WASHINGTON -- The nation’s top auto safety regulator said his agency will take action this year to address automotive cybersecurity issues, as the spread of connectivity technologies threatens to expose vehicles to new paths of attack.
The National Highway Traffic Safety Administration currently lacks regulations for the security protocols governing the roughly 100 million lines of software code used to control many functions in modern cars. As Wi-fi hotspots, satellite radio and other network connections to vehicles become more common, NHTSA administrator Mark Rosekind said, the agency must define its role in how the security of those systems should be managed, and what tools it needs to ensure the safety of connected vehicle systems.
Rosekind told Automotive News that the effort has the backing of Transportation Secretary Anthony Foxx, though it’s still unclear what type of action the agency will take.
“I don’t know if there’s going to be regulation or standards, or what that’s going to look like,” Rosekind said on the sidelines of a NHTSA cybersecurity event today, “but I don’t think there’s any question that we have to get action on cybersecurity this year.”
Auto cybersecurity was thrust into the spotlight last summer when researchers Charlie Miller and Chris Valasek, working with a magazine reporter, exploited a network vulnerability in the infotainment system of a Jeep Cherokee to demonstrate that they could remotely take control of functions such as its steering and brakes.
Automakers fear that NHTSA regulations for cybersecurity could take years to formulate, and may stifle innovation in the meantime. At the same time, they don’t dispute that security is a critical issue as vehicles become increasingly connected to the Internet, and as autonomous driving technologies enter the marketplace.
At today's meeting, panelists identified a variety of potential threats, including so-called ransomware, or malicious software designed to extort money from vehicle owners by crippling the vehicle’s software controls until a ransom is paid.
Another topic of discussion was how to patch vulnerabilities in vehicle infotainment systems -- the gateway used in Miller and Valasek’s Jeep hack -- and whether features should be disabled until security updates can be installed.
Rosekind said NHTSA organized the daylong event to bring together automakers, suppliers, government officials and researchers, in part to help define the agency’s role in overseeing auto cybersecurity.
“Clearly we are the agency that could create mandates if they were needed,” he said.
He acknowledged the concerns about barriers to innovation but said safety was a paramount concern. For safety-critical issues where industrywide adoption is required, “that’s where you need regulation,” he said. “In some areas of safety, you need 100 percent adoption.”
Automakers have already begun to take the first steps of a broader approach to cybersecurity by launching an Information Sharing and Analysis Center, or ISAC, to serve as a clearinghouse to share cyber threat information.
Jonathan Allen, acting executive director of the auto industry’s ISAC, says the center is operational and automakers are beginning to share information.
Allen says automakers are still working on their internal processes for how to share information with other ISAC members. He also said he anticipated that suppliers would eventually join the ISAC.