NHTSA/SAE Cybersecurity Workshop Keynote

Marc (LeDuc), thank you very much for that introduction. While this is my first NHTSA/SAE Cybersecurity Workshop, I know many of you attend every year. This is the seventh annual cybersecurity workshop, and I thank SAE for their longstanding collaboration with NHTSA. 
We value our close working relationship and thank you for your help in making today’s workshop a reality. I also want to thank our NHTSA staff who were integral in planning this event.

Technology is changing rapidly in every field, and the automotive industry is no exception. Remote wireless communications interacting with driving control technologies create an expanded attack surface, resulting in increased risk due to the variety of new interfaces and automated capabilities. This should concern all of us. At NHTSA, our focus is on the safety implications of cybersecurity, especially related to new vehicle safety systems.

New technologies have the potential to save lives, reduce injuries and prevent crashes, but these technologies will only be adopted widely if the public trusts them and believes they are safe, both in performance and in resilience against cyberattacks.

After all, the hacking of vehicles is a frequent plot point in movies and TV. The idea of a remote takeover of a fleet of vehicles with advanced driver assistance systems may be exciting in fiction, but it’s terrifying in reality. So, that’s what the industry is facing when it looks at public trust and confidence. Will we have a safe and trustworthy rollout of increasingly advanced technologies, or will we see the worst-case scenario?

As an industry, you have the power to strengthen public trust and promote safe technology adoption. And you can do this by shoring up your cybersecurity posture by sharing information. A weakness in one vehicle or component could quickly become an industry-wide vulnerability.
A National Institute of Standards and Technology security principle really says it best: System security should not depend on the secrecy of the implementation or its components. Transparency and security go hand in hand. 

That’s why NHTSA supported and helped establish Auto-ISAC, and why we encourage everyone in the automotive space to actively participate and collaborate within this important organization. And NHTSA’s cybersecurity best practices promote information sharing through organizations like Auto-ISAC. 

Our Cybersecurity Best Practices for the Safety of Modern Vehicles, which we updated in 2022, is an excellent resource for everyone interested in strengthening their cybersecurity posture. It provides general best practices as well as technical best practices to protect in-vehicle networks. Recommendations include authentication and boundary controls with the goal of keeping safety-critical communications separate. These best practices leverage research, industry best standards, and learning from the motor vehicle cybersecurity issues discovered by researchers over the past several years. They reflect NHTSA’s continued cybersecurity research findings, including over-the-air updates, formal verification methods, and static code analysis. They also emphasize that a strong cybersecurity posture through information sharing can and should be a critical part of the industry’s safety culture. In addition to general best practices on organizational processes, this document encourages an emphasis on education. We cannot overstate the importance of training the workforce to be prepared for today and tomorrow’s threats. It also considers aftermarket devices, serviceability, and contemporary technical approaches to securing vehicle systems. This is for anyone involved in designing, developing, manufacturing, and assembling a vehicle and its electronic systems and software. Cybersecurity isn’t the sole domain of OEMs – anyone involved in components and software has a role to play.

NHTSA tests and researches components and software at our Vehicle Research and Test Center in Ohio, where we have an established cybersecurity laboratory. This lab supports the investigation of reported cybersecurity incidents and researches new tools and techniques to continually build capabilities. The VRTC, as we call it, is an outstanding resource that helps us strengthen vehicle safety in many ways. The VRTC plays a critical role in our work to ensure the safety of vehicles with increasing levels of automation. NHTSA continues to research whether higher levels of driving automation may introduce unique cybersecurity challenges in finding, mitigating, and managing cybersecurity risks. 

In addition to automation, we are looking toward an electric future by researching the cybersecurity of battery management systems. Our ongoing EV study looks at cybersecurity and resiliency issues with different battery management systems, architectures, and designs. We are evaluating potential mitigation strategies, cyber design best practices, and the resiliency posture of current systems in the face of a cybersecurity attack. We look forward to sharing our results with you when complete.

NHTSA also funds research that looks for vehicle cybersecurity risks with the assumption of compromised charging infrastructure. However, a resilient vehicle architecture would assume that external systems like chargers that interface with the vehicle could be compromised and, therefore, vehicle systems must be designed to provide a safe response regardless. At NHTSA, we are interested in such zero-trust concepts and are further researching this area.

We are also examining security implications of a more connected world. After all, drivers and passengers expect to be able to connect their phones to their vehicles and interact seamlessly.

We have an ongoing research project examining in-vehicle infotainment systems to better understand the cybersecurity and risks associated with various vehicle and mobile device pairing technologies and applications.

As you can see, NHTSA is engaged in cybersecurity issues in many ways, and we’re also here to support you. If you have questions about any aspect of our work in cybersecurity, please reach out to NHTSA’s experts. We are here to help in your efforts to ensure the public’s safety.

We have an exciting lineup for you this afternoon. We’ve structured this year’s workshop a little differently to facilitate deeper discussions on the following key issue areas and questions. First, we’ll look at aftermarket devices, which can be linked with critical systems in a motor vehicle. How should the broader stakeholder community respond to aftermarket device vulnerabilities? Second, we’ll discuss the criticality of securing vehicle systems. Given that attack surfaces and criticality vary from device to device, how should cybersecurity efforts be prioritized? Next, we’ll address web-based functionality. How should the broader community approach the security of web-based services? Then, we’ll look at real-world threat analysis. Can we have standardized threat analysis techniques, and which ones deserve a particular focus? And finally, we’ll have some time for open discussion about “what keeps you up at night.”

We are eager to hear from our panelists as well as the audience, and we’re looking forward to a robust afternoon of discussion and debate. Many thanks to all of you for being here today, and I’ll turn back to Marc to start our panel discussion.

Thank you very much.