Cybersecurity Best Practices for the Safety of Modern Vehicles, 2481-2486 [2021-00390]
Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Notices
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety
Administration
[Docket No. NHTSA–2020–0087]
Cybersecurity Best Practices for the
Safety of Modern Vehicles
AGENCY: National Highway Traffic
Safety Administration (NHTSA),
Department of Transportation (DOT).
ACTION: Request for comments.
SUMMARY: NHTSA invites public
comment on the Agency’s updated draft
cybersecurity best practices document
titled Cybersecurity Best Practices for
the Safety of Modern Vehicles. In 2016,
NHTSA issued its first edition,
Cybersecurity Best Practices for Modern
Vehicles, which described NHTSA’s
nonbinding guidance to the automotive
industry for improving vehicle
cybersecurity. With this document,
NHTSA is docketing and soliciting
public feedback on a draft update based
on the knowledge gained through prior
comments, continued research, motor
vehicle cybersecurity issues discovered
by researchers, and related industry
activities over the past four years. To
emphasize NHTSA’s safety mission,
recommendations in the document
focus on cybersecurity best practices
that have safety implications for motor
vehicles and motor vehicle equipment.
DATES: Written comments are due no
later than March 15, 2021.
ADDRESSES: Comments must refer to the
docket number above and be submitted
by one of the following methods:
• Federal eRulemaking Portal: Go to
https://www.regulations.gov. Follow the
online instructions for submitting
comments.
• Mail: Docket Management Facility,
M–30, U.S. Department of
Transportation, West Building, Ground
Floor, Room W12–140, 1200 New Jersey
Avenue SE, Washington, DC 20590.
• Hand Delivery or Courier: U.S.
Department of Transportation, West
Building, Ground Floor, Room W12–
140, 1200 New Jersey Avenue SE,
Washington, DC, between 9 a.m. and 5
p.m. Eastern time, Monday through
Friday, except Federal holidays. To be
sure someone is there to help you,
please call (202) 366–9322 before
coming.
• Fax: 202–493–2251.
Regardless of how you submit your
comments, you must include the docket
number identified in the heading of this
document.
Note that all comments received,
including any personal information
provided, will be posted without change
to https://www.regulations.gov. Please
see the ‘‘Privacy Act’’ heading below.
You may call the Docket Management
Facility at 202–366–9322. For access to
the docket to read background
documents or comments received, go to
https://www.regulations.gov or the street
address listed above. To be sure
someone is there to help you, please call
(202) 366–9322 before coming. We will
continue to file relevant information in
the Docket as it becomes available.
Privacy Act: In accordance with 5
U.S.C. 553(c), DOT solicits comments
from the public to inform its decisionmaking process. DOT posts these
comments, without edit, including any
personal information the commenter
provides, to https://www.regulations.gov,
as described in the system of records
notice (DOT/ALL–14 FDMS), which can
be reviewed at https://www.transportation.gov/privacy.
Anyone can search the electronic form
of all comments received into any of our
dockets by the name of the individual
submitting the comment (or signing the
comment, if submitted on behalf of an
association, business, labor union, etc.).
FOR FURTHER INFORMATION CONTACT: For
technical issues, please contact Mr.
Robert Kreeb of NHTSA’s Office of
Vehicle Safety Research at 202–366–
0587 or robert.kreeb@dot.gov. For legal
issues, contact Ms. Sara R. Bennett of
NHTSA’s Office of Chief Counsel at
202–366–2992 or sara.bennett@dot.gov.
SUPPLEMENTARY INFORMATION: The
evolution of automotive technology has
included an increasingly expanded use
of electronic systems, software, and
wireless connectivity. While this
development began in the late 1970s,
the pace of technological evolution has
increased significantly over the past
decade. Automotive technology has
developed to such an extent that today’s
vehicles are some of the most complex
computerized products available to
consumers. Enhanced wireless
connectivity and continued innovations
in electronic control systems introduce
substantial benefits to highway
transportation safety, mobility, and
efficiency. However, with the
proliferation of computer-based control
systems, software, connectivity, and
onboard digital data communication
networks, modern vehicles need to
consider additional failure modes,
vulnerabilities, and threats that could
jeopardize benefits if the new safety
risks are not appropriately addressed.
Connectivity and safety technologies
that can intervene to assist drivers with
control of their vehicles (e.g., automatic
emergency braking) could also increase
cybersecurity risks, and without
proactive measures taken across the
vehicle lifecycle, risks could result in
negative safety outcomes. As such,
motor vehicle cybersecurity remains a
top priority for NHTSA. NHTSA is
engaged in research and industry
outreach efforts to support enhanced
reliability and resiliency of vehicle
electronics, software, and related
vehicle control systems, not only to
mitigate safety risks associated with
failure or potential cyber compromise of
such systems, but also to ensure that
affected parties take appropriate actions
and such concerns do not pose public
acceptance barriers for proven safety
technologies.
NHTSA’s work in this area seeks to
support the automotive industry’s
continued improvements to motor
vehicle cybersecurity reliability and
resiliency. The Agency also expends
resources in understanding and
promoting contemporary methods in
software development, testing practices,
and requirements management as they
pertain to robust management of
underlying safety hazards and risks
across the vehicle life-cycle. These
activities include close collaboration
with industry to promote a strong risk
management culture and associated
organizational and systems engineering
processes.
Background
In October 2016, NHTSA issued its
first best practices document focusing
on the cybersecurity of motor vehicles
and motor vehicle
equipment.1 Cybersecurity Best Practices
for Modern Vehicles (‘‘2016 Best
Practices’’) was the culmination of years
of extensive engagement with public
and private stakeholders and NHTSA
research on vehicle cybersecurity and
methods of enhancing vehicle
cybersecurity industry-wide. As
explained in the accompanying Federal
Register document, NHTSA’s 2016 Best
Practices was released with the goal of
supporting industry-led efforts to
improve the industry’s cybersecurity
posture and provide the Agency’s views
on how the automotive industry could
develop and apply sound risk-based
cybersecurity management processes
during the vehicle’s entire lifecycle.
The 2016 Best Practices leveraged
existing automotive domain research as
well as non-automotive and IT-focused
standards such as the National Institute
of Standards and Technology (NIST)
Cybersecurity Framework and the
Center for Internet Security’s Critical
Security Controls framework. NHTSA
considered these sources to be
reasonably applicable and appropriate
to augment the limited industry-specific
guidance that was available at the time.
At publication, NHTSA noted that the
2016 Best Practices were intended to be
updated with new information,
research, and other cybersecurity best
practices related to the automotive
industry. NHTSA invited comments
from stakeholders and interested parties
in response to the document.
Below is a high-level summary of
comments received and how NHTSA
integrated those comments into the 2020
draft Cybersecurity Best Practices for the
Safety of Modern Vehicles.
Summary of Public Comments Received
in Response to NHTSA’s 2016 Best
Practices
NHTSA received comments from
government agencies, regulated entities,
trade associations, advocacy groups and
organizations, and individuals.2 Key
topic areas, and how such comments are
reflected in NHTSA’s revised 2020
Cybersecurity Best Practices for the
Safety of Modern Vehicles are listed
below.
• Guidance vs. Rules. Many
commenters noted that cybersecurity is
a constantly evolving discipline and
that best practices may need frequent
updating, and most commenters
suggested that NHTSA’s cyber best
practices should remain non-binding
and voluntary. NHTSA agrees with
these commenters, and adoption of any
of the provisions listed in the 2020
Cybersecurity Best Practices for the
Safety of Modern Vehicles remains
voluntary.
1 Cybersecurity Best Practices for Modern
Vehicles, announced via the Federal Register, 81
FR 75190 (Oct. 28, 2016).
2 Comments on the 2016 Cybersecurity Best
Practices for Modern Vehicles can be found at
https://beta.regulations.gov/document/NHTSA-2016-0104-0001/comment.
• NHTSA’s cyber best practices
should be aligned with industry
initiatives. Commenters noted that
industry initiatives were under
development at the time of the 2016
Best Practices publication. NHTSA
believes that the specific best practices
outlined in today’s 2020 revision reflect
a strong linkage to key industry
cybersecurity-related initiatives and
efforts by organizations such as SAE
International (SAE), the International
Organization for Standardization (ISO),
NIST, and the Automotive Information
Sharing and Analysis Center (Auto-ISAC)—and are, in general, consistent
with guidelines, standards, and best
practices developed by these
organizations.
• Focus on Safety. Several
commenters noted that NHTSA’s best
practices should focus squarely on
safety aspects of cybersecurity. NHTSA
agrees. The best practices presented in
this revision are tailored to focus on
cybersecurity issues that impact the
safety of motor vehicles throughout the
lifecycle of design, operation,
maintenance and disposal. This
emphasis is reflected throughout the
document, including with a title change:
Cybersecurity Best Practices for the
Safety of Modern Vehicles.
• Consideration of cybersecurity as
part of software development process.
Multiple commenters recommended
greater and more formal consideration
of cybersecurity as part of the software
development lifecycle process.
NHTSA’s revised best practice outlined
today reflects a need to include
cybersecurity considerations along the
entire software supply chain and
throughout the lifecycle management
processes of developing, implementing
and updating software-enabled systems.
• Additional cybersecurity
terminology, definitions. Commenters
noted that the document would benefit
from providing expanded definitions for
certain terms to add precision and
clarity to the recommended best
practices. NHTSA has provided several
additional definitions for key terms
used throughout the document.
The comments received, combined
with continued research, outreach to
stakeholders, learnings from motor
vehicle cybersecurity issues discovered
by researchers, and related industry
activities over the past four years have
served as the foundation for the 2020
update. A description of other important
information that guided the changes
included in the 2020 Cybersecurity Best
Practices for the Safety of Modern
Vehicles is included in the following
section.
2020 Update of Cybersecurity Best
Practices
NHTSA is docketing a draft update to
the agency’s 2016 Best Practices,3 titled
Cybersecurity Best Practices for the
Safety of Modern Vehicles (2020 Best
Practices) for public comments. This
update builds upon agency research and
industry progress since 2016, including
emerging voluntary industry standards,
such as the ISO/SAE Draft International
Standard (DIS) 21434, ‘‘Road Vehicles—
Cybersecurity Engineering.’’ 4 In
addition, the draft update references a
series of industry best practice guides
developed by the Auto-ISAC through its
members.5
The 2020 Best Practices also reflect
findings from NHTSA’s continued
research in motor vehicle cybersecurity,
including over-the-air updates,
encryption methods, and building our
capability in cybersecurity penetration
testing and diagnostics, and the new
learnings obtained through researcher
and stakeholder engagement. Finally,
the updates included in the 2020 Best
Practices incorporate insights gained
from public comments received in
response to the 2016 guidance and from
information obtained during the annual
SAE/NHTSA Vehicle Cybersecurity
Workshops.
As with the 2016 Best Practices,
NHTSA’s updated draft, Cybersecurity
Best Practices for the Safety of Modern
Vehicles, is intended to serve as a
resource for the industry as a whole and
covers safety-related cybersecurity
issues for all motor vehicles and motor
vehicle equipment. As such, it is
applicable to all individuals and
organizations involved in the design,
manufacture, and assembly of a motor
vehicle and its electronic systems and
software. These entities include, but are
not limited to, small and large volume
motor vehicle and motor vehicle
equipment designers, suppliers,
manufacturers, and modifiers. What
follows is a listing of each new best
practice, and an explanation of why
NHTSA believes the inclusion is
necessary in this update.
3 The 2016 guidance is titled Cybersecurity Best
Practices for Modern Vehicles and is available at:
https://www.federalregister.gov/documents/2016/10/28/2016-26045/request-for-comment-on-cybersecurity-best-practices-for-modern-vehicles.
The 2020 update has a modified title that
emphasizes the document’s focus on, and NHTSA’s
commitment to, cybersecurity as an aspect of safety
in motor vehicles and motor vehicle equipment.
4 ISO/SAE 21434:2020 Road Vehicles—
Cybersecurity Engineering, available at:
https://www.iso.org/standard/70918.html.
5 See https://automotiveisac.com/best-practices/.
• [G.6] Manufacturers should
consider the risks associated with sensor
vulnerabilities and potential sensor
signal manipulation efforts such as GPS
spoofing,6 road sign modification,7 Lidar/
Radar jamming and spoofing,8 camera
blinding,9 or excitation of machine
learning false positives.10
This best practice recommends that
industry consider ‘‘sensor
vulnerabilities’’ as part of their risk
assessment (examples: GPS spoofing,
road sign modification, Lidar/Radar
jamming and spoofing, camera blinding,
or excitation of machine learning false
positives). NHTSA added it to reflect
the new research that shows that
technology behavior could be
influenced via sensor spoofing, which
differs from traditional software
manipulation-based cyber issues.
• [G.7] Any unreasonable risk to
safety-critical systems should be
removed or mitigated to acceptable
levels through design, and any
functionality that presents an
unavoidable and unnecessary risk
should be eliminated where possible.
This best practice recommends
‘‘removal of risk’’ to be considered as
part of the development process.
NHTSA included this best practice to
align with the National Traffic and
Motor Vehicle Safety Act’s prohibition
of manufacturers selling motor vehicles
and motor vehicle equipment that may
contain unreasonable risks to safety.
This is a common practice element of
sound risk-based approaches. The 2016
Best Practices recommended assessing
and appropriately mitigating risks to
acceptable levels. While the 2016
documents implicitly included G.7 in
cases where risks could not be mitigated
with known tools and for a given
architecture appropriately, this
document makes the best practice
explicit.
6 DefCon 23—Lin Huang and Qing Yang—Low
cost GPS Simulator: GPS Spoofing by SDR (2015).
Video of the talk available at:
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20video/.
7 McAfee Labs, Model Hacking ADAS to Pave
Safer Roads for Autonomous Vehicles (2020),
available at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/model-hacking-adas-to-pave-safer-roads-for-autonomous-vehicles/.
8 Mark Harris, IEEE Spectrum Sept 4, 2015,
Researcher Hacks Self-driving Car Sensors.
9 Petit, J. et al., ‘‘Remote Attacks on Automated
Vehicles Sensors: Experiments on Camera and
LiDAR’’ (2015), available at:
https://www.blackhat.com/docs/eu-15/materials/eu-15-Petit-Self-Driving-And-Connected-Cars-Fooling-Sensors-And-Tracking-Drivers-wp1.pdf.
10 Tencent Keen Security Lab, Experimental
Security Research of Tesla Autopilot 2019, available
at: https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdf.
• [G.9] Clear cybersecurity
expectations should be specified and
communicated to the suppliers that
support the intended protections.
Vehicles are produced in a complex
supply chain, and cybersecurity roles
and expectations need to be clarified
and coordinated among involved parties
to support the cybersecurity goals of the
manufacturers. ISO/SAE 21434 Clause
15 discusses customer-supplier
relationships and provides various
recommendations for how to manage
cybersecurity risks among these entities.
Such recommendations extend, among
other aspects, to the interactions,
dependencies, and responsibilities
between customers and suppliers for
cybersecurity activities.
• [G.10] Manufacturers should
maintain a database of operational
software components 11 12 used in each
automotive ECU, each assembled
vehicle, and a history log of version
updates applied over the vehicle’s
lifetime; and [G.11] Manufacturers
should track sufficient details related to
software components,13 such that when a
newly identified vulnerability is
identified related to an open source or
off-the-shelf software,14 manufacturers
can quickly identify what ECUs and
specific vehicles would be affected by it.
Through engagement in organized
exercises, such as CyberStorm,15 the
Agency recognized that the ability to
identify whether an issue with one
component would affect a single or
multiple makes and models is critically
important to determine the potential
scope of risk. Further, being able to
recognize which software version is
installed on individual vehicles or items
of equipment and differentiate between
versions is critical to respond to
incidents quickly. The Food and Drug
Administration and National
Telecommunications and Information
Administration developed detailed
guidance around the same concept, and
NHTSA believes such guidance to be of
value to the automotive industry.
11 This is also referred to as a software bill of
materials (SBOM), which is a list of components in
a piece of software, including assembled open
source and commercial software components.
12 Multistakeholder Process on Promoting
Software Component Transparency, 83 FR 110
(June 4, 2018).
13 These details could include: The licenses that
govern those components, the versions of the
components used in the codebase, and their patch
status.
14 A good example would be the vulnerability
associated with the Transport Layer Security (TLS)
implementations in OpenSSL 1.0.1 before 1.0.1g in
the Heartbleed vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160.
15 https://www.cisa.gov/cyber-storm-securing-cyber-space.
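One way to structure the records that G.10 and G.11 call for, as an added example that is not part of NHTSA's notice or draft: an install history per vehicle and ECU, queried for the OpenSSL range cited in footnote 14 (1.0.1 before 1.0.1g). The table layout, function names, VINs, ECU names and dates are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample history: (vin, ecu, component, version, installed_on).
# Every value here is made up; only the OpenSSL version range comes from the notice.
SAMPLE_LOG = [
    ("VIN0001", "telematics", "openssl", "1.0.1e", "2019-03-01"),
    ("VIN0001", "telematics", "openssl", "1.0.1g", "2020-06-15"),  # later update
    ("VIN0002", "telematics", "openssl", "1.0.1f", "2019-04-10"),
    ("VIN0002", "infotainment", "openssl", "1.0.0k", "2019-04-10"),
    ("VIN0003", "gateway", "zlib", "1.2.11", "2019-05-20"),
    ("VIN0003", "telematics", "openssl", "1.0.1", "2019-05-20"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn an OpenSSL-style version such as '1.0.1g' into a sortable tuple."""
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letter = m.groups()
    # An empty letter sorts before 'a', so 1.0.1 < 1.0.1a < ... < 1.0.1g.
    return (int(major), int(minor), int(patch), letter)


def in_range(version, first_affected, fixed_in):
    """True when first_affected <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(fixed_in)


def build_db(rows):
    """G.10: one row per software install event, kept for the vehicle's lifetime."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE install_log ("
        " vin TEXT NOT NULL, ecu TEXT NOT NULL, component TEXT NOT NULL,"
        " version TEXT NOT NULL, installed_on TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO install_log VALUES (?, ?, ?, ?, ?)", rows)
    return db


# Latest install per (vin, ecu, component); ISO dates sort as plain text.
CURRENT_SQL = """
SELECT vin, ecu, version FROM install_log AS l
WHERE component = ?
  AND installed_on = (SELECT MAX(installed_on) FROM install_log
                      WHERE vin = l.vin AND ecu = l.ecu
                        AND component = l.component)
ORDER BY vin, ecu
"""

HISTORY_SQL = """
SELECT vin, ecu, version, installed_on FROM install_log
WHERE component = ?
ORDER BY vin, ecu, installed_on
"""


def affected_now(db, component, first_affected, fixed_in):
    """G.11: ECUs and vehicles currently running a version in the affected range."""
    rows = db.execute(CURRENT_SQL, (component,)).fetchall()
    return [r for r in rows if in_range(r[2], first_affected, fixed_in)]


def ever_exposed(db, component, first_affected, fixed_in):
    """Install events, current or superseded, that put an affected version on an ECU."""
    rows = db.execute(HISTORY_SQL, (component,)).fetchall()
    return [r for r in rows if in_range(r[2], first_affected, fixed_in)]


if __name__ == "__main__":
    db = build_db(SAMPLE_LOG)
    print("affected now:")
    for row in affected_now(db, "openssl", "1.0.1", "1.0.1g"):
        print("  ", row)
    print("ever exposed:")
    for row in ever_exposed(db, "openssl", "1.0.1", "1.0.1g"):
        print("  ", row)
```

The second query is why the history log matters: a vehicle updated to a fixed version drops out of the current list but still ran the affected version for a period.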
• [G.12] Manufacturers should
evaluate all commercial off-the-shelf
and open-source software components
used in vehicle ECUs against known
vulnerabilities.16 17
This best practice highlights the
importance of making informed
decisions about using open source and
off-the-shelf software with respect to
documented vulnerabilities. This is a
common practice in other domains.
NIST established a national database to
facilitate such action.18
• [G.22] Best practices for secure
software development should be
followed, for example as outlined in
NIST 8151 19 and ISO/SAE 21434.20
This best practice provides further
detailed resources for companies to
consider for implementation, as
appropriate. Comments received on the
2016 Cybersecurity Best Practices
requested that NHTSA incorporate
current industry guidance and
standards.21 Pointing to such resources
is helpful for all companies, but
particularly for companies with less
mature cybersecurity programs.
• [G.23] Manufacturers should
actively participate in automotive
industry-specific best practices and
standards development activities
through Auto-ISAC and other
recognized standards development
organizations.
Industry standards, such as ISO/SAE
21434, are more broadly adopted when
entities actively participate in their
establishment and ensure their unique
needs are considered and addressed.
NHTSA’s encouragement of industry
involvement in standards development
organizations is long standing.
• [G.30] Commensurate to assessed
risks, organizations should have a plan
for addressing newly identified
vulnerabilities on consumer-owned
vehicles in the field, inventories of
vehicles built but not yet distributed to
dealers, vehicles delivered to
dealerships but not yet sold to
consumers, as well as future products
and vehicles.
During a validated incident, the
ability to address the issue for the
impacted population could vary for
vehicles in different stages of
distribution. A plan that considers these
stages can facilitate a more effective
organizational response. This addition
also reflects Clause 7 of the ISO/SAE
21434 standard.
• [G.40] Any connection to a third-party device should be authenticated
and provided with appropriate limited
access.
During the life-cycle of a vehicle,
consumer devices (e.g., mobile phones,
insurance dongles) or repair/
maintenance tools may be connected to
the vehicle systems. These systems
could enable wireless connectivity to
the vehicle interface and may not
feature adequate cyber controls on them.
For example, research on an insurance
dongle inserted into the OBDII port
during operation found that it did not
employ techniques, such as digital
signing, that would prevent a cyber
attacker from reprogramming
firmware.22 A similar issue is described
by Argus Cybersecurity on a connected
car service.23 Accordingly, this best
practice recommends that vehicle
systems should treat such devices as
untrusted and control their access to
safety critical systems.
• [T.7] The use of global symmetric
keys and ad-hoc cryptographic
techniques for diagnostic access should
be minimized.24
This best practice discourages the use
of global symmetric keys or unproven
cryptographic techniques, which can
result in a false sense of security for
manufacturers and the consumer. This
addition is also responsive to a
comment from a diagnostic tool
manufacturer to the 2016 Best Practices.
Further, research shows the
ineffectiveness of symmetric keys (see
footnote in T.7).
16 MITRE Common Vulnerabilities and Exposures
(CVE) may be found at: https://cve.mitre.org/.
17 NIST’s National Vulnerability Database may be
found at: https://nvd.nist.gov/.
18 See https://nvd.nist.gov/.
19 Black P., Badger M., Guttman B., Fong E.,
NISTIR 8151 Dramatically Reducing Software
Vulnerabilities: Report to the White House Office of
Science and Technology Policy.
20 ISO/SAE 21434 clause 10 discusses software
development practices.
21 See public comments in response to the 2016
Best Practices, such as NHTSA–2016–0104–0969,
and NHTSA–2016–0104–0998.
22 See https://jalopnik.com/progressive-insurances-driver-tracking-tool-is-ridicul-1680720690.
23 See Argus Cyber Security, ‘‘A remote attack on
an aftermarket telematics service’’ (Nov. 7, 2014),
available at: https://argus-sec.com/remote-attack-aftermarket-telematics-service/#:~:text=Zubie%20is%20a%20leading%20connected,II%20port%20of%20your%20car.
24 Hogan G., Flashing ECU Firmware Updates
from a Web Browser, Talk at DefCon 27: Car
Hacking Village, Las Vegas. Video of the talk may
be found at: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20villages/.
Mr. Hogan describes reverse engineering
enciphered firmware updates.
• [T.8] Vehicle and diagnostic tool
manufacturers should control tools’
access to vehicle systems that can
perform diagnostic operations and
reprogramming by providing for
appropriate authentication and access
control.25
This best practice responds to
research demonstrating the ability to
leverage diagnostic tools to reverse
engineer and implement vulnerabilities
in vehicle systems.
• [T.12] Such logs that can be
aggregated across vehicles should be
periodically reviewed to assess potential
trends of cyber-attacks.
Information aggregated across
multiple vehicles in a manufacturer’s
fleet can highlight trends and help a
manufacturer recognize a cybersecurity
attack more quickly, and potentially
prior to a successful breach, than
focusing on only a single vehicle or
compartmentalized information. This
approach is common in the enterprise
information technology domain,26 and
applies to the automotive realm. T.12
purposefully limits the recommendation
to logs that can be aggregated.
• [T.13] Manufacturers should treat
all networks and systems external to a
vehicle’s wireless interfaces as untrusted
and use appropriate techniques to
mitigate potential threats.
This is a common approach taken by
the stakeholder community and
NHTSA. Various forms of ‘‘man-in-the-middle’’ cyber attacks seen with
wireless interfaces suggest that
information outside the wireless
interfaces of vehicles should not be
trusted until appropriately
authenticated for intended uses. NHTSA
added this best practice to reflect
learnings from demonstrated man-in-the-middle attacks.
• [T.22] Maintain the integrity of OTA
updates, update servers, the
transmission mechanism and the
updating process in general.27 28
OTA updates are updates to vehicle or
equipment software that are pushed
remotely to the vehicle. The OTA
update process should not introduce
cybersecurity vulnerabilities in the
process, through either the update itself
or through the updating process.
NHTSA added this best practice to
reflect learnings discussed in the
Agency’s Cybersecurity of Firmware
Updates research report.29
25 ISO/SAE 21434 requirement [RQ–05–15] states
that ‘‘Tools that can impact the cybersecurity of an
item, system or component shall be managed.’’
26 See Chapter 4: Network based intrusion
detection and protection systems in NIST 800–94,
available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf.
27 Bar R., Hacking into Automotive Clouds, talk at
DefCon 27 Car Hacking Village, Las Vegas 2019.
Video of the talk: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20villages/.
28 Rodgers M., Mahaffey K., How to Hack a Tesla
Model S, talk at DefCon 23, Las Vegas 2015. Video
of the talk: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20video/.
• [T.23] Take into account, when
designing security measures, the risks
associated with compromised servers,
insider threats, men-in-the-middle
attacks, and protocol vulnerabilities.
This best practice provides more
granular recommendations with respect
to risk considerations in T.22. As with
T.22, NHTSA added this to reflect
learnings discussed in the Agency’s
Cybersecurity of Firmware Updates
research report.30
Public Comment
NHTSA is seeking public comments
on the 2020 Best Practices and
additional ways to improve its
usefulness to stakeholders. The updated
draft document is structured around five
key areas: (1) General Cybersecurity Best
Practices, (2) Education, (3)
Aftermarket/User Owned Devices, (4)
Serviceability, and (5) Technical
Vehicle Cybersecurity Best Practices,
and NHTSA seeks comments on all
areas.
NHTSA will further update and refine
this draft document over time, based on
public comments received, the
experience of NHTSA, manufacturers,
suppliers, consumers, and others, as
well as from further research findings
and technological innovations. The
updated draft document is available in
PDF format under Docket No. NHTSA–
2020–0087.
Economic Analysis for Cybersecurity
Best Practices for the Safety of Modern
Vehicles
NHTSA is seeking comment on its
Cybersecurity Best Practices for the
Safety of Modern Vehicles (2020 Best
Practices), which is non-binding (i.e.,
voluntary) guidance provided to serve
as a resource for industry on safety-related cybersecurity issues for motor
vehicles and motor vehicle equipment.
As guidance, the document touches on
a wide array of issues related to safety-related cybersecurity practices, and
provides recommendations to industry
on the following topics: (1) General
Cybersecurity Best Practices, (2)
Education, (3) Aftermarket/User Owned
Devices, (4) Serviceability, and (5)
Technical Vehicle Cybersecurity Best
Practices.
NHTSA has made a good faith effort
to assess the potential costs that
companies in the automotive industry
29 https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/cybersecurity_of_firmware_updates_oct2020.pdf
30 https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/cybersecurity_of_firmware_updates_oct2020.pdf
might bear if these companies decide to
integrate the recommendations in the
2020 Best Practices into their business
practices. The following is a summary of
the considerations that NHTSA
evaluated for purposes of this section.
First, although, as guidance, the 2020
Best Practices is voluntary, NHTSA
expects that many entities will
conform their practices to the
recommendations endorsed by NHTSA.
NHTSA believes that the Cybersecurity
Best Practices for the Safety of Modern
Vehicles serve as a means of facilitating
common understanding across industry
regarding best practices for
cybersecurity.
Second, the diversity among the
entities to which the 2020 Best Practices
apply is vast. The recommendations
found in Cybersecurity Best Practices
for the Safety of Modern Vehicles are
necessarily general and flexible enough
to be applied to any industry entity,
regardless of size or staffing. The
recommendations contained within the
best practices are intended to be
applicable to all individuals and
organizations involved in the design,
manufacture, and assembly of a motor
vehicle and its electronic systems and
software. These entities include, but are
not limited to, small and large volume
motor vehicle and motor vehicle
equipment designers, suppliers,
manufacturers, and modifiers. NHTSA
recognizes that there is much
organizational diversity among the
intended audience, resulting in a variety
of approaches, organizational sizes, and
staffing needs. NHTSA also expects that
these entities have varying levels of
organizational maturity related to
cybersecurity, and varying levels of
potential cybersecurity risks. These
expectations, combined with NHTSA’s
lack of detailed knowledge of the
organizational maturity and
implementation of any
recommendations contained within the
guidance, make it difficult for NHTSA
to develop a reasonable quantification of
the per-organization cost of
implementing the recommendations.
Third, any costs associated with
applying the 2020 Best Practices would
be limited to the incremental cost of
applying the new recommendations
included in the document (as opposed
to those in the 2016 Best Practices). The
updated Cybersecurity Best Practices for
the Safety of Modern Vehicles
document highlights a total of 65
enumerated best practices, 16 of which
could be considered ‘‘new’’ relative to
the first version published in 2016.
Fourth, costs could be limited by
organizations who have implemented
some of the recommendations prior to
this request for comment. NHTSA is
unaware of the extent to which various
entities have already implemented
NHTSA’s recommendations, and
determining the incremental costs
associated with full implementation of
the recommendations is effectively
impossible without detailed insight into
the organizational processes of every
company.
Fifth, many of NHTSA’s
recommendations lean very heavily on
industry standards, such as Draft
International Standard SAE/ISO 21434.
Three of the 16 ‘‘new’’ best practices
simply reference the SAE/ISO 21434
industry standard. Since many aspects
of NHTSA’s recommendations are
mapped to an industry standard, costs
would also be limited for those
companies who are adopting SAE/ISO
21434 already. Thus, it would be
impossible to parse whether a company
implemented SAE/ISO 21434 or
whether it had decided to adopt
NHTSA’s voluntary recommendations.
While the 2020 Best Practices have
some recommendations 31 that cannot
be mapped to an industry standards
document at this time, most of those
recommendations involve common
vehicle engineering and sound business
management practices, such as risk
assessment and supply-chain
management. For these
recommendations, NHTSA’s inclusion
in the 2020 Cyber Best Practices serves
as a reminder.
Regarding benefits, entities that do
not implement appropriate
cybersecurity measures, like those
guided by these recommendations, or
other sound controls, face a higher risk
of cyberattack or increased exposure in
the event of a cyberattack, potentially
leading to safety concerns for the public.
Implementation of the best practices
can, therefore, facilitate ‘‘cost
prevention’’ in the sense that failure to
adopt appropriate cybersecurity
practices could result in other direct or
indirect costs to companies (i.e.,
personal injury, vehicle damage,
warranty, recall, or voluntary repair/
updates). A quantitative analysis would
require present value estimation of
future benefits, or a comparison of two
similar sample groups, one of which is
implementing the recommendations and
the other is not. This comparison would
illustrate the differences in groups in a
way that would allow the benefits
attributable to implementation of the
31 For example, G.6 in Section 4.2.3 recommends
consideration of sensor vulnerabilities as part of
risk assessment; and G.9 and G.10 in Section 4.2.6
recommend tracking software components on
vehicles in a manner similar to hardware
components.
best practices to be calculated. However,
neither is possible at this time.
The best practices outlined in this
document help organizations measure
their residual risks better, particularly
the safety risks associated with potential
cybersecurity issues in motor vehicles
and motor vehicle equipment that they
design and manufacture. Further, they
provide a toolset of techniques that
organizations can use, commensurate with
their measured risks, to take appropriate
actions to reduce or eliminate those risks
and, in doing so, lower the future liabilities
these risks represent in terms of safety
risks to the public and business costs
associated with addressing them.
In addition, quantitatively positive
externalities have been shown to stem
from vehicle safety and security
measures (Ayres & Levitt, 1998). The
high marginal cost of cybersecurity
failures (crashes) extends to third parties.
Widely accepted adoption of sound
cybersecurity practices limits these
potential costs and lessens incentives
for attempts at market disruption (i.e.,
signal manipulation, GPS spoofing, or
reverse engineering).
How do I prepare and submit
comments?
Your comments must be written and
in English. To ensure that your
comments are filed correctly in the
docket, please include the docket
number of this document in your
comments. Your comments must not be
more than 15 pages long (49 CFR
553.21). NHTSA established this limit to
encourage you to write your primary
comments in a concise fashion.
However, you may attach necessary
additional documents to your
comments. There is no limit on the
length of the attachments. Please submit
one copy (two copies if submitting by
mail or hand delivery) of your
comments, including the attachments,
to the docket following the instructions
given above under ADDRESSES. Please
note, if you submit comments
electronically as a PDF (Adobe) file,
NHTSA asks that the documents
submitted be scanned using an Optical
Character Recognition (OCR) process,
thus allowing the Agency to search and
copy certain portions of your
submissions.
How do I submit confidential business
information?
If you wish to submit any information
under a claim of confidentiality, you
should submit three copies of your
complete submission, including the
information you claim to be confidential
business information, to the Office of
the Chief Counsel, NHTSA, at the
address given above under FOR FURTHER
INFORMATION CONTACT. In addition, you
may submit a copy (two copies if
submitting by mail or hand delivery),
from which you have deleted the
claimed confidential business
information, to the docket by one of the
methods given above under ADDRESSES.
When you send a comment containing
information claimed to be confidential
business information, you should
include a cover letter setting forth the
information specified in NHTSA’s
confidential business information
regulation (49 CFR part 512).
Will the Agency consider late
comments?
NHTSA will consider all comments
received before the close of business on
the comment closing date indicated
above under DATES. To the extent
possible, the Agency will also consider
comments received after that date.
Given that we intend for the guidance
document to be a living document and
to be developed in an iterative fashion,
subsequent opportunities to comment
will also be provided necessarily.
How can I read the comments
submitted by other people?
You may read the comments received
at the address given above under
Comments. The hours of the docket are
indicated above in the same location.
You may also see the comments on the
internet, identified by the docket
number at the heading of this document,
at https://www.regulations.gov.
Issued in Washington, DC, under authority
delegated in 49 CFR 1.95 and 501.8.
Cem Hatipoglu,
Associate Administrator for Vehicle Safety
Research.
[FR Doc. 2021–00390 Filed 1–11–21; 8:45 am]
BILLING CODE 4910–59–P
DEPARTMENT OF TRANSPORTATION
Pipeline and Hazardous Materials
Safety Administration
Hazardous Materials: Notice of
Applications for Modifications to
Special Permit
AGENCY: Pipeline and Hazardous
Materials Safety Administration
(PHMSA), DOT.
ACTION: List of applications for
modification of special permits.
SUMMARY: In accordance with the
procedures governing the application
for, and the processing of, special
permits from the Department of
Transportation’s Hazardous Material
Regulations, notice is hereby given that
the Office of Hazardous Materials Safety
has received the application described
herein. Each mode of transportation for
which a particular special permit is
requested is indicated by a number in
the ‘‘Nature of Application’’ portion of
the table below as follows: 1—Motor
vehicle, 2—Rail freight, 3—Cargo vessel,
4—Cargo aircraft only, 5—Passenger-carrying aircraft.
DATES: Comments must be received on
or before January 27, 2021.
ADDRESSES: Record Center, Pipeline and
Hazardous Materials Safety
Administration, U.S. Department of
Transportation, Washington, DC 20590.
Comments should refer to the
application number and be submitted in
triplicate. If confirmation of receipt of
comments is desired, include a self-addressed stamped postcard showing
the special permit number.
FOR FURTHER INFORMATION CONTACT:
Donald Burger, Chief, Office of
Hazardous Materials Approvals and
Permits Division, Pipeline and
Hazardous Materials Safety
Administration, U.S. Department of
Transportation, East Building, PHH–30,
1200 New Jersey Avenue Southeast,
Washington, DC 20590–0001, (202) 366–
4535.
SUPPLEMENTARY INFORMATION: Copies of
the applications are available for
inspection in the Records Center, East
Building, PHH–30, 1200 New Jersey
Avenue Southeast, Washington, DC or at
https://regulations.gov.
This notice of receipt of applications
for special permit is published in
accordance with part 107 of the Federal
hazardous materials transportation law
(49 U.S.C. 5117(b); 49 CFR 1.53(b)).
Issued in Washington, DC, on January 5,
2021.
Donald P. Burger,
Chief, General Approvals and Permits
Branch.
[Federal Register Volume 86, Number 7 (Tuesday, January 12, 2021)]
[Notices]
[Pages 2481-2486]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-00390]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety Administration
[Docket No. NHTSA-2020-0087]
Cybersecurity Best Practices for the Safety of Modern Vehicles
AGENCY: National Highway Traffic Safety Administration (NHTSA),
Department of Transportation (DOT).
ACTION: Request for comments.
-----------------------------------------------------------------------
SUMMARY: NHTSA invites public comment on the Agency's updated draft
cybersecurity best practices document titled Cybersecurity Best
Practices for the Safety of Modern Vehicles. In 2016, NHTSA issued its
first edition, Cybersecurity Best Practices for Modern Vehicles, which
described NHTSA's nonbinding guidance to the automotive industry for
improving vehicle cybersecurity. With this document, NHTSA is docketing
and soliciting public feedback on a draft update based on the knowledge
gained through prior comments, continued research, motor vehicle
cybersecurity issues discovered by researchers, and related industry
activities over the past four years. To emphasize NHTSA's safety
mission, recommendations in the document focus on cybersecurity best
practices that have safety implications for motor vehicles and motor
vehicle equipment.
DATES: Written comments are due no later than March 15, 2021.
ADDRESSES: Comments must refer to the docket number above and be
submitted by one of the following methods:
Federal eRulemaking Portal: Go to https://www.regulations.gov. Follow the online instructions for submitting
comments.
Mail: Docket Management Facility, M-30, U.S. Department of
Transportation, West Building, Ground Floor, Room W12-140, 1200 New
Jersey Avenue SE, Washington, DC 20590.
Hand Delivery or Courier: U.S. Department of
Transportation, West Building, Ground Floor, Room W12-140, 1200 New
Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m. Eastern
time, Monday through Friday, except Federal holidays. To be sure
someone is there to help you, please call (202) 366-9322 before coming.
Fax: 202-493-2251.
Regardless of how you submit your comments, you must include the
docket number identified in the heading of this document.
Note that all comments received, including any personal information
provided, will be posted without change to https://www.regulations.gov.
Please see the ``Privacy Act'' heading below.
You may call the Docket Management Facility at 202-366-9322. For
access to the docket to read background documents or comments received,
go to https://www.regulations.gov or the street address listed above. To
be sure someone is there to help you, please call (202) 366-9322 before
coming. We will continue to file relevant information in the Docket as
it becomes available.
Privacy Act: In accordance with 5 U.S.C. 553(c), DOT solicits
comments from the public to inform its decision-making process. DOT
posts these comments, without edit, including any personal information
the commenter provides, to https://www.regulations.gov, as described in
the system of records notice (DOT/ALL-14 FDMS), which can be reviewed
at https://www.transportation.gov/privacy. Anyone can search the
electronic form of all comments received into any of our dockets by the
name of the individual submitting the comment (or signing the comment,
if submitted on behalf of an association, business, labor union, etc.).
FOR FURTHER INFORMATION CONTACT: For technical issues, please contact
Mr. Robert Kreeb of NHTSA's Office of Vehicle Safety Research at 202-
366-0587 or [email protected]. For legal issues, contact Ms. Sara R.
Bennett of NHTSA's Office of Chief Counsel at 202-366-2992 or
[email protected].
SUPPLEMENTARY INFORMATION: The evolution of automotive technology has
included an increasingly expanded use of electronic systems, software,
and wireless connectivity. While this development began in the late
1970s, the pace of technological evolution has increased significantly
over the past
[[Page 2482]]
decade. Automotive technology has developed to such an extent that
today's vehicles are some of the most complex computerized products
available to consumers. Enhanced wireless connectivity and continued
innovations in electronic control systems introduce substantial
benefits to highway transportation safety, mobility, and efficiency.
However, with the proliferation of computer-based control systems,
software, connectivity, and onboard digital data communication
networks, modern vehicles need to consider additional failure modes,
vulnerabilities, and threats that could jeopardize benefits if the new
safety risks are not appropriately addressed.
Connectivity and safety technologies that can intervene to assist
drivers with control of their vehicles (e.g., automatic emergency
braking) could also increase cybersecurity risks, and without proactive
measures taken across the vehicle lifecycle, risks could result in
negative safety outcomes. As such, motor vehicle cybersecurity remains
a top priority for NHTSA. NHTSA is engaged in research and industry
outreach efforts to support enhanced reliability and resiliency of
vehicle electronics, software, and related vehicle control systems, not
only to mitigate safety risks associated with failure or potential
cyber compromise of such systems, but also to ensure that affected
parties take appropriate actions and such concerns do not pose public
acceptance barriers for proven safety technologies.
NHTSA's work in this area seeks to support the automotive
industry's continued improvements to motor vehicle cybersecurity
reliability and resiliency. The Agency also expends resources in
understanding and promoting contemporary methods in software
development, testing practices, and requirements management as they
pertain to robust management of underlying safety hazards and risks
across the vehicle life-cycle. These activities include close
collaboration with industry to promote a strong risk management culture
and associated organizational and systems engineering processes.
Background
In October 2016, NHTSA issued its first best practices document
focusing on the cybersecurity of motor vehicles and motor vehicle
equipment.\1\ Cybersecurity Best Practices for Modern Vehicles (``2016
Best Practices'') was the culmination of years of extensive engagement
with public and private stakeholders and NHTSA research on vehicle
cybersecurity and methods of enhancing vehicle cybersecurity industry-
wide. As explained in the accompanying Federal Register document,
NHTSA's 2016 Best Practices was released with the goal of supporting
industry-led efforts to improve the industry's cybersecurity posture
and provide the Agency's views on how the automotive industry could
develop and apply sound risk-based cybersecurity management processes
during the vehicle's entire lifecycle.
---------------------------------------------------------------------------
\1\ Cybersecurity Best Practices for Modern Vehicles, announced
via the Federal Register, 81 FR 75190 (Oct. 28, 2016).
---------------------------------------------------------------------------
The 2016 Best Practices leveraged existing automotive domain
research as well as non-automotive and IT-focused standards such as the
National Institute of Standards and Technology (NIST) Cybersecurity
Framework and the Center for Internet Security's Critical Security
Controls framework. NHTSA considered these sources to be reasonably
applicable and appropriate to augment the limited industry-specific
guidance that was available at the time. At publication, NHTSA noted
that the 2016 Best Practices were intended to be updated with new
information, research, and other cybersecurity best practices related
to the automotive industry. NHTSA invited comments from stakeholders
and interested parties in response to the document.
Below is a high-level summary of comments received and how NHTSA
integrated those comments into the 2020 draft Cybersecurity Best
Practices for the Safety of Modern Vehicles.
Summary of Public Comments Received in Response to NHTSA's 2016 Best
Practices
NHTSA received comments from government agencies, regulated
entities, trade associations, advocacy groups and organizations, and
individuals.\2\ Key topic areas, and how such comments are reflected in
NHTSA's revised 2020 Cybersecurity Best Practices for the Safety of
Modern Vehicles are listed below.
---------------------------------------------------------------------------
\2\ Comments on the 2016 Cybersecurity Best Practices for Modern
Vehicles can be found at https://beta.regulations.gov/document/NHTSA-2016-0104-0001/comment.
---------------------------------------------------------------------------
Guidance vs. Rules. Many commenters noted that
cybersecurity is a constantly evolving discipline and that best
practices may need frequent updating, and most commenters suggested
that NHTSA's cyber best practices should remain non-binding and
voluntary. NHTSA agrees with these commenters, and adoption of any of
the provisions listed in the 2020 Cybersecurity Best Practices for the
Safety of Modern Vehicles remains voluntary.
NHTSA's cyber best practices should be aligned with
industry initiatives. Commenters noted that industry initiatives were
under development at the time of the 2016 Best Practices publication.
NHTSA believes that the specific best practices outlined in today's
2020 revision reflect a strong linkage to key industry cybersecurity-
related initiatives and efforts by organizations such as SAE
International (SAE), the International Organization for Standardization
(ISO), NIST, and the Automotive Information Sharing and Analysis Center
(Auto-ISAC)--and are, in general, consistent with guidelines,
standards, and best practices developed by these organizations.
Focus on Safety. Several commenters noted that NHTSA's
best practices should focus squarely on safety aspects of
cybersecurity. NHTSA agrees. The best practices presented in this
revision are tailored to focus on cybersecurity issues that impact the
safety of motor vehicles throughout the lifecycle of design, operation,
maintenance and disposal. This emphasis is reflected throughout the
document, including with a title change: Cybersecurity Best Practices
for the Safety of Modern Vehicles.
Consideration of cybersecurity as part of software
development process. Multiple commenters recommended greater and more
formal consideration of cybersecurity as part of the software
development lifecycle process. NHTSA's revised best practice outlined
today reflects a need to include cybersecurity considerations along the
entire software supply chain and throughout the lifecycle management
processes of developing, implementing and updating software-enabled
systems.
Additional cybersecurity terminology, definitions.
Commenters noted that the document would benefit from providing
expanded definitions for certain terms to add precision and clarity to
the recommended best practices. NHTSA has provided several additional
definitions for key terms used throughout the document.
The comments received, combined with continued research, outreach
to stakeholders, learnings from motor vehicle cybersecurity issues
discovered by researchers, and related industry activities over the
past four years have served as the foundation for the 2020 update. A
description of other important information that guided the changes
included in the 2020 Cybersecurity Best Practices for the Safety of
Modern
[[Page 2483]]
Vehicles is included in the following section.
2020 Update of Cybersecurity Best Practices
NHTSA is docketing a draft update to the agency's 2016 Best
Practices,\3\ titled Cybersecurity Best Practices for the Safety of
Modern Vehicles (2020 Best Practices) for public comments. This update
builds upon agency research and industry progress since 2016, including
emerging voluntary industry standards, such as the ISO/SAE Draft
International Standard (DIS) 21434, ``Road Vehicles--Cybersecurity
Engineering.'' \4\ In addition, the draft update references a series of
industry best practice guides developed by the Auto-ISAC through its
members.\5\
---------------------------------------------------------------------------
\3\ The 2016 guidance is titled Cybersecurity Best Practices for
Modern Vehicles and is available at: https://www.federalregister.gov/documents/2016/10/28/2016-26045/request-for-comment-on-cybersecurity-best-practices-for-modern-vehicles. The
2020 update has a modified title that emphasizes the document's
focus on, and NHTSA's commitment to, cybersecurity as an aspect of
safety in motor vehicles and motor vehicle equipment.
\4\ ISO/SAE 21434:2020 Road Vehicles--Cybersecurity Engineering,
available at: https://www.iso.org/standard/70918.html.
\5\ See https://automotiveisac.com/best-practices/.
---------------------------------------------------------------------------
The 2020 Best Practices also reflect findings from NHTSA's
continued research in motor vehicle cybersecurity, including over-the-
air updates, encryption methods, and building our capability in
cybersecurity penetration testing and diagnostics, and the new
learnings obtained through researcher and stakeholder engagement.
Finally, the updates included in the 2020 Best Practices incorporate
insights gained from public comments received in response to the 2016
guidance and from information obtained during the annual SAE/NHTSA
Vehicle Cybersecurity Workshops.
As with the 2016 Best Practices, NHTSA's updated draft,
Cybersecurity Best Practices for the Safety of Modern Vehicles, is
intended to serve as a resource for the industry as a whole and covers
safety-related cybersecurity issues for all motor vehicles and motor
vehicle equipment. As such, it is applicable to all individuals and
organizations involved in the design, manufacture, and assembly of a
motor vehicle and its electronic systems and software. These entities
include, but are not limited to, small and large volume motor vehicle
and motor vehicle equipment designers, suppliers, manufacturers, and
modifiers. What follows is a listing of each new best practice, and an
explanation of why NHTSA believes the inclusion is necessary in this
update.
[G.6] Manufacturers should consider the risks associated
with sensor vulnerabilities and potential sensor signal manipulation
efforts such as GPS spoofing,\6\ road sign
modification,\7\ Lidar/Radar jamming and spoofing,\8\
camera blinding,\9\ or excitation of machine learning false
positives.\10\
---------------------------------------------------------------------------
\6\ DefCon 23--Lin Huang and Qing Yang--Low cost GPS Simulator:
GPS Spoofing by SDR (2015). Video of the talk available at: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20video/.
\7\ McAfee Labs, Model Hacking ADAS to Pave Safer Roads for
Autonomous Vehicles (2020), available at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/model-hacking-adas-to-pave-safer-roads-for-autonomous-vehicles/.
\8\ Mark Harris, IEEE Spectrum Sept 4, 2015, Researcher Hacks
Self-driving Car Sensors.
\9\ Petit, J. et al., ``Remote Attacks on Automated Vehicles
Sensors: Experiments on Camera and LiDAR'' (2015), available at:
https://www.blackhat.com/docs/eu-15/materials/eu-15-Petit-Self-Driving-And-Connected-Cars-Fooling-Sensors-And-Tracking-Drivers-wp1.pdf.
\10\ Tencent Keen Security Lab, Experimental Security Research
of Tesla Autopilot 2019, available at: https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdf.
---------------------------------------------------------------------------
This best practice recommends that industry consider ``sensor
vulnerabilities'' as part of their risk assessment (examples: GPS
spoofing, road sign modification, Lidar/Radar jamming and spoofing,
camera blinding, or excitation of machine learning false positives).
NHTSA added it to reflect the new research that shows that technology
behavior could be influenced via sensor spoofing, which differs from
traditional software manipulation-based cyber issues.
[G.7] Any unreasonable risk to safety-critical systems
should be removed or mitigated to acceptable levels through design, and
any functionality that presents an unavoidable and unnecessary risk
should be eliminated where possible.
This best practice recommends ``removal of risk'' to be considered
as part of the development process. NHTSA included this best practice
to align with the National Traffic and Motor Vehicle Safety Act's
prohibition of manufacturers selling motor vehicles and motor vehicle
equipment that may contain unreasonable risks to safety. This is a
common practice element of sound risk-based approaches. The 2016 Best
Practices recommended assessing and appropriately mitigating risks to
acceptable levels. While the 2016 documents implicitly included G.7 in
cases where risks could not be mitigated with known tools and for a
given architecture appropriately, this document makes the best practice
explicit.
[G.9] Clear cybersecurity expectations should be specified
and communicated to the suppliers that support the intended
protections.
Vehicles are produced in a complex supply chain, and cybersecurity
roles and expectations need to be clarified and coordinated among
involved parties to support the cybersecurity goals of the
manufacturers. ISO/SAE 21434 Clause 15 discusses customer-supplier
relationships and provides various recommendations for how to manage
cybersecurity risks among these entities. Such recommendations extend,
among other aspects, to the interactions, dependencies, and
responsibilities between customers and suppliers for cybersecurity
activities.
[G.10] Manufacturers should maintain a database of
operational software components \11\ \12\ used in each
automotive ECU, each assembled vehicle, and a history log of version
updates applied over the vehicle's lifetime; and [G.11] Manufacturers
should track sufficient details related to software
components,\13\ such that when a newly identified
vulnerability is identified related to an open source or off-the-shelf
software,\14\ manufacturers can quickly identify what ECUs and
specific vehicles would be affected by it.
---------------------------------------------------------------------------
\11\ This is also referred to as a software bill of materials
(SBOM), which is a list of components in a piece of software,
including assembled open source and commercial software components.
\12\ Multistakeholder Process on Promoting Software Component
Transparency, 83 FR 110 (June 4, 2018).
\13\ These details could include: The licenses that govern those
components, the versions of the components used in the codebase, and
their patch status.
\14\ A good example would be the vulnerability associated with
the Transport Layer Security (TLS) implementations in OpenSSL 1.0.1
before 1.0.1g in the Heartbleed vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160.
---------------------------------------------------------------------------
Through engagement in organized exercises, such as CyberStorm,\15\
the Agency recognized that the ability to identify whether an issue
with one component would affect a single or multiple makes and models
is critically important to determine the potential scope of risk.
Further, being able to recognize which software version is installed on
individual vehicles or items of equipment and differentiate between
versions is critical to respond to incidents quickly. The Food and Drug
Administration and National Telecommunications and Information
Administration developed detailed guidance around the same concept, and
[[Page 2484]]
NHTSA believes such guidance to be of value to the automotive industry.
---------------------------------------------------------------------------
\15\ https://www.cisa.gov/cyber-storm-securing-cyber-space.
---------------------------------------------------------------------------
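The lookup that G.11 and the paragraph above call for can be sketched as follows. This is an added example, not part of the NHTSA notice: it takes the OpenSSL range from footnote 14 (1.0.1 before 1.0.1g) and resolves it to ECU firmware builds and then to vehicles, using each vehicle's update history log to find what is installed now. The ECU names, firmware versions, models, VINs and data layout are constructed assumptions.

```python
"""SBOM lookup: which ECU builds and vehicles carry a vulnerable component?"""
import re
from collections import defaultdict

# Constructed sample data: ECU names, firmware versions, models and VINs are invented.
# SBOM per ECU firmware build: (ecu, firmware version) -> {component: version}
ECU_SBOM = {
    ("telematics", "3.2.0"): {"openssl": "1.0.1f", "zlib": "1.2.8"},
    ("telematics", "3.4.1"): {"openssl": "1.0.1g", "zlib": "1.2.8"},
    ("infotainment", "7.0.2"): {"openssl": "1.0.1e", "sqlite": "3.8.2"},
    ("gateway", "1.9.0"): {"openssl": "1.0.0t"},
}

# Per-vehicle history log of firmware installs: (ISO date, ecu, firmware version)
VEHICLES = {
    "EXAMPLEVIN0000001": {"model": "Model A", "log": [
        ("2013-05-02", "telematics", "3.2.0"), ("2013-05-02", "gateway", "1.9.0")]},
    "EXAMPLEVIN0000002": {"model": "Model A", "log": [
        ("2013-06-11", "telematics", "3.2.0"), ("2014-04-20", "telematics", "3.4.1")]},
    "EXAMPLEVIN0000003": {"model": "Model B", "log": [
        ("2013-09-30", "infotainment", "7.0.2"), ("2013-09-30", "gateway", "1.9.0")]},
}


def parse_version(v):
    """Parse an OpenSSL 1.x style version: '1.0.1f' -> (1, 0, 1, 'f').

    An empty letter suffix sorts before 'a', so 1.0.1 < 1.0.1a < 1.0.1g < 1.0.2.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if m is None:
        raise ValueError(f"unrecognised version string: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def vulnerable_builds(sbom, component, introduced, fixed):
    """Return ECU builds whose SBOM lists component in [introduced, fixed)."""
    lo, hi = parse_version(introduced), parse_version(fixed)
    return {build for build, parts in sbom.items()
            if component in parts and lo <= parse_version(parts[component]) < hi}


def installed_builds(log):
    """Replay the history log in date order; the last install per ECU wins."""
    current = {}
    for _date, ecu, fw in sorted(log):
        current[ecu] = fw
    return set(current.items())


def affected_vehicles(vehicles, bad_builds):
    """Group affected (vin, ecu, firmware) rows by model to show the scope."""
    hits = defaultdict(list)
    for vin, rec in sorted(vehicles.items()):
        for ecu, fw in sorted(installed_builds(rec["log"]) & bad_builds):
            hits[rec["model"]].append((vin, ecu, fw))
    return dict(hits)


if __name__ == "__main__":
    bad = vulnerable_builds(ECU_SBOM, "openssl", "1.0.1", "1.0.1g")
    for model, rows in affected_vehicles(VEHICLES, bad).items():
        print(model, rows)
```

The second Model A vehicle drops out only because its history log records the later telematics update; an inventory that stored just the as-built firmware would have reported it as affected.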
[G.12] Manufacturers should evaluate all commercial off-the-shelf
and open-source software components used in vehicle ECUs
against known vulnerabilities.\16\ \17\
---------------------------------------------------------------------------
\16\ MITRE Common Vulnerabilities and Exposures (CVE) may be
found at: https://cve.mitre.org/.
\17\ NIST's National Vulnerability Database may be found at:
https://nvd.nist.gov/.
---------------------------------------------------------------------------
This best practice highlights the importance of making informed
decisions about using open source and off-the-shelf software with
respect to documented vulnerabilities. This is a common practice in
other domains. NIST established a national database to facilitate such
action.\18\
---------------------------------------------------------------------------
\18\ See https://nvd.nist.gov/.
---------------------------------------------------------------------------
[G.22] Best practices for secure software development
should be followed, for example as outlined in NIST 8151 \19\
and ISO/SAE 21434.\20\
---------------------------------------------------------------------------
\19\ Black P., Badger M., Guttman B., Fong E., NISTIR 8151
Dramatically Reducing Software Vulnerabilities: Report to the White
House Office of Science and Technology Policy.
\20\ ISO/SAE 21434 clause 10 discusses software development
practices.
---------------------------------------------------------------------------
This best practice provides further detailed resources for
companies to consider for implementation, as appropriate. Comments
received on the 2016 Cybersecurity Best Practices requested that NHTSA
incorporate current industry guidance and standards.\21\ Pointing to
such resources is helpful for all companies, but particularly for
companies with less mature cybersecurity programs.
---------------------------------------------------------------------------
\21\ See public comments in response to the 2016 Best Practices,
such as NHTSA-2016-0104-0969, and NHTSA-2016-0104-0998.
---------------------------------------------------------------------------
[G.23] Manufacturers should actively participate in
automotive industry-specific best practices and standards development
activities through Auto-ISAC and other recognized standards development
organizations.
Industry standards, such as ISO/SAE 21434, are more broadly adopted
when entities actively participate in their establishment and ensure
their unique needs are considered and addressed. NHTSA's encouragement
of industry involvement in standards development organizations is long
standing.
[G.30] Commensurate to assessed risks, organizations
should have a plan for addressing newly identified vulnerabilities on
consumer-owned vehicles in the field, inventories of vehicles built but
not yet distributed to dealers, vehicles delivered to dealerships but
not yet sold to consumers, as well as future products and vehicles.
During a validated incident, the ability to address the issue for
the impacted population could vary for vehicles in different stages of
distribution. A plan that considers these stages can facilitate a more
effective organizational response. This addition also reflects Clause 7
of the ISO/SAE 21434 standard.
[G.40] Any connection to a third-party device should be
authenticated and provided with appropriate limited access.
During the life-cycle of a vehicle, consumer devices (e.g., mobile
phones, insurance dongles) or repair/maintenance tools may be connected
to the vehicle systems. These systems could enable wireless
connectivity to the vehicle interface and may not feature adequate
cyber controls on them. For example, research on an insurance dongle
inserted into the OBDII port during operation found that it did not
employ techniques, such as digital signing, that would prevent a cyber
attacker from reprogramming firmware.\22\ A similar issue is described
by Argus Cybersecurity on a connected car service.\23\ Accordingly,
this best practice recommends that vehicle systems should treat such
devices as untrusted and control their access to safety critical
systems.
---------------------------------------------------------------------------
\22\ See https://jalopnik.com/progressive-insurances-driver-tracking-tool-is-ridicul-1680720690.
\23\ See Argus Cyber Security, ``A remote attack on an
aftermarket telematics service'' (Nov. 7, 2014), available at:
https://argus-sec.com/remote-attack-aftermarket-telematics-service/#:~:text=Zubie%20is%20a%20leading%20connected,II%20port%20of%20your%20car.
---------------------------------------------------------------------------
[T.7] The use of global symmetric keys and ad-hoc
cryptographic techniques for diagnostic access should be minimized.\24\
---------------------------------------------------------------------------
\24\ Hogan G., Flashing ECU Firmware Updates from a Web Browser,
Talk at DefCon 27: Car Hacking Village, Las Vegas. Video of the talk
may be found at: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20villages/. Mr. Hogan describes reverse engineering
enciphered firmware updates.
---------------------------------------------------------------------------
This best practice discourages the use of global symmetric keys or
unproven cryptographic techniques, which can result in a false sense of
security for manufacturers and the consumer. This addition is also
responsive to a comment from a diagnostic tool manufacturer to the 2016
Best Practices. Further, research shows the ineffectiveness of
symmetric keys (see footnote in T.7).
[T.8] Vehicle and diagnostic tool manufacturers should
control tools' access to vehicle systems that can perform diagnostic
operations and reprogramming by providing for appropriate
authentication and access control.\25\
---------------------------------------------------------------------------
\25\ ISO/SAE 21434 requirement [RQ-05-15] states that ``Tools
that can impact the cybersecurity of an item, system or component
shall be managed.''
---------------------------------------------------------------------------
This best practice responds to research demonstrating the ability
to leverage diagnostic tools to reverse engineer and implement
vulnerabilities in vehicle systems.
[T.12] Such logs that can be aggregated across vehicles
should be periodically reviewed to assess potential trends of cyber-
attacks.
Information aggregated across multiple vehicles in a manufacturer's
fleet can highlight trends and help a manufacturer recognize a
cybersecurity attack more quickly, and potentially prior to a
successful breach, than focusing on only a single vehicle or
compartmentalized information. This approach is common in the
enterprise information technology domain,\26\ and applies to the
automotive realm. T.12 purposefully limits the recommendation to logs
that can be aggregated.
---------------------------------------------------------------------------
\26\ See Chapter 4: Network based intrusion detection and
protection systems in NIST 800-94, available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf.
---------------------------------------------------------------------------
[T.13] Manufacturers should treat all networks and systems
external to a vehicle's wireless interfaces as untrusted and use
appropriate techniques to mitigate potential threats.
This is a common approach taken by the stakeholder community and
NHTSA. Various forms of ``man-in-the-middle'' cyber attacks seen with
wireless interfaces suggest that information outside the wireless
interfaces of vehicles should not be trusted until appropriately
authenticated for intended uses. NHTSA added this best practice to
reflect learnings from demonstrated man-in-the-middle attacks.
[T.22] Maintain the integrity of OTA updates, update
servers, the transmission mechanism and the updating process in
general.\27\ \28\
---------------------------------------------------------------------------
\27\ Bar R., Hacking into Automotive Clouds, talk at DefCon 27
Car Hacking Village, Las Vegas 2019. Video of the talk: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20villages/.
\28\ Rogers M., Mahaffey K., How to Hack a Tesla Model S, talk
at DefCon 23, Las Vegas 2015. Video of the talk: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20video/.
---------------------------------------------------------------------------
OTA updates are updates to vehicle or equipment software that are
pushed remotely to the vehicle. The OTA update process should not
introduce cybersecurity vulnerabilities in the process, through either
the update itself or through the updating process. NHTSA added this
best practice to reflect learnings discussed in the
[[Page 2485]]
Agency's Cybersecurity of Firmware Updates research report.\29\
---------------------------------------------------------------------------
\29\ https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/cybersecurity_of_firmware_updates_oct2020.pdf
---------------------------------------------------------------------------
[T.23] Take into account, when designing security
measures, the risks associated with compromised servers, insider
threats, men-in-the-middle attacks, and protocol vulnerabilities.
This best practice provides more granular recommendations with
respect to risk considerations in T.22. As with T.22, NHTSA added this
to reflect learnings discussed in the Agency's Cybersecurity of
Firmware Updates research report.\30\
---------------------------------------------------------------------------
\30\ https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/cybersecurity_of_firmware_updates_oct2020.pdf
---------------------------------------------------------------------------
Public Comment
NHTSA is seeking public comments on the 2020 Best Practices and
additional ways to improve its usefulness to stakeholders. The updated
draft document is structured around five key areas: (1) General
Cybersecurity Best Practices, (2) Education, (3) Aftermarket/User Owned
Devices, (4) Serviceability, and (5) Technical Vehicle Cybersecurity
Best Practices, and NHTSA seeks comments on all areas.
NHTSA will further update and refine this draft document over time,
based on public comments received, the experience of NHTSA,
manufacturers, suppliers, consumers, and others, as well as from
further research findings and technological innovations. The updated
draft document is available in PDF format under Docket No.
NHTSA-2020-0087.
Economic Analysis for Cybersecurity Best Practices for the Safety of
Modern Vehicles
NHTSA is seeking comment on its Cybersecurity Best Practices for
the Safety of Modern Vehicles (2020 Best Practices), which is non-
binding (i.e., voluntary) guidance provided to serve as a resource for
industry on safety-related cybersecurity issues for motor vehicles and
motor vehicle equipment. As guidance, the document touches on a wide
array of issues related to safety-related cybersecurity practices, and
provides recommendations to industry on the following topics: (1)
General Cybersecurity Best Practices, (2) Education, (3) Aftermarket/
User Owned Devices, (4) Serviceability, and (5) Technical Vehicle
Cybersecurity Best Practices.
NHTSA has made a good faith effort to assess the potential costs
that companies in the automotive industry might bear if these companies
decide to integrate the recommendations in the 2020 Best Practices into
their business practices. The following is a summary of the
considerations that NHTSA evaluated for purposes of this section.
First, although, as guidance, the 2020 Best Practices is voluntary,
NHTSA expects that many entities will conform their practices to the
recommendations endorsed by NHTSA. NHTSA believes that the
Cybersecurity Best Practices for the Safety of Modern Vehicles serve as
a means of facilitating common understanding across industry regarding
best practices for cybersecurity.
Second, the diversity among the entities to which the 2020 Best
Practices apply is vast. The recommendations found in Cybersecurity
Best Practices for the Safety of Modern Vehicles are necessarily
general and flexible enough to be applied to any industry entity,
regardless of size or staffing. The recommendations contained within
the best practices are intended to be applicable to all individuals and
organizations involved in the design, manufacture, and assembly of a
motor vehicle and its electronic systems and software. These entities
include, but are not limited to, small and large volume motor vehicle
and motor vehicle equipment designers, suppliers, manufacturers, and
modifiers. NHTSA recognizes that there is much organizational diversity
among the intended audience, resulting in a variety of approaches,
organizational sizes, and staffing needs. NHTSA also expects that these
entities have varying levels of organizational maturity related to
cybersecurity, and varying levels of potential cybersecurity risks.
These expectations, combined with NHTSA's lack of detailed knowledge of
the organizational maturity and implementation of any recommendations
contained within the guidance, make it difficult for NHTSA to develop a
reasonable quantification of the per-organization cost of implementing
the recommendations.
Third, any costs associated with applying the 2020 Best Practices
would be limited to the incremental cost of applying the new
recommendations included in the document (as opposed to those in the
2016 Best Practices). The updated Cybersecurity Best Practices for the
Safety of Modern Vehicles document highlights a total of 65 enumerated
best practices, 16 of which could be considered ``new'' relative to the
first version published in 2016.
Fourth, costs could be limited by organizations who have
implemented some of the recommendations prior to this request for
comment. NHTSA is unaware of the extent to which various entities have
already implemented NHTSA's recommendations, and determining the
incremental costs associated with full implementation of the
recommendations is effectively impossible without detailed insight into
the organizational processes of every company.
Fifth, many of NHTSA's recommendations lean very heavily on
industry standards, such as Draft International Standard SAE/ISO 21434.
Three of the 16 ``new'' best practices simply reference the SAE/ISO
21434 industry standard. Since many aspects of NHTSA's recommendations
are mapped to an industry standard, costs would also be limited for
those companies who are adopting SAE/ISO 21434 already. Thus, it would
be impossible to parse whether a company implemented SAE/ISO 21434 or
whether it had decided to adopt NHTSA's voluntary recommendations.
While the 2020 Best Practices have some recommendations \31\ that
cannot be mapped to an industry standards document at this time, most
of those recommendations involve common vehicle engineering and sound
business management practices, such as risk assessment and supply-chain
management. For these recommendations, NHTSA's inclusion in the 2020
Cyber Best Practices serves as a reminder.
---------------------------------------------------------------------------
\31\ For example, G.6 in Section 4.2.3 recommends consideration
of sensor vulnerabilities as part of risk assessment; and G.9 and
G.10 in Section 4.2.6 recommend tracking software components on
vehicles in a manner similar to hardware components.
---------------------------------------------------------------------------
Regarding benefits, entities that do not implement appropriate
cybersecurity measures, like those guided by these recommendations, or
other sound controls, face a higher risk of cyberattack or increased
exposure in the event of a cyberattack, potentially leading to safety
concerns for the public.
Implementation of the best practices can, therefore, facilitate
``cost prevention'' in the sense that failure to adopt appropriate
cybersecurity practices could result in other direct or indirect costs
to companies (i.e., personal injury, vehicle damage, warranty, recall,
or voluntary repair/updates). A quantitative analysis would require
present value estimation of future benefits, or a comparison of two
similar sample groups, one of which is implementing the recommendations
and the other is not. This comparison would illustrate the differences
in groups in a way that would allow the benefits attributable to
implementation of the
[[Page 2486]]
best practices to be calculated. However, neither is possible at this
time.
The best practices outlined in this document help organizations
measure their residual risks better, particularly the safety risks
associated with potential cybersecurity issues in motor vehicles and
motor vehicle equipment that they design and manufacture. Further, they
provide a toolset of techniques that organizations can use, commensurate
to their measured risks, to take appropriate actions to reduce or
eliminate those risks, and in doing so lower the future liabilities
these risks represent in terms of safety risks to the public and
business costs associated with addressing them.
In addition, quantitatively positive externalities have been shown
to stem from vehicle safety and security measures (Ayres & Levitt,
1998). The high marginal cost of cybersecurity failures (crashes)
extends to third parties. Widely accepted adoption of sound
cybersecurity practices limits these potential costs and lessens
incentives for attempts at market disruption (i.e., signal
manipulation, GPS spoofing, or reverse engineering).
How do I prepare and submit comments?
Your comments must be written and in English. To ensure that your
comments are filed correctly in the docket, please include the docket
number of this document in your comments. Your comments must not be
more than 15 pages long (49 CFR 553.21). NHTSA established this limit
to encourage you to write your primary comments in a concise fashion.
However, you may attach necessary additional documents to your
comments. There is no limit on the length of the attachments. Please
submit one copy (two copies if submitting by mail or hand delivery) of
your comments, including the attachments, to the docket following the
instructions given above under ADDRESSES. Please note, if you submit
comments electronically as a PDF (Adobe) file, NHTSA asks that the
documents submitted be scanned using an Optical Character Recognition
(OCR) process, thus allowing the Agency to search and copy certain
portions of your submissions.
How do I submit confidential business information?
If you wish to submit any information under a claim of
confidentiality, you should submit three copies of your complete
submission, including the information you claim to be confidential
business information, to the Office of the Chief Counsel, NHTSA, at the
address given above under FOR FURTHER INFORMATION CONTACT. In addition,
you may submit a copy (two copies if submitting by mail or hand
delivery), from which you have deleted the claimed confidential
business information, to the docket by one of the methods given above
under ADDRESSES. When you send a comment containing information claimed
to be confidential business information, you should include a cover
letter setting forth the information specified in NHTSA's confidential
business information regulation (49 CFR part 512).
Will the Agency consider late comments?
NHTSA will consider all comments received before the close of
business on the comment closing date indicated above under DATES. To
the extent possible, the Agency will also consider comments received
after that date. Given that we intend for the guidance document to be a
living document and to be developed in an iterative fashion, subsequent
opportunities to comment will also be provided necessarily.
How can I read the comments submitted by other people?
You may read the comments received at the address given above under
Comments. The hours of the docket are indicated above in the same
location. You may also see the comments on the internet, identified by
the docket number at the heading of this document, at https://www.regulations.gov.
Issued in Washington, DC, under authority delegated in 49 CFR
1.95 and 501.8.
Cem Hatipoglu,
Associate Administrator for Vehicle Safety Research.
[FR Doc. 2021-00390 Filed 1-11-21; 8:45 am]