Cybersecurity Best Practices for Modern Vehicles

The Policy

What it does

Proposes guidance for improving motor vehicle cybersecurity to prevent and speed recovery from cyber-attacks.


On October 16, 2016, the U.S. Department of Transportation's National Highway Traffic Safety Administration (NHTSA) released its proposed guidance for improving motor vehicle cybersecurity, Cybersecurity Best Practices for Modern Vehicles. The proposed cybersecurity guidance focuses on solutions to ensure vehicle systems are designed to take appropriate and safe actions against cyber-attacks, even when an attack is successful. The guidance recommends risk-based prioritized identification and protection of critical vehicle controls and consumers' personal data. Further, it recommends that companies should consider the full life-cycle of their vehicles and facilitate rapid response and recovery from cybersecurity incidents.

This guidance highlights the importance of making cybersecurity a priority for the automotive industry, and suggests that companies should demonstrate it by allocating appropriate and dedicated resources related to vehicle cybersecurity matters.

The guidance suggests voluntary best practices for researching, investigating, testing and validating cybersecurity measures. NHTSA recommends the industry self-audit and consider vulnerabilities and exploits that may impact their entire supply-chain of operations. The agency also recommends employee training to educate the entire automotive workforce on new cybersecurity practices and to share lessons learned with others.

The best practices guidance is based on public feedback gathered by NHTSA, as well as the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The proposed guidance follows actions by other entities on motor vehicle cybersecurity, including SAE J3061 Recommended Best Practice: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems and the executive summary to the Automotive Cybersecurity Best Practices issued by the Auto-ISAC in, collaboration with the motor vehicle trade associations, in July 2016. NHTSA's guidance also suggests that organizations should consider and adopt all applicable industry best practices.

The comment period for the document ended on November 28, 2016.

This summary is adapted from the NHTSA press release announcing the release of the proposed guidance.