The United States Department of Transport (DOT) has published draft guidelines on how car makers should protect against dangerous breaches of increasingly software-driven vehicles.
Issued by the DOT's National Highway Traffic Safety Administration (NHTSA), the guidance follows several high-profile reports and demonstrations that show how easy it could be to hack some cars, with potentially devastating results.
For example, researchers Charlie Miller and Chris Valasek hacked a Jeep Cherokee to control the vehicle's steering, accelerator and brakes while it was moving. Poor security could also explain a spate of mysterious thefts and burglaries of cars that left no physical evidence.
NHTSA developed the guidance based on public feedback and the US National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
The non-binding guidance suggests best practices for researching, investigating, testing and validating car cybersecurity measures, the department said.
NHTSA wants car makers to self-audit, consider vulnerabilities and exploits that could impact their entire supply chain, educate their workforces and share information with one another.
As part of the recommendations, the NHTSA suggests manufacturers limit and maybe even eliminate developer access to electronic control units in vehicles. This could mean removing diagnostics, debugging and serial console ports, and physically and logically isolating critical electronic components.
The government agency also wants car makers to limit the ability of anyone other than manufacturers themselves to modify firmware for vehicle electronic components, through measures such as digital signing and encryption of code.
NHTSA is inviting the public to comment on the proposed cybersecurity guidance for car makers for the next 30 days, before releasing a final version of the text.