DOT publishes federal policy for self-driving vehicles, stops short of requiring cybersecurity standards

The US Department of Transportation has released a set of guidelines for self-driving vehicle manufacturers. The 116-page NHTSA policy guide is intended to establish a foundation for regulation of self-driving car development. Unfortunately, the policy offers only very broad recommendations when it comes to the cybersecurity of self-driving vehicle systems:

“Manufacturers and other entities should follow a robust product development process based on a systems-engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities. This process should include systematic and ongoing safety risk assessment for the HAV system, the overall vehicle design into which it is being integrated, and when applicable, the broader transportation ecosystem.”

NHTSA does go on to recommend that manufacturers consider the best practices from organizations like NIST and SAE, but fails to provide any concrete cybersecurity requirements. In the entire 116-page document, the topic of vehicle cybersecurity is covered in less than one page. Such minimal focus is a bit befuddling given the multiple recent reports of vehicle security vulnerabilities and recalls. Many of the recent vehicle hacks affect critical vehicle drive and safety systems, posing a very real physical danger to the safety of the vehicle occupants. Self-driving cars rely on more numerous and more complex technologies aboard and outside the vehicle, which always means more opportunities for vulnerabilities.

Clearly, the discipline of vehicle cybersecurity is still emerging, but there is a huge body of knowledge and expertise pertaining to the security of information systems and networks, and much of it can be applied to the design of in-vehicle systems. Examples include using a firewall to filter network connections, segregating the safety-critical systems from the infotainment ones, and encrypting all communication between the systems, to name just a few. It’s disappointing to see that DOT missed the opportunity to set even the most basic security standards in the first release of this policy. Hopefully, they will follow up with more helpful guidelines soon, for both self-driving and regular vehicles.

