly hackers.
NHTSA admits there is nothing binding about the proposed guidance. One section, under the heading "Self-Auditing," describes leaving much of the policing to automakers. The guidance leaves automakers the job of auditing, accountability, revising documents and "self-review," and because it's only "guidance," NHTSA won't have the right to enforce anything.
Titled "Cybersecurity Best Practices for Modern Vehicles," the document will apply to all companies that supply, design, manufacture or alter vehicles or equipment related to vehicles.
NHTSA wants the entire auto industry to apply two main general principles for cybersecurity: to create systems that are consistent with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework; and to adapt existing security standards and controls used by the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense.
One point of the proposed guidance involves every automaker sharing information, an idea that has made companies uncomfortable in the past because of privacy issues. However, NHTSA wants reports concerning security vulnerabilities to be shared when they are discovered; companies would then need to use external researchers to find the vulnerabilities.
Automakers are also asked to create plans for responding to real-world incidents and to report if their systems have been exploited.
NHTSA says automakers should also take notice of aftermarket devices and manufacturers to find any security risks involved and then decide what to do in an effort to mitigate those risks.
Talking Cars (Vehicle-to-Vehicle Technology)
One reason the issue of cybersecurity is front and center is the coming day when all cars will "talk" to each other and to surrounding infrastructure.
Believing vehicle-to-vehicle (V2V) technology has the potential to greatly reduce crashes, the U.S. Department of Transportation issued a proposed rule to make sure future light-duty vehicles are connected to know what other vehicles are doing on the roads. Regulators say once all vehicles are equipped with V2V technology, the systems will provide 360-degree situational awareness on the roads.
The National Highway Traffic Safety Administration (NHTSA) has been ordered to create rules that all automakers will use to require V2V devices to “speak the same language” through standardized messaging developed with industry.
In addition to V2V technology, guidance will soon be laid on the table concerning vehicle-to-infrastructure (V2I) communications so transportation planners can start designing roadway infrastructure to talk with vehicles. Ideas for infrastructure include traffic lights, stop signs and work zones to allegedly reduce congestion and improve safety.
NHTSA estimates up to 80 percent of crashes will be erased, at least if those crashes don't involve a driver affected by drugs or alcohol.
Based on what NHTSA envisions, V2V devices would use dedicated short-range communications to transmit data such as location, direction and speed to nearby vehicles. That data would be updated and broadcast up to 10 times per second to nearby vehicles. Using that information, V2V-equipped vehicles would identify risks and provide warnings to drivers to avoid crashes.
As for issues of consumer privacy, NHTSA says privacy is protected in V2V transmissions because the technology "does not involve the exchange of information linked to or, as a practical matter, linkable to an individual, and the rule would require extensive privacy and security controls in any V2V devices."
For consumers worried about issues of privacy, a driver could turn off the warnings, but they would not be allowed to disable the technology.