
Auto-ISAC Cybersecurity Summit Remarks

Ann Carlson, NHTSA Acting Administrator

Tuesday, October 17, 2023

Torrance, California

As Prepared for Delivery

Stephen (Roberts), thank you for that warm welcome. And thank you to Faye Francy and Auto-ISAC for the invitation to join you for this year’s conference. I had the pleasure of speaking at your conference last year in Dearborn, and I’m happy to welcome you to my home state of California.

Auto-ISAC is all about collaboration and cooperation, which is why NHTSA worked with industry to stand up this organization. And it’s why we continue to support it, because it’s critical to work together to ensure cybersecurity is a priority every step of the way. 

NHTSA and Auto-ISAC have a history of close cooperation to advance cybersecurity. One area we’re both focused on is training and developing the next generation of cybersecurity professionals. We recently wrapped up our cooperative agreement on the Auto-ISAC Automotive Cybersecurity Training Pilot Test. Not only did Auto-ISAC research and develop a comprehensive automotive cybersecurity training program, it developed certification and sustainment plans to make the program permanent. 

The curriculum has two phases – fundamentals and advanced. The fundamentals course is available online, and the advanced course will be held in person in Michigan next year. I encourage you all to take a look at these courses and register – continuing education is so very important, especially in the dynamic field of cybersecurity. 

Supporting initiatives like this training is just one way NHTSA is advancing cybersecurity. Our agency’s cybersecurity program is designed to maintain a high level of awareness and vigilance. Because that’s how we stand strong against cybersecurity threats and prepare to act at a moment’s notice. 

Cybersecurity is motor vehicle safety. The two cannot be separated. 

MORE CONNECTED THAN EVER 

Our world is more connected than ever. We can order groceries from our fridge and start our oven with our phone. Our houses are smart, and we can watch our front door from half a world away. 

The same goes for vehicles. Technology is embedded in every aspect of a vehicle, and the consumer expects more and more connected features. They expect their phone to connect seamlessly to their vehicle and access directions, music, messages, calls and more. Mobile keys are increasingly more common, and telematics can help diagnose issues. 

And there’s no going back. That’s why CASE – Connected, Autonomous, Shared and Electric – is so important, and not just a phrase for the future. Many of these advances are here now, and that’s why Auto-ISAC chose Accelerating CASE Security as this year’s conference theme. 

NHTSA is researching several aspects of connected vehicles. One such project is the cybersecurity of in-vehicle infotainment systems paired with mobile devices. Our experts are performing a technical evaluation of the cybersecurity and resilience of in-vehicle networks while paired with a mobile device. After all, anytime something is connected to a vehicle, a new point of vulnerability is introduced. 

We are also finalizing work on another project, the cybersecurity of vehicle electronics and electrical architectures, which will provide insight into cybersecurity and cyber resilience within the automotive industry. We are studying architectures on a cross-section of makes and models to better understand them, as well as how architectures are changing over time. We look forward to sharing this research with you. 

While research can take years, there’s something you can do now, and that’s planning and working now for the future that’s coming – and the one that’s already here. Cybersecurity must be the foundation of a connected world. 

That brings me to an issue at the forefront of the auto industry right now – right to repair. 

RIGHT TO REPAIR 

Right to repair is a growing topic among consumer electronics, from washers and dryers to cell phones. The automotive industry is also considering right to repair and the role of cybersecurity, as is NHTSA. 

Our agency and the entire U.S. Department of Transportation strongly support the right to repair and are eager to promote consumers’ ability to choose independent or DIY repairs without compromising their safety or that of others on our roads. NHTSA has engaged with state and federal partners to ensure a path forward to promote competition and give consumers more options, while mitigating a dangerous risk to safety. 

SHARING 

As an industry, you have the power to strengthen your resilience by sharing information. You collectively are only as strong as your weakest link. Collaboration and information sharing are vital, and I know it’s not intuitive. After all, this is a competitive industry, and working with one’s rivals doesn’t come naturally. But, for everyone’s sake – and to fulfill the responsibility we all have to protect the American public – it is critical that we work together to ensure cybersecurity is a priority every step of the way. 

I want to highlight a security principle from the National Institute of Standards and Technology: “System security should not depend on the secrecy of the implementation or its components.” 

There may be commercial reasons for secrecy, but security is in everyone’s interest. Communication shouldn’t only happen between OEMs but between suppliers and to and from suppliers to OEMs. Constant communication – that’s the key. 

BEST PRACTICES 

NHTSA is here to support information sharing and collaboration; it’s why Auto-ISAC is such a valued safety partner. 

Safety is paramount at NHTSA – it’s at the heart of everything we do. That includes cybersecurity because a safe vehicle must also be a secure vehicle.  

We follow NIST’s cybersecurity framework and its five key functions: identify, protect, detect, respond and recover. NIST’s cybersecurity framework has informed our research, and our best practices state that the automotive industry should follow that framework. 

I’ll touch briefly on NHTSA’s updated Cybersecurity Best Practices for the Safety of Motor Vehicles, which I unveiled at this conference last year. 

This update is a substantive update to our 2016 guidance, and it was crafted after receiving extensive feedback from industry and other stakeholders. We appreciate everyone’s input and support for this important project. While this document is non-binding, it contains important guidance and tools for industry to apply to your work. 

These best practices leverage research, industry voluntary standards, and learnings from the motor vehicle cybersecurity issues discovered by researchers over the past several years. They reflect NHTSA’s continued cybersecurity research findings, including over-the-air updates, formal verification methods, and static code analysis. 

In addition to general best practices on organizational processes, this document also provides recommendations on education. It also considers aftermarket devices, serviceability, and contemporary technical approaches to securing vehicle systems. 

This is for anyone involved in designing, developing, manufacturing, and assembling a vehicle and its electronic systems and software. Cybersecurity isn’t in the sole domain of OEMs – anyone involved in components and software has a role to play. 

TRUST IN TECHNOLOGY 

Cybersecurity and everyone’s role in it are vitally important because lives are at stake. Technology holds the promise to save lives and reduce or even prevent crashes. But it is imperative that this technology is safe, both in performance and in resilience against cyberattacks. 

Let’s look at pedestrian safety and how technology can help address a rising, tragic trend on our roads. 

October is National Pedestrian Safety Month, an important time to consider how we all can improve safety for vulnerable road users. On average, a pedestrian was killed every 71 minutes in 2021. 

Pedestrians have borne a disproportional share of the fatality increases in the past decade. In fact, pedestrian fatalities increased more than 53 percent from 2012 to 2021 – truly a crisis. 

That’s why NHTSA recently published a Notice of Proposed Rulemaking that would require automatic emergency braking, or AEB, and pedestrian AEB systems on passenger cars and light trucks. This rulemaking includes pedestrian AEB at night when 70 percent of fatal pedestrian crashes occur. When finalized, we expect the standards to dramatically reduce crashes associated with pedestrians and vehicle rear-end crashes. Many crashes will be avoided altogether, while others will be less severe, ultimately saving lives. 

Technology, and the software that powers it, can change and save lives. But it’s up to you – the industry – to ensure it is secure against intrusions, and that you are prepared to act when a threat emerges. Because it will. 

ELECTRIFICATION 

The importance of preparation also applies to emerging technologies like electric vehicles, which may have some unique cybersecurity concerns. EVs are claiming a larger share of the marketplace, and charging stations are popping up in communities across the country. 

Any vehicles themselves could be subject to a cyberattack, and infrastructure presents a point of vulnerability as well. The infrastructure that powers EVs is far from complete, and its final form may look very different. 

The emergent behavior of loosely coupled distributed systems, like EV charging infrastructure, cannot always be well predicted in the design process. It will require vigilance and monitoring. 

NHTSA has and continues to fund research that looks for vehicle vulnerabilities with the assumption of compromised charging infrastructure. While this research did not discover issues with vehicle hardware or software, our work continues. 

We are also researching the cybersecurity of battery management systems. Our ongoing EV study looks at cybersecurity and resiliency issues with different battery management systems and designs. We are evaluating potential mitigation strategies, cyber design best practices, and the resiliency posture of current systems in the face of a cybersecurity attack. We look forward to sharing our results with you when complete. 

It should be noted that our research is limited to the cyber protections implemented on the vehicles themselves; the cybersecurity of EV charging infrastructure falls under the purview of the U.S. Department of Energy, FHWA, and the Joint Office of Energy and Transportation. 

ADS 

Speaking of the future that’s here now, companies are increasingly testing vehicles with automated driving systems across the country. Emerging technologies often come with unique risks and challenges, and that’s no different with automated vehicles. 

NHTSA continues to research whether higher levels of driving automation may introduce unique cybersecurity challenges in finding, mitigating, and managing cybersecurity risks. We are also examining what new tools and methods may be needed to mitigate these risks. 

We are also making changes within our agency to address the growing field of automation. Earlier this year, we established the Office of Automation Safety under NHTSA’s existing Office of Rulemaking. The office will focus on ADS and certain other advanced vehicle technologies. That office will be responsible for developing the next generation of safety standards, evaluating and processing petitions, managing exemptions, and overseeing safety demonstrations. Cybersecurity will certainly be part of their work and a resource for companies seeking to strengthen their posture. 

If you have questions about any aspect of cybersecurity, please reach out to NHTSA’s experts. We are here to help and support you in your efforts to ensure the public’s safety. 

CLOSING 

The stakes are incredibly high because lives are on the line. You can make a difference by communicating and collaborating as colleagues, not competitors. It’s in everyone’s interest to be prepared for cyberattacks and to learn from each other when vulnerabilities are identified. 

I encourage you to continue to engage with others to share best practices, alert each other to vulnerabilities, and conduct exercises. Auto-ISAC facilitates this information sharing and cooperation, so please stay connected and continue communicating with each other. 

A safer, more secure future is in reach – and you can do the work now to prepare for it. A safer vehicle is not only one that protects people inside and outside the vehicle, but one that is resilient and protected against intrusions and threats. 

Thank you so much for your time today, for your commitment to strengthening vehicle cybersecurity, and for welcoming me to this important conference.