NHTSA Tells US Automakers Must Make Cyber Security Top Prority
Washington DC October 26, 2016; Today The U.S. National Highway Traffic Safety Administration issued cybersecurity guidelines today telling automakers they need yo make shielding electronic and computer systems in vehicles from hackers a top priority.
Creighton Magid is a partner at the international law firm Dorsey & Whitney and head of its Washington DC office. He's also the co-Chair of the firm-wide Products Liability practice. Magid works with clients to reduce their liability risks and to help them navigate the federal regulatory system, particularly in connection with the U.S. Consumer Product Safety Commission. He's been following this issue today closely and says:
NHTSAâ€™s â€œCybersecurity Best Practices for Modern Vehiclesâ€??? guidance document, while general in its guidance, makes the point that automobile manufacturers have to take cybersecurity very seriously, and have to make cybersecurity a top priority in the design, testing, and monitoring of vehicles,â€??? Magid says.
Although NHTSAâ€™s guidance document is non-binding, meaning that it canâ€™t be enforced like a Federal Motor Vehicle Safety Standard, nonetheless establishes an important baseline against which vehicle manufacturers will be measured â€“ particularly by private parties in litigation,â€??? Magid says.
The guidance document is notable as well because it represents the application to manufacturers of consumer goods the cybersecurity best practices developed for critical infrastructure, such as the energy grid and the financial sector,â€??? Magid says.
The key takeaways from NHTSAâ€™s guidance are the importance of making cybersecurity central to vehicle design; performing robust risk assessment and penetration testing; developing a means of identifying and responding to as-yet-unknown attacks; and collaborating closely with others in the automotive industry to share information about cyber vulnerabilities and cybersecurity improvements,â€??? Magid says.
Automakers â€“ like manufacturers of other interconnected (â€œInternet-of-Thingsâ€???) devices â€“ must treat their products as cyber-physical systems, with as much attention given to electronically interconnected systems as to the rest of the vehicle. Cybersecurity must be given the highest possible priority, in both word and deed. Cyber concerns must be treated as central to the design process, and considered as much of a safety consideration as brakes and crash protection. Automakers also need to give serious thought, up front, to responding to post-sale exploitation of cyber-vulnerabilities, including remote downloading of patches and redundancies of vehicle systems that ensure safe operation of the vehicle even in the event of an attack,â€??? Magid says.