DETROIT – Automakers should make shielding the electronic and computer systems of vehicles from hackers a priority, developing layers of protection that can secure a vehicle throughout its life, U.S. regulators said on Monday.
The cybersecurity guidelines issued by the U.S. National Highway Traffic Safety Administration are recommendations, not enforceable rules. However, they mark a step toward establishing a road map for industry behavior as lawmakers and consumers pressure automakers to show how they will protect increasingly connected and automated vehicles from cyber attacks.
Some of the agency’s proposals, included in a paper titled “Cybersecurity Best Practices for Modern Vehicles,” echo moves major manufacturers are making already, including establishing a group to share information about cybersecurity threats.
Automakers will carefully review the technical aspects of the agency’s proposals as well as proposals related to the disclosure of information about “the secret sauce” of electrical and data systems, which is highly competitive, Jonathan Allen, acting executive director of the Automotive Information Sharing and Analysis Center, said in an interview on Monday. The group, often referred to as the AUTO-ISAC, was established by automakers as a clearinghouse for companies to share information about cybersecurity threats and countermeasures.
Automakers accelerated efforts to address hacking threats over the past year after data security researchers successfully took remote control of a Jeep Cherokee and publicized their feat. Fiat Chrysler Automobiles in July 2015 recalled 1.4 million vehicles to install software to protect against future data breaches.
Other automakers, including BMW AG and Tesla Motors Inc., have disclosed actions to fix potential data security gaps.
The security of data and communications systems in vehicles is also critical as more auto manufacturers gear up to follow Tesla’s lead and begin offering significant vehicle upgrades through wireless data links. The Federal Bureau of Investigation earlier this year warned that criminals could exploit online vehicle software updates.
The NHTSA recommends manufacturers conduct tests of vehicle systems to see if the cybersecurity systems can be breached, and document their testing and their assessment of the risks.
Democratic U.S. Sens. Ed Markey of Massachusetts and Richard Blumenthal of Connecticut said the NHTSA should do more. “If modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger,” the lawmakers said in a statement Monday.
The Alliance of Automobile Manufacturers said on Monday the NHTSA guidelines appear to support the steps being taken by the AUTO-ISAC. The Alliance represents General Motors Co., Ford Motor Co. and Daimler AG, among others.