Auto-ISAC Cybersecurity Summit Keynote

AS PREPARED FOR DELIVERY

Josh, thank you very much, and good morning, everyone. Faye and Josh, thank you for your leadership of Auto-ISAC, a longstanding partner with NHTSA. Auto-ISAC does outstanding work in the cybersecurity space, bringing us all together for information sharing and relationship building. NHTSA’s leaders have spoken at this conference every year since 2016, and I’m pleased to be here today continuing that tradition. 

As the nation’s vehicle safety agency, we are vested in the success of Auto-ISAC. Software permeates every aspect of modern vehicles and grows more complex with every model year. New technologies and connectivity create the potential and promise of meaningfully increased safety and occupant comfort. But the dynamically evolving extent of software-enabled technologies means that vehicles offer abundant attack surfaces to malicious actors. Through the great work of all of you and your colleagues we have avoided major vehicle-related cyber incidents. Thank you and congratulations.  

NHTSA supported Auto-ISAC’s creation a decade ago because of the clear benefits of a collaborative approach to addressing vehicle cybersecurity. Information sharing doesn’t come naturally in competitive industries, but it’s to everyone’s benefit to learn about vulnerabilities and manage risks. Auto-ISAC facilitates these relationships, and I’m confident you’ll use the next few days to strengthen existing connections and forge new ones. 

Cybersecurity isn’t something the average driver or vehicle occupant gives any thought to, and that’s because of your dedicated work. We at NHTSA greatly appreciate and applaud everything that you do through the Auto-ISAC to reduce cyber-risk. We want to thank all the companies – currently more than 80 – throughout the automotive industry who participate in the ISAC. We strongly encourage membership and participation. We are grateful for everything you do to make America’s vehicles – our freedom machines – safer. 

The public trusts the cyber safety of their cars and devices because of the work you and others do to protect them. Your work includes the publication of the cybersecurity best practices papers – there have been six to date – and they are uniformly excellent and helpful resources. We also want to acknowledge Auto-ISAC’s leadership in exploring Software Build of Materials next steps for the automotive industry.  (Work is timely and extremely helpful.) 

NHTSA stands ready to support you. Just as you share information with each other, I encourage you to share information with us as well. Our experts continuously examine real-world incidents to add to our knowledge and best practices. If there’s something you think we should know, a vulnerability you’ve recently discovered, or an issue where you’d like our expertise, we want to hear from you. NHTSA’s vehicle safety research teams are actively researching and exploring many aspects of vehicle cybersecurity, and we look forward to sharing our work when it’s ready for external review.

Federal Role 

Cybersecurity is a priority across the entire Trump Administration and Department of Transportation, and NHTSA stands ready to support other agencies and departments. You may be familiar with the President’s June 2025 Executive Order called “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity.” It focuses on several areas key to the automotive industry, including securing third-party software supply chains, artificial intelligence, the Internet of Things, and the future of access security, all of which are integral to vehicle technology. It also directs several agencies to develop updated standards, security software development guidance, and encryption measures considering the emerging threats.   

Many agencies are now examining the national security risks that may come with vehicle connectivity pathways, and we will continue to help as requested. For example, NHTSA provided technical assistance to the Commerce Department’s Bureau of Industry and Security as they developed their connected vehicle supply chain final rule. In fact, the bureau’s executive director will be speaking on that rule and other activities tomorrow, and I encourage you to attend and learn more about them. 

AVs 

Our work at NHTSA focuses on vehicle safety and reducing the number of people killed and injured on our nation’s roads. Vehicle technology is a critical part of our portfolio. One area we’re particularly interested in is automation, and ensuring that the United States continues to be the world leader in automated vehicles. Because of NHTSA’s primary federal role in vehicle safety regulation, we have a principal stake in facilitating the safe development, testing, and deployment of automated vehicles. 

We have been directed by President Trump and Secretary Duffy to establish a lasting federal regulatory framework for AVs. We are excited to embrace this initiative. The new framework will unleash American ingenuity, maintain key safety standards, and move us forward to a single national standard that spurs innovation and prioritizes safety. And, of course, the cybersecurity of automated vehicles is paramount. Movies and books love a “hacker takes over a self-driving vehicle” plotline, but it’s thanks to your continued vigilance that this fiction doesn’t become a reality.

What We're Seeing  

There are three major trends we’re researching and monitoring that pose increasing challenges for vehicle cybersecurity. 

The first is the growth in wireless access paths into vehicles. Nearly all new vehicles today come with Wi-Fi, cellular, and Bluetooth-type connectivity paths. While these enable over-the-air updates and consumer convenience features, they introduce potential access points for threat actors. 

The second trend involves the continuing integration of actuators in safety critical functions, such as steering, braking, throttle and other manual controls. More and more vehicle functions can be controlled electronically, with or without driver input. 

Third, there’s the growth in software-designed features in modern vehicles. Software now implements numerous functions on a vehicle, and this will only increase in the coming years. 

While these trends support important safety features and satisfy consumer demand, they enable the potential for a bad actor to cause harm.

NHTSA's Work 

NHTSA closely monitors and reviews vehicle cybersecurity incidents, including those disclosed by researchers, presented at hacker conferences, reported by media, or disclosed by companies. While most of the incidents may not raise imminent scalable risks, we continue to monitor them. 

We are also monitoring potential exploitations that could affect the safety of vehicles. These include vulnerabilities in short-range wireless communications like Bluetooth, as well as physical access points. There are also social engineering exploitations that threat actors could use to gain access to vehicles via web-based features. We also are concerned about potential exploitation of access controls for auto dealer websites that can host sensitive data. 

NHTSA especially continues to focus on the cybersecurity of infotainment systems, which is typically where external wireless connectivity pathways are hosted. More specifically, we are looking at the cybersecurity implications in cell phone pairings through interfaces like CarPlay and Android Auto. Consumers love these convenience features, but we must ensure they aren’t introducing new attack surfaces. 

NHTSA also is studying EV battery management system cybersecurity, including charging interfaces. Integrating low-power wireless connectivity to high-voltage battery systems can help share cell level diagnostics info, but it can also pose new cybersecurity threats and risks. If you’d like to learn more about these and other projects, we would love to see you at our upcoming NHTSA Safety Research Portfolio Public Meeting. It will be held Oct. 21 and 22 at USDOT headquarters here in Washington and it’s free of charge. We’ll have recordings available later for those unable to make the trip. 

While NHTSA’s concerns are primarily focused on addressing imminent safety risks, we know that manufacturers need to address much more when it comes to cyber. For example, key fob vulnerabilities impact consumers, insurance, and brand equity, even though the underlying issue may not pose a specific safety concern. Cybersecurity is not only necessary for safety, but also vital for your brand’s reputation and the overall public confidence in the industry.

Emerging Areas 

Moving forward, NHTSA is keeping a close eye on several emerging areas. The first is the future of computing and its potential effects on vehicle cybersecurity risks. Edge computing, for example, pushes more computation to the vehicle itself and could raise new vulnerabilities. 

The second is AI. AI offers many potential benefits, but AI-driven cyber threat exploitations need to be considered as well. And additionally, there’s the need for a workforce that’s nimble and ready to address issues as they arise. Workforce development and training remains vital. Just as cyber risks continue to evolve, so must training and continuing education. A well-trained workforce is part of a strong defense against cyberattacks and malicious actors.

I’ll wrap up where I began: our strongest defense is a united front. We commend Auto-ISAC for your leadership and encourage everyone to remain active, engaged and transparent. We hope you will view one another not as competition but as allies in the fight against threat actors. NHTSA wants to be a strong partner. Please consider us a resource and don’t hesitate to reach out should you have questions, need advice, or want to alert us to something you’re seeing. Our door is always open, and safety remains the driving force behind everything we do. 

Thank you for the opportunity to be here today, and I wish you the very best for the rest of your conference.