It has been five years since the US agency NHTSA last released guidelines for cyber security in vehicles. Now comes an update. These are recommendations only, with no requirements.
“Merely physically hiding connectors or pins used for debug access should not be considered a sufficient form of protection”.
That’s one of the tips in a newly published guide from the American traffic safety agency NHTSA.
All communication interfaces to the car are potential entry points for cyber attacks. New examples of this appear at regular intervals.
A month ago, for example, an attack via USB was reported on Kia and Hyundai cars, essentially the equivalent of the classic trick of driving a screwdriver into the ignition lock. The false sense of security came from the USB port being hidden in the steering wheel behind a cover, which seems to run contrary to NHTSA’s advice above.
Personal safety is a well-established field with plenty of demands placed on manufacturers. Not so for the newer field of cyber security. One novelty of the new NHTSA guide, however, is that some design standards for vehicle cybersecurity, such as ISO/SAE 21434, have actually emerged since the previous version, and NHTSA’s new guidelines address them.
NHTSA’s tips are about protecting the vehicle from data breaches via everything from OBD-II to Wi-Fi. Today’s cars are “computers on wheels”, it is said, and the tips closely resemble those in any computer security guide for IT systems or embedded systems.
The advice is kept at a general checklist level. There is no specific advice about Wi-Fi, for example, only general advice such as that unused TCP/IP ports should be closed and that those in use should be encrypted.
Connections should be authenticated, backdoors should be closed after development is complete, and any ports open for debugging or diagnostics should not offer general access, but only a carefully considered selection of useful features. The encryption used must be up to date.
As for the software, the system architecture should aim to isolate its parts from one another, especially the safety-critical systems.
The guidelines are largely based on the car manufacturers’ own research and experiences, for example in the organization Auto-ISAC where we find Volvo as a member together with other car manufacturers such as Toyota, Volkswagen, and Mazda, and component suppliers such as ZF and Bosch.