[Federal Register Volume 86, Number 7 (Tuesday, January 12, 2021)]
[Notices]
[Pages 2481-2486]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-00390]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety Administration
[Docket No. NHTSA-2020-0087]
Cybersecurity Best Practices for the Safety of Modern Vehicles
AGENCY: National Highway Traffic Safety Administration (NHTSA),
Department of Transportation (DOT).
ACTION: Request for comments.
-----------------------------------------------------------------------
SUMMARY: NHTSA invites public comment on the Agency's updated draft
cybersecurity best practices document titled Cybersecurity Best
Practices for the Safety of Modern Vehicles. In 2016, NHTSA issued its
first edition, Cybersecurity Best Practices for Modern Vehicles, which
described NHTSA's nonbinding guidance to the automotive industry for
improving vehicle cybersecurity. With this document, NHTSA is docketing
and soliciting public feedback on a draft update based on the knowledge
gained through prior comments, continued research, motor vehicle
cybersecurity issues discovered by researchers, and related industry
activities over the past four years. To emphasize NHTSA's safety
mission, recommendations in the document focus on cybersecurity best
practices that have safety implications for motor vehicles and motor
vehicle equipment.
DATES: Written comments are due no later than March 15, 2021.
ADDRESSES: Comments must refer to the docket number above and be
submitted by one of the following methods:
Federal eRulemaking Portal: Go to http://www.regulations.gov. Follow the online instructions for submitting
comments.
Mail: Docket Management Facility, M-30, U.S. Department of
Transportation, West Building, Ground Floor, Room W12-140, 1200 New
Jersey Avenue SE, Washington, DC 20590.
Hand Delivery or Courier: U.S. Department of
Transportation, West Building, Ground Floor, Room W12-140, 1200 New
Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m. Eastern
time, Monday through Friday, except Federal holidays. To be sure
someone is there to help you, please call (202) 366-9322 before coming.
Fax: 202-493-2251.
Regardless of how you submit your comments, you must include the
docket number identified in the heading of this document.
Note that all comments received, including any personal information
provided, will be posted without change to http://www.regulations.gov.
Please see the ``Privacy Act'' heading below.
You may call the Docket Management Facility at 202-366-9322. For
access to the docket to read background documents or comments received,
go to http://www.regulations.gov or the street address listed above. To
be sure someone is there to help you, please call (202) 366-9322 before
coming. We will continue to file relevant information in the Docket as
it becomes available.
Privacy Act: In accordance with 5 U.S.C. 553(c), DOT solicits
comments from the public to inform its decision-making process. DOT
posts these comments, without edit, including any personal information
the commenter provides, to http://www.regulations.gov, as described in
the system of records notice (DOT/ALL-14 FDMS), which can be reviewed
at https://www.transportation.gov/privacy. Anyone can search the
electronic form of all comments received into any of our dockets by the
name of the individual submitting the comment (or signing the comment,
if submitted on behalf of an association, business, labor union, etc.).
FOR FURTHER INFORMATION CONTACT: For technical issues, please contact
Mr. Robert Kreeb of NHTSA's Office of Vehicle Safety Research at
202-366-0587 or [email protected]. For legal issues, contact Ms. Sara R.
Bennett of NHTSA's Office of Chief Counsel at 202-366-2992 or
[email protected].
SUPPLEMENTARY INFORMATION: The evolution of automotive technology has
included an increasingly expanded use of electronic systems, software,
and wireless connectivity. While this development began in the late
1970s, the pace of technological evolution has increased significantly
over the past
decade. Automotive technology has developed to such an extent that
today's vehicles are some of the most complex computerized products
available to consumers. Enhanced wireless connectivity and continued
innovations in electronic control systems introduce substantial
benefits to highway transportation safety, mobility, and efficiency.
However, with the proliferation of computer-based control systems,
software, connectivity, and onboard digital data communication
networks, the design of modern vehicles needs to consider additional
failure modes, vulnerabilities, and threats that could jeopardize these
benefits if the new safety risks are not appropriately addressed.
Connectivity and safety technologies that can intervene to assist
drivers with control of their vehicles (e.g., automatic emergency
braking) could also increase cybersecurity risks, and without proactive
measures taken across the vehicle lifecycle, risks could result in
negative safety outcomes. As such, motor vehicle cybersecurity remains
a top priority for NHTSA. NHTSA is engaged in research and industry
outreach efforts to support enhanced reliability and resiliency of
vehicle electronics, software, and related vehicle control systems, not
only to mitigate safety risks associated with failure or potential
cyber compromise of such systems, but also to ensure that affected
parties take appropriate actions and such concerns do not pose public
acceptance barriers for proven safety technologies.
NHTSA's work in this area seeks to support the automotive
industry's continued improvements to motor vehicle cybersecurity
reliability and resiliency. The Agency also expends resources in
understanding and promoting contemporary methods in software
development, testing practices, and requirements management as they
pertain to robust management of underlying safety hazards and risks
across the vehicle life-cycle. These activities include close
collaboration with industry to promote a strong risk management culture
and associated organizational and systems engineering processes.
Background
In October 2016, NHTSA issued its first best practices document
focusing on the cybersecurity of motor vehicles and motor vehicle
equipment.\1\ Cybersecurity Best Practices for Modern Vehicles (``2016
Best Practices'') was the culmination of years of extensive engagement
with public and private stakeholders and NHTSA research on vehicle
cybersecurity and methods of enhancing vehicle cybersecurity industry-
wide. As explained in the accompanying Federal Register document,
NHTSA's 2016 Best Practices was released with the goal of supporting
industry-led efforts to improve the industry's cybersecurity posture
and provide the Agency's views on how the automotive industry could
develop and apply sound risk-based cybersecurity management processes
during the vehicle's entire lifecycle.
---------------------------------------------------------------------------
\1\ Cybersecurity Best Practices for Modern Vehicles, announced
via the Federal Register, 81 FR 75190 (Oct. 28, 2016).
---------------------------------------------------------------------------
The 2016 Best Practices leveraged existing automotive domain
research as well as non-automotive and IT-focused standards such as the
National Institute of Standards and Technology (NIST) Cybersecurity
Framework and the Center for Internet Security's Critical Security
Controls framework. NHTSA considered these sources to be reasonably
applicable and appropriate to augment the limited industry-specific
guidance that was available at the time. At publication, NHTSA noted
that the 2016 Best Practices were intended to be updated with new
information, research, and other cybersecurity best practices related
to the automotive industry. NHTSA invited comments from stakeholders
and interested parties in response to the document.
Below is a high-level summary of comments received and how NHTSA
integrated those comments into the 2020 draft Cybersecurity Best
Practices for the Safety of Modern Vehicles.
Summary of Public Comments Received in Response to NHTSA's 2016 Best
Practices
NHTSA received comments from government agencies, regulated
entities, trade associations, advocacy groups and organizations, and
individuals.\2\ Key topic areas, and how such comments are reflected in
NHTSA's revised 2020 Cybersecurity Best Practices for the Safety of
Modern Vehicles are listed below.
---------------------------------------------------------------------------
\2\ Comments on the 2016 Cybersecurity Best Practices for Modern
Vehicles can be found at https://beta.regulations.gov/document/NHTSA-2016-0104-0001/comment.
---------------------------------------------------------------------------
Guidance vs. Rules. Many commenters noted that
cybersecurity is a constantly evolving discipline and that best
practices may need frequent updating, and most commenters suggested
that NHTSA's cyber best practices should remain non-binding and
voluntary. NHTSA agrees with these commenters, and adoption of any of
the provisions listed in the 2020 Cybersecurity Best Practices for the
Safety of Modern Vehicles remains voluntary.
NHTSA's cyber best practices should be aligned with
industry initiatives. Commenters noted that industry initiatives were
under development at the time of the 2016 Best Practices publication.
NHTSA believes that the specific best practices outlined in today's
2020 revision reflect a strong linkage to key industry cybersecurity-
related initiatives and efforts by organizations such as SAE
International (SAE), the International Organization for Standardization
(ISO), NIST, and the Automotive Information Sharing and Analysis Center
(Auto-ISAC)--and are, in general, consistent with guidelines,
standards, and best practices developed by these organizations.
Focus on Safety. Several commenters noted that NHTSA's
best practices should focus squarely on safety aspects of
cybersecurity. NHTSA agrees. The best practices presented in this
revision are tailored to focus on cybersecurity issues that impact the
safety of motor vehicles throughout the lifecycle of design, operation,
maintenance and disposal. This emphasis is reflected throughout the
document, including with a title change: Cybersecurity Best Practices
for the Safety of Modern Vehicles.
Consideration of cybersecurity as part of software
development process. Multiple commenters recommended greater and more
formal consideration of cybersecurity as part of the software
development lifecycle process. NHTSA's revised best practice outlined
today reflects a need to include cybersecurity considerations along the
entire software supply chain and throughout the lifecycle management
processes of developing, implementing and updating software-enabled
systems.
Additional cybersecurity terminology, definitions.
Commenters noted that the document would benefit from providing
expanded definitions for certain terms to add precision and clarity to
the recommended best practices. NHTSA has provided several additional
definitions for key terms used throughout the document.
The comments received, combined with continued research, outreach
to stakeholders, learnings from motor vehicle cybersecurity issues
discovered by researchers, and related industry activities over the
past four years have served as the foundation for the 2020 update. A
description of other important information that guided the changes
included in the 2020 Cybersecurity Best Practices for the Safety of
Modern
Vehicles is included in the following section.
2020 Update of Cybersecurity Best Practices
NHTSA is docketing a draft update to the agency's 2016 Best
Practices,\3\ titled Cybersecurity Best Practices for the Safety of
Modern Vehicles (2020 Best Practices) for public comments. This update
builds upon agency research and industry progress since 2016, including
emerging voluntary industry standards, such as the ISO/SAE Draft
International Standard (DIS) 21434, ``Road Vehicles--Cybersecurity
Engineering.'' \4\ In addition, the draft update references a series of
industry best practice guides developed by the Auto-ISAC through its
members.\5\
---------------------------------------------------------------------------
\3\ The 2016 guidance is titled Cybersecurity Best Practices for
Modern Vehicles and is available at: https://www.federalregister.gov/documents/2016/10/28/2016-26045/request-for-comment-on-cybersecurity-best-practices-for-modern-vehicles. The
2020 update has a modified title that emphasizes the document's
focus on, and NHTSA's commitment to, cybersecurity as an aspect of
safety in motor vehicles and motor vehicle equipment.
\4\ ISO/SAE 21434:2020 Road Vehicles--Cybersecurity Engineering,
available at: https://www.iso.org/standard/70918.html.
\5\ See https://automotiveisac.com/best-practices/.
---------------------------------------------------------------------------
The 2020 Best Practices also reflect findings from NHTSA's
continued research in motor vehicle cybersecurity, including over-the-
air updates, encryption methods, and building our capability in
cybersecurity penetration testing and diagnostics, and the new
learnings obtained through researcher and stakeholder engagement.
Finally, the updates included in the 2020 Best Practices incorporate
insights gained from public comments received in response to the 2016
guidance and from information obtained during the annual SAE/NHTSA
Vehicle Cybersecurity Workshops.
As with the 2016 Best Practices, NHTSA's updated draft,
Cybersecurity Best Practices for the Safety of Modern Vehicles, is
intended to serve as a resource for the industry as a whole and covers
safety-related cybersecurity issues for all motor vehicles and motor
vehicle equipment. As such, it is applicable to all individuals and
organizations involved in the design, manufacture, and assembly of a
motor vehicle and its electronic systems and software. These entities
include, but are not limited to, small and large volume motor vehicle
and motor vehicle equipment designers, suppliers, manufacturers, and
modifiers. What follows is a listing of each new best practice, and an
explanation of why NHTSA believes the inclusion is necessary in this
update.
[G.6] Manufacturers should consider the risks associated
with sensor vulnerabilities and potential sensor signal manipulation
efforts such as GPS spoofing,\6\ road sign modification,\7\ Lidar/Radar
jamming and spoofing,\8\ camera blinding,\9\ or excitation of machine
learning false positives.\10\
---------------------------------------------------------------------------
\6\ DefCon 23--Lin Huang and Qing Yang--Low cost GPS Simulator:
GPS Spoofing by SDR (2015). Video of the talk available at: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20video/.
\7\ McAfee Labs, Model Hacking ADAS to Pave Safer Roads for
Autonomous Vehicles (2020), available at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/model-hacking-adas-to-pave-safer-roads-for-autonomous-vehicles/.
\8\ Mark Harris, IEEE Spectrum Sept 4, 2015, Researcher Hacks
Self-driving Car Sensors.
\9\ Petit, J. et al., ``Remote Attacks on Automated Vehicles
Sensors: Experiments on Camera and LiDAR'' (2015), available at:
https://www.blackhat.com/docs/eu-15/materials/eu-15-Petit-Self-Driving-And-Connected-Cars-Fooling-Sensors-And-Tracking-Drivers-wp1.pdf.
\10\ Tencent Keen Security Lab, Experimental Security Research
of Tesla Autopilot 2019, available at: https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdf.
---------------------------------------------------------------------------
This best practice recommends that industry consider ``sensor
vulnerabilities'' as part of their risk assessment (examples: GPS
spoofing, road sign modification, Lidar/Radar jamming and spoofing,
camera blinding, or excitation of machine learning false positives).
NHTSA added it to reflect the new research that shows that technology
behavior could be influenced via sensor spoofing, which differs from
traditional software manipulation-based cyber issues.
[G.7] Any unreasonable risk to safety-critical systems
should be removed or mitigated to acceptable levels through design, and
any functionality that presents an unavoidable and unnecessary risk
should be eliminated where possible.
This best practice recommends ``removal of risk'' to be considered
as part of the development process. NHTSA included this best practice
to align with the National Traffic and Motor Vehicle Safety Act's
prohibition of manufacturers selling motor vehicles and motor vehicle
equipment that may contain unreasonable risks to safety. This is a
common practice element of sound risk-based approaches. The 2016 Best
Practices recommended assessing and appropriately mitigating risks to
acceptable levels. While the 2016 document implicitly covered G.7 for
cases in which risks could not be appropriately mitigated with known
tools for a given architecture, this document makes the best practice
explicit.
[G.9] Clear cybersecurity expectations should be specified
and communicated to the suppliers that support the intended
protections.
Vehicles are produced in a complex supply chain, and cybersecurity
roles and expectations need to be clarified and coordinated among
involved parties to support the cybersecurity goals of the
manufacturers. ISO/SAE 21434 Clause 15 discusses customer-supplier
relationships and provides various recommendations for how to manage
cybersecurity risks among these entities. Such recommendations extend,
among other aspects, to the interactions, dependencies, and
responsibilities between customers and suppliers for cybersecurity
activities.
[G.10] Manufacturers should maintain a database of
operational software components\11\ \12\ used in each
automotive ECU, each assembled vehicle, and a history log of version
updates applied over the vehicle's lifetime; and [G.11] Manufacturers
should track sufficient details related to software
components,\13\ such that when a new vulnerability is identified in an
open source or off-the-shelf software component,\14\ manufacturers can
quickly identify what ECUs and specific vehicles would be affected by it.
---------------------------------------------------------------------------
\11\ This is also referred to as a software bill of materials
(SBOM), which is a list of components in a piece of software,
including assembled open source and commercial software components.
\12\ Multistakeholder Process on Promoting Software Component
Transparency, 83 FR 110 (June 4, 2018).
\13\ These details could include: The licenses that govern those
components, the versions of the components used in the codebase, and
their patch status.
\14\ A good example is the Heartbleed vulnerability in the Transport
Layer Security (TLS) implementation of OpenSSL 1.0.1 before 1.0.1g:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160.
---------------------------------------------------------------------------
Through engagement in organized exercises, such as CyberStorm,\15\
the Agency recognized that the ability to identify whether an issue
with one component would affect a single or multiple makes and models
is critically important to determine the potential scope of risk.
Further, being able to recognize which software version is installed on
individual vehicles or items of equipment and differentiate between
versions is critical to respond to incidents quickly. The Food and Drug
Administration and National Telecommunications and Information
Administration developed detailed guidance around the same concept, and
NHTSA believes such guidance to be of value to the automotive industry.
---------------------------------------------------------------------------
\15\ https://www.cisa.gov/cyber-storm-securing-cyber-space.
---------------------------------------------------------------------------
[G.12] Manufacturers should evaluate all commercial off-
the-shelf and open-source software components used in vehicle ECUs
against known vulnerabilities.\16\ \17\
---------------------------------------------------------------------------
\16\ MITRE Common Vulnerabilities and Exposures (CVE) may be
found at: https://cve.mitre.org/.
\17\ NIST's National Vulnerability Database may be found at:
https://nvd.nist.gov/.
---------------------------------------------------------------------------
This best practice highlights the importance of making informed
decisions about using open source and off-the-shelf software with
respect to documented vulnerabilities. This is a common practice in
other domains. NIST established a national database to facilitate such
action.\18\
---------------------------------------------------------------------------
\18\ See https://nvd.nist.gov/.
---------------------------------------------------------------------------
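The lookup that G.10, G.11 and G.12 describe, as an added example that is not part of NHTSA's notice or of any manufacturer's tooling: a per-vehicle version history log is reduced to the currently installed state of every ECU and matched against an advisory covering the range the notice cites in footnote 14 (OpenSSL 1.0.1 before 1.0.1g, Heartbleed). The VINs, ECU part ids, dates and the advisory record layout are constructed for the example; the version comparison handles the letter-suffixed OpenSSL numbering so that 1.0.1g is recognised as fixed while 1.0.1e is not.

```python
import re
from collections import defaultdict

# Constructed advisory record for the vulnerability the notice cites in
# footnote 14 (Heartbleed, CVE-2014-0160): OpenSSL 1.0.1 up to but not
# including 1.0.1g is affected. The record layout is this example's own
# assumption, not a format NHTSA or any manufacturer prescribes.
ADVISORY = {"component": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"}

# Constructed version history log in the spirit of G.10: one row per
# component version applied to an ECU in a given vehicle, whether at
# assembly or by a later update. Row layout: (VIN, ECU part id, component,
# version, ISO date applied). All identifiers and dates are invented.
UPDATE_LOG = [
    ("VIN0001", "TCU-A", "openssl", "1.0.1e", "2013-11-02"),
    ("VIN0001", "TCU-A", "zlib", "1.2.8", "2013-11-02"),
    ("VIN0002", "TCU-A", "openssl", "1.0.1e", "2013-11-15"),
    ("VIN0002", "TCU-A", "openssl", "1.0.1g", "2014-04-20"),  # re-flashed after the fix
    ("VIN0003", "TCU-B", "openssl", "1.0.1", "2014-01-08"),
    ("VIN0004", "IVI-3", "openssl", "1.0.2", "2015-02-10"),
    ("VIN0004", "BCM-1", "freertos", "9.0.0", "2015-02-10"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(text):
    """Turn an OpenSSL-style version string such as '1.0.1g' into a tuple
    that compares correctly: numeric fields as integers (padded to four so
    '1.0' and '1.0.1' stay comparable) followed by the letter suffix, where
    no suffix sorts before 'a'. Hence 1.0.1 < 1.0.1a < 1.0.1g < 1.0.2."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    if len(numbers) > 4:
        raise ValueError(f"too many numeric fields: {text!r}")
    return numbers + (0,) * (4 - len(numbers)) + (match.group(2),)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed; the fixed release is clean."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def current_state(log):
    """Reduce the history log to what is installed now: for each
    (VIN, ECU, component) keep the most recently applied version."""
    state = {}
    for vin, ecu, component, version, _applied in sorted(log, key=lambda row: row[4]):
        state[(vin, ecu, component)] = version  # later dates overwrite earlier ones
    return state


def affected_vehicles(log, advisory):
    """Map each affected VIN to the (ECU, component, version) triples whose
    currently installed version lies in the advisory's vulnerable range."""
    hits = defaultdict(list)
    for (vin, ecu, component), version in current_state(log).items():
        if component == advisory["component"] and version_in_range(
            version, advisory["introduced"], advisory["fixed"]
        ):
            hits[vin].append((ecu, component, version))
    return dict(hits)


def affected_ecus(log, advisory):
    """ECU part ids carrying a vulnerable version in at least one vehicle,
    which is the scope question an incident team needs answered first."""
    return {ecu for triples in affected_vehicles(log, advisory).values() for ecu, _, _ in triples}


if __name__ == "__main__":
    for vin, triples in sorted(affected_vehicles(UPDATE_LOG, ADVISORY).items()):
        print(vin, triples)
    print("ECU types needing a fix:", sorted(affected_ecus(UPDATE_LOG, ADVISORY)))
```

Keeping the history log rather than only a snapshot is what lets VIN0002 drop out of the affected set: its later 1.0.1g entry supersedes the vulnerable build, which is the distinction G.11 asks manufacturers to be able to make quickly.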
[G.22] Best practices for secure software development
should be followed, for example as outlined in NIST 8151\19\
and ISO/SAE 21434.\20\
---------------------------------------------------------------------------
\19\ Black P., Badger M., Guttman B., Fong E., NISTIR 8151
Dramatically Reducing Software Vulnerabilities: Report to the White
House Office of Science and Technology Policy.
\20\ ISO/SAE 21434 clause 10 discusses software development
practices.
---------------------------------------------------------------------------
This best practice provides further detailed resources for
companies to consider for implementation, as appropriate. Comments
received on the 2016 Cybersecurity Best Practices requested that NHTSA
incorporate current industry guidance and standards.\21\ Pointing to
such resources is helpful for all companies, but particularly for
companies with less mature cybersecurity programs.
---------------------------------------------------------------------------
\21\ See public comments in response to the 2016 Best Practices,
such as NHTSA-2016-0104-0969, and NHTSA-2016-0104-0998.
---------------------------------------------------------------------------
[G.23] Manufacturers should actively participate in
automotive industry-specific best practices and standards development
activities through Auto-ISAC and other recognized standards development
organizations.
Industry standards, such as ISO/SAE 21434, are more broadly adopted
when entities actively participate in their establishment and ensure
their unique needs are considered and addressed. NHTSA's encouragement
of industry involvement in standards development organizations is long
standing.
[G.30] Commensurate to assessed risks, organizations
should have a plan for addressing newly identified vulnerabilities on
consumer-owned vehicles in the field, inventories of vehicles built but
not yet distributed to dealers, vehicles delivered to dealerships but
not yet sold to consumers, as well as future products and vehicles.
During a validated incident, the ability to address the issue for
the impacted population could vary for vehicles in different stages of
distribution. A plan that considers these stages can facilitate a more
effective organizational response. This addition also reflects Clause 7
of the ISO/SAE 21434 standard.
[G.40] Any connection to a third-party device should be
authenticated and provided with appropriate limited access.
During the life-cycle of a vehicle, consumer devices (e.g., mobile
phones, insurance dongles) or repair/maintenance tools may be connected
to the vehicle systems. These devices could enable wireless
connectivity to the vehicle interface and may not have adequate
cyber controls. For example, research on an insurance dongle
inserted into the OBDII port during operation found that it did not
employ techniques, such as digital signing, that would prevent a cyber
attacker from reprogramming its firmware.\22\ A similar issue is described
by Argus Cybersecurity on a connected car service.\23\ Accordingly,
this best practice recommends that vehicle systems should treat such
devices as untrusted and control their access to safety-critical
systems.
---------------------------------------------------------------------------
\22\ See https://jalopnik.com/progressive-insurances-driver-tracking-tool-is-ridicul-1680720690.
\23\ See Argus Cyber Security, ``A remote attack on an
aftermarket telematics service'' (Nov. 7, 2014), available at:
https://argus-sec.com/remote-attack-aftermarket-telematics-service/#:~:text=Zubie%20is%20a%20leading%20connected,II%20port%20of%20your%20car.
---------------------------------------------------------------------------
[T.7] The use of global symmetric keys and ad-hoc
cryptographic techniques for diagnostic access should be minimized.\24\
---------------------------------------------------------------------------
\24\ Hogan G., Flashing ECU Firmware Updates from a Web Browser,
Talk at DefCon 27: Car Hacking Village, Las Vegas. Video of the talk
may be found at: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20villages/. Mr. Hogan describes reverse engineering
enciphered firmware updates.
---------------------------------------------------------------------------
This best practice discourages the use of global symmetric keys or
unproven cryptographic techniques, which can result in a false sense of
security for manufacturers and the consumer. This addition is also
responsive to a comment from a diagnostic tool manufacturer to the 2016
Best Practices. Further, research shows the ineffectiveness of global
symmetric keys for diagnostic access (see footnote in T.7).
[T.8] Vehicle and diagnostic tool manufacturers should
control tools' access to vehicle systems that can perform diagnostic
operations and reprogramming by providing for appropriate
authentication and access control.\25\
---------------------------------------------------------------------------
\25\ ISO/SAE 21434 requirement [RQ-05-15] states that ``Tools
that can impact the cybersecurity of an item, system or component
shall be managed.''
---------------------------------------------------------------------------
This best practice responds to research demonstrating the ability
to leverage diagnostic tools to reverse engineer and implement
vulnerabilities in vehicle systems.
[T.12] Such logs that can be aggregated across vehicles
should be periodically reviewed to assess potential trends of cyber-
attacks.
Information aggregated across multiple vehicles in a manufacturer's
fleet can highlight trends and help a manufacturer recognize a
cybersecurity attack more quickly, and potentially prior to a
successful breach, than focusing on only a single vehicle or
compartmentalized information. This approach is common in the
enterprise information technology domain,\26\ and applies to the
automotive realm. T.12 purposefully limits the recommendation to logs
that can be aggregated.
---------------------------------------------------------------------------
\26\ See Chapter 4: Network based intrusion detection and
protection systems in NIST 800-94, available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf.
---------------------------------------------------------------------------
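The contrast T.12 draws between reviewing a single vehicle's logs and reviewing logs aggregated across the fleet, as an added example that is not part of NHTSA's notice or of any vendor's product: the same constructed stream of diagnostic-authentication failures never reaches a per-vehicle alert threshold, but once the records are pooled across VINs and examined in a short time window, the simultaneous failures on many vehicles stand out as a trend. The event names, thresholds and window length are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed, anonymised telematics event records as a manufacturer's
# backend might aggregate them from many vehicles (T.12 only concerns logs
# that can be aggregated). Row layout: (VIN, UTC timestamp, ECU, event type).
# All values are invented for this example.
EVENTS = [
    ("VIN0001", "2020-10-03T08:02:00", "TCU", "diag_auth_failure"),
    ("VIN0001", "2020-10-03T08:02:30", "TCU", "diag_auth_failure"),
    ("VIN0002", "2020-10-03T08:05:00", "TCU", "diag_auth_failure"),
    ("VIN0003", "2020-10-03T08:09:00", "TCU", "diag_auth_failure"),
    ("VIN0004", "2020-10-03T08:11:00", "TCU", "diag_auth_failure"),
    ("VIN0005", "2020-10-03T08:14:00", "TCU", "diag_auth_failure"),
    ("VIN0006", "2020-10-01T12:00:00", "TCU", "diag_auth_failure"),  # isolated, two days earlier
    ("VIN0007", "2020-10-03T08:20:00", "BCM", "dtc_cleared"),
]


def per_vehicle_counts(events, event_type):
    """How many times each vehicle logged the given event type."""
    return Counter(vin for vin, _ts, _ecu, kind in events if kind == event_type)


def single_vehicle_alerts(events, event_type, threshold):
    """The per-vehicle view: VINs whose own count reaches the threshold.
    A couple of failures on one car usually looks like a flaky tool."""
    return {vin for vin, n in per_vehicle_counts(events, event_type).items() if n >= threshold}


def fleet_trend(events, event_type, window_minutes, min_vehicles):
    """The aggregated view: slide a time window over the fleet-wide stream
    and return the window in which the most distinct vehicles logged the
    event, provided at least min_vehicles did. Returns None otherwise."""
    rows = sorted((datetime.fromisoformat(ts), vin)
                  for vin, ts, _ecu, kind in events if kind == event_type)
    window = timedelta(minutes=window_minutes)
    best = None
    for i, (start, _vin) in enumerate(rows):
        # rows are time-ordered, so everything in the window follows index i
        vehicles = {vin for t, vin in rows[i:] if t < start + window}
        if len(vehicles) >= min_vehicles and (best is None or len(vehicles) > len(best["vehicles"])):
            best = {"start": start.isoformat(), "end": (start + window).isoformat(),
                    "vehicles": sorted(vehicles)}
    return best


if __name__ == "__main__":
    print("single-vehicle alerts:", single_vehicle_alerts(EVENTS, "diag_auth_failure", 3))
    print("fleet trend:", fleet_trend(EVENTS, "diag_auth_failure", 15, 3))
```

The distinct-vehicle count is the signal worth watching: repeated failures on one VIN are noise, but the same failure on five different VINs inside fifteen minutes is the kind of pattern a manufacturer can act on before any single vehicle is successfully compromised.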
[T.13] Manufacturers should treat all networks and systems
external to a vehicle's wireless interfaces as untrusted and use
appropriate techniques to mitigate potential threats.
This is a common approach taken by the stakeholder community and
NHTSA. Various forms of ``man-in-the-middle'' cyber attacks seen with
wireless interfaces suggest that information outside the wireless
interfaces of vehicles should not be trusted until appropriately
authenticated for intended uses. NHTSA added this best practice to
reflect learnings from demonstrated man-in-the-middle attacks.
[T.22] Maintain the integrity of OTA updates, update
servers, the transmission mechanism and the updating process in
general.\27\ \28\
---------------------------------------------------------------------------
\27\ Bar R., Hacking into Automotive Clouds, talk at DefCon 27
Car Hacking Village, Las Vegas 2019. Video of the talk: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20villages/.
\28\ Rogers M., Mahaffey K., How to Hack a Tesla Model S, talk
at DefCon 23, Las Vegas 2015. Video of the talk: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20video/.
---------------------------------------------------------------------------
OTA updates are updates to vehicle or equipment software that are
pushed remotely to the vehicle. The OTA update process should not
introduce cybersecurity vulnerabilities in the process, through either
the update itself or through the updating process. NHTSA added this
best practice to reflect learnings discussed in the
Agency's Cybersecurity of Firmware Updates research report.\29\
---------------------------------------------------------------------------
\29\ https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/cybersecurity_of_firmware_updates_oct2020.pdf
---------------------------------------------------------------------------
[T.23] Take into account, when designing security
measures, the risks associated with compromised servers, insider
threats, men-in-the-middle attacks, and protocol vulnerabilities.
This best practice provides more granular recommendations with
respect to risk considerations in T.22. As with T.22, NHTSA added this
to reflect learnings discussed in the Agency's Cybersecurity of
Firmware Updates research report.\30\
---------------------------------------------------------------------------
\30\ https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/cybersecurity_of_firmware_updates_oct2020.pdf
---------------------------------------------------------------------------
Public Comment
NHTSA is seeking public comments on the 2020 Best Practices and
additional ways to improve its usefulness to stakeholders. The updated
draft document is structured around five key areas: (1) General
Cybersecurity Best Practices, (2) Education, (3) Aftermarket/User Owned
Devices, (4) Serviceability, and (5) Technical Vehicle Cybersecurity
Best Practices, and NHTSA seeks comments on all areas.
NHTSA will further update and refine this draft document over time,
based on public comments received, the experience of NHTSA,
manufacturers, suppliers, consumers, and others, as well as from
further research findings and technological innovations. The updated
draft document is available in PDF format under Docket No.
NHTSA-2020-0087.
Economic Analysis for Cybersecurity Best Practices for the Safety of
Modern Vehicles
NHTSA is seeking comment on its Cybersecurity Best Practices for
the Safety of Modern Vehicles (2020 Best Practices), which is non-
binding (i.e., voluntary) guidance provided to serve as a resource for
industry on safety-related cybersecurity issues for motor vehicles and
motor vehicle equipment. As guidance, the document touches on a wide
array of issues related to safety-related cybersecurity practices, and
provides recommendations to industry on the following topics: (1)
General Cybersecurity Best Practices, (2) Education, (3) Aftermarket/
User Owned Devices, (4) Serviceability, and (5) Technical Vehicle
Cybersecurity Best Practices.
NHTSA has made a good faith effort to assess the potential costs
that companies in the automotive industry might bear if these companies
decide to integrate the recommendations in the 2020 Best Practices into
their business practices. The following is a summary of the
considerations that NHTSA evaluated for purposes of this section.
First, although, as guidance, the 2020 Best Practices is voluntary,
NHTSA expects that many entities will conform their practices to the
recommendations endorsed by NHTSA. NHTSA believes that the
Cybersecurity Best Practices for the Safety of Modern Vehicles serves as
a means of facilitating common understanding across industry regarding
best practices for cybersecurity.
Second, the diversity among the entities to which the 2020 Best
Practices apply is vast. The recommendations found in Cybersecurity
Best Practices for the Safety of Modern Vehicles are necessarily
general and flexible enough to be applied to any industry entity,
regardless of size or staffing. The recommendations contained within
the best practices are intended to be applicable to all individuals and
organizations involved in the design, manufacture, and assembly of a
motor vehicle and its electronic systems and software. These entities
include, but are not limited to, small and large volume motor vehicle
and motor vehicle equipment designers, suppliers, manufacturers, and
modifiers. NHTSA recognizes that there is much organizational diversity
among the intended audience, resulting in a variety of approaches,
organizational sizes, and staffing needs. NHTSA also expects that these
entities have varying levels of organizational maturity related to
cybersecurity, and varying levels of potential cybersecurity risks.
These expectations, combined with NHTSA's lack of detailed knowledge of
the organizational maturity and implementation of any recommendations
contained within the guidance, make it difficult for NHTSA to develop a
reasonable quantification of the per-organization cost of implementing
the recommendations.
Third, any costs associated with applying the 2020 Best Practices
would be limited to the incremental cost of applying the new
recommendations included in the document (as opposed to those in the
2016 Best Practices). The updated Cybersecurity Best Practices for the
Safety of Modern Vehicles document highlights a total of 65 enumerated
best practices, 16 of which could be considered ``new'' relative to the
first version published in 2016.
Fourth, costs could be limited by organizations who have
implemented some of the recommendations prior to this request for
comment. NHTSA is unaware of the extent to which various entities have
already implemented NHTSA's recommendations, and determining the
incremental costs associated with full implementation of the
recommendations is effectively impossible without detailed insight into
the organizational processes of every company.
Fifth, many of NHTSA's recommendations lean very heavily on
industry standards, such as Draft International Standard SAE/ISO 21434.
Three of the 16 ``new'' best practices simply reference the SAE/ISO
21434 industry standard. Since many aspects of NHTSA's recommendations
are mapped to an industry standard, costs would also be limited for
those companies who are adopting SAE/ISO 21434 already. Thus, it would
be impossible to parse whether a company implemented SAE/ISO 21434 or
whether it had decided to adopt NHTSA's voluntary recommendations.
While the 2020 Best Practices have some recommendations \31\ that
cannot be mapped to an industry standards document at this time, most
of those recommendations involve common vehicle engineering and sound
business management practices, such as risk assessment and supply-chain
management. For these recommendations, NHTSA's inclusion in the 2020
Cyber Best Practices serves as a reminder.
---------------------------------------------------------------------------
\31\ For example, G.6 in Section 4.2.3 recommends consideration
of sensor vulnerabilities as part of risk assessment; and G.9 and
G.10 in Section 4.2.6 recommend tracking software components on
vehicles in a manner similar to hardware components.
---------------------------------------------------------------------------
Regarding benefits, entities that do not implement appropriate
cybersecurity measures, like those guided by these recommendations, or
other sound controls, face a higher risk of cyberattack or increased
exposure in the event of a cyberattack, potentially leading to safety
concerns for the public.
Implementation of the best practices can, therefore, facilitate
``cost prevention'' in the sense that failure to adopt appropriate
cybersecurity practices could result in other direct or indirect costs
to companies (i.e., personal injury, vehicle damage, warranty, recall,
or voluntary repair/updates). A quantitative analysis would require
present value estimation of future benefits, or a comparison of two
similar sample groups, one of which is implementing the recommendations
and the other is not. This comparison would illustrate the differences
in groups in a way that would allow the benefits attributable to
implementation of the
best practices to be calculated. However, neither is possible at this
time.
The best practices outlined in this document help organizations
measure their residual risks better, particularly the safety risks
associated with potential cybersecurity issues in motor vehicles and
motor vehicle equipment that they design and manufacture. Further, they
provide a toolset of techniques that organizations can utilize
commensurate to their measured risks, and take appropriate actions to
reduce or eliminate them, and in doing so lower the future liabilities
these risks represent in terms of safety risks to the public and
business costs associated with addressing them.
In addition, quantitatively positive externalities have been shown
to stem from vehicle safety and security measures (Ayres & Levitt,
1998). The high marginal cost of cybersecurity failures (crashes)
extends to third parties. Widely accepted adoption of sound
cybersecurity practices limits these potential costs and lessens
incentives for attempts at market disruption (i.e., signal
manipulation, GPS spoofing, or reverse engineering).
How do I prepare and submit comments?
Your comments must be written and in English. To ensure that your
comments are filed correctly in the docket, please include the docket
number of this document in your comments. Your comments must not be
more than 15 pages long (49 CFR 553.21). NHTSA established this limit
to encourage you to write your primary comments in a concise fashion.
However, you may attach necessary additional documents to your
comments. There is no limit on the length of the attachments. Please
submit one copy (two copies if submitting by mail or hand delivery) of
your comments, including the attachments, to the docket following the
instructions given above under ADDRESSES. Please note, if you submit
comments electronically as a PDF (Adobe) file, NHTSA asks that the
documents submitted be scanned using an Optical Character Recognition
(OCR) process, thus allowing the Agency to search and copy certain
portions of your submissions.
How do I submit confidential business information?
If you wish to submit any information under a claim of
confidentiality, you should submit three copies of your complete
submission, including the information you claim to be confidential
business information, to the Office of the Chief Counsel, NHTSA, at the
address given above under FOR FURTHER INFORMATION CONTACT. In addition,
you may submit a copy (two copies if submitting by mail or hand
delivery), from which you have deleted the claimed confidential
business information, to the docket by one of the methods given above
under ADDRESSES. When you send a comment containing information claimed
to be confidential business information, you should include a cover
letter setting forth the information specified in NHTSA's confidential
business information regulation (49 CFR part 512).
Will the Agency consider late comments?
NHTSA will consider all comments received before the close of
business on the comment closing date indicated above under DATES. To
the extent possible, the Agency will also consider comments received
after that date. Given that we intend for the guidance document to be a
living document and to be developed in an iterative fashion, subsequent
opportunities to comment will necessarily also be provided.
How can I read the comments submitted by other people?
You may read the comments received at the address given above under
Comments. The hours of the docket are indicated above in the same
location. You may also see the comments on the internet, identified by
the docket number at the heading of this document, at http://www.regulations.gov.
Issued in Washington, DC, under authority delegated in 49 CFR
1.95 and 501.8.
Cem Hatipoglu,
Associate Administrator for Vehicle Safety Research.
[FR Doc. 2021-00390 Filed 1-11-21; 8:45 am]
BILLING CODE 4910-59-P