The National Highway Traffic Safety Administration released the latest update to its cybersecurity guidelines on Wednesday. This is the first time in five years that NHTSA has revisited its cybersecurity best practices, after having updated the rules in 2016.
The latest NHTSA update isn’t so much a collection of immutable cybersecurity laws as an attempt to establish a baseline of what the U.S. agency thinks carmakers should implement. It’s just a broad overview of how carmakers can safeguard against hackers, data breaches, or worse. You can read the NHTSA document here.
The update makes recommendations about ECU security, wireless network security, external data ports, OTA updates, stricter access to firmware — which NHTSA says should be harder to modify — and even goes over how to make third-party devices (such as Bluetooth dongles that plug into OBDII ports) safer.
NHTSA says this latest update comes after years of research and ongoing studies from specialized cybersecurity groups like the Automotive Information Sharing and Analysis Center. The Auto-ISAC counts major automakers and suppliers as members: Toyota, Volkswagen, Volvo, Mazda, Magna, ZF and Bosch just to name a few.
NHTSA and Auto-ISAC collaborated with carmakers and suppliers, then took this input and any public comments to come up with the latest guide. Again, these are non-binding guidelines, and carmakers are free to ignore them. But it’s still a good thing that NHTSA updates the list every few years.
Five years is basically a lifetime in the tech sector, and these last few years have been eventful as far as the auto industry goes. More and more automakers are vying for ways to turn cars into rolling computers — for better or worse.
Even though cars have relied on computer systems and comparable electronics for decades, modern cars have sophisticated hardware and software that looks like it’s at the cutting edge of technology, until it isn’t.
Hackers are breaking into Hondas and Teslas; USB cables are rendering Kias and Hyundais helpless against theft; and state agencies can pull data from cars too easily. I mean, I get it. Drivers want convenience and a familiar interface. But if carmakers insist on blurring the line between cars and computers, at the very least, they need to pay attention to the backdoors that they’re leaving open.