

Following on from a warning in March from the Federal Bureau of Investigation that cars with computer systems can be hacked, the National Highway Traffic Safety Administration has issued a set of recommended cyber security guidelines for connected cars.
The best practice guidelines cover two aspects of car hacking: how to best prevent an attack on a vehicle to begin with, and then how to respond effectively if an attack happens. Meant to be non-binding and to serve purely as guidance for automakers, the 22-page document recommends prioritized identification and protection of critical vehicle controls and consumers’ personal data based on risk assessments.
Companies are also advised to consider the full life-cycle of their vehicles, that is, not to abandon support for cars they have sold as those cars get older, and to facilitate a rapid response and recovery from any cyber security incident. The document also recommends that automakers make cyber security of their vehicles a “top leadership priority” and that they allocate appropriate and dedicated resources to cyber security issues, including implementing best practices for researching, investigating, testing and validating cyber security measures.
“Cybersecurity is a safety issue, and a top priority at the Department,” United States Transportation Secretary Anthony Foxx said in a statement. “Our intention with today’s guidance is to provide best practices to help protect against breaches and other security failures that can put motor vehicle safety at risk.”
While the guidelines are a start, they recommend that automakers undertake self-auditing, a process that the industry should in practice be able to do. But industry often fails at it, with cases ranging from the Ford Explorer rollovers to the more recent Volkswagen emissions scandal. The Volkswagen case is notable because the excess emissions coming from cars made by the company were only detected when they were tested by the International Council on Clean Transportation, a not-for-profit third-party group.
While it may be government overreach to interfere in the cyber security practices of the automotive industry, a set of guidelines from a lame duck administration will likely result in little or no change on an issue that could in the very near future become a major one.