Safety Regulators Tell Auto Industry to Outsmart Hackers

WASHINGTON, DC — With something like 100 million lines of software code in many models, today’s automobiles are a hacker’s playground, prompting federal regulators to ask the nation’s automakers to equip cars, trucks and vans as if the nation’s security depends upon it. And in a way, it does.

To protect vehicles against malicious cyberattacks and unauthorized access, the National Highway Traffic Safety Administration is asking automakers to use industry “best practices” and develop “layered approach to vehicle cybersecurity reduces the probability of an attack’s success and mitigates the ramifications of a potential unauthorized access.”

U.S. Transportation Secretary Anthony Foxx said in a statement that improving cybersecurity is a “top priority” for his department.

Regulators say that with layered firewalls recommended in the best practices guide, vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. In that case, the vehicle will go into a fail-safe mode that protects critical vehicle controls and consumers’ personal data.

Further, the carmakers re asked to consider the full life-cycle of their vehicles and create a rapid response and recovery protocol from cybersecurity incidents, and engrain cybersecurity in their corporate culture, from top leadership down to assembly workers.

"In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” NHTSA Administrator Mark Rosekind said in the statement. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”

The vulnerability of today's loaded-with-extras automobiles was illustrated last year when Fiat Chrysler recalled 1.4 million vehicles due to a Uconnect radio system software glitch that allowed hackers to remotely break into certain cars and control their steering wheels from afar.

The transportation department proposal asks automakers to use guidelines from “recognized standards-setting bodies,” including NHTSA, the Institute of Standards and the Automotive Information Sharing and Analysis Center.

“The automotive industry should follow a robust product development process based on a systems-engineering approach with the goal of designing systems free of unreasonable safety risks including those from potential cybersecurity threats and vulnerabilities,” according to the statement. “Companies should make cybersecurity a priority by using a systematic and ongoing process to evaluate risks.”

Photo by Doug McCaughan via Flickr Commons