Cyber Security practices of automakers & NHTSA questioned

Members of the House Energy and Commerce Committee asked seventeen automakers and the National Highway Traffic Safety Administration (NHTSA) how they will address cyber security issues for connected cars.

GM, Ford, FCA North America, Toyota, Honda, Nissan, Hyundai, Mazda, Mitsubishi, Kia, Subaru, Mercedes-Benz, Volvo, Volkswagen, Audi, Porsche, and Tesla were sent letters with cyber security questions.

The letters note that connected cars offer consumers convenience and safety that depend on consumer confidence. Though threats are currently slim, as the technology becomes more prevalent, there may be more risks. The committee wants NHTSA and automakers to be prepared and develop strategies to mitigate risks.

The committee has done its research. They predict as many as 300 million lines of code in cars in the future. Because software is complex, it can be vulnerable.

The committee wants to know:

  • What kind of organizational structure is dedicated to evaluating, testing and monitoring cyber threats.
  • How the automakers use cyber security in their products.
  • What policies automakers use to evaluate cyber threats in design and testing.
  • How cyber security is monitored for products from suppliers and how the automakers work with suppliers to reduce risks.
  • How cyber threats are tracked in products.
  • How the automakers will remediate cyber security problems after the car is on the market.
  • If the company uses over-the-air (OTA) updates to patch vulnerabilities.
  • If automakers use public keys or certifications for secure communications.
  • What steps have been taken to secure Wi-Fi/infotainment systems that interact with safety systems and outside mobile devices.
  • They also want to know how automakers work with the security research communities, their greatest challenges and how they are working with the federal government.

Similar questions were sent to NHTSA. The committee leaders are requesting responses by June 11, 2015.

Earlier this year, Senator Ed Markey released a report warning of security and privacy issues based on information provided by automakers. He is currently working on legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy.

Although automakers generally don’t discuss specifics in public, they do have cyber security practices and cooperate with the federal government.

“Automakers lead the way in developing and utilizing innovative technologies in vehicle hardware,” said auto industry group Alliance of Automobile Manufacturers Federal Affairs Director Michael Spierto. “Our absolute top priorities include driver safety and the safety of our vehicles. Today that means network security must be incorporated from design to delivery.”

The Association of Global Automakers is part of the Smart Transportation Innovation Coalition that would like Congress to accelerate the deployment of existing and future connected smart vehicle technologies.

In a report, the staff of the Federal Trade Commission recommended best-practice measures to enhance and protect consumers’ privacy and security in dealing with the Internet of Things in America.

Global Automakers and the Alliance of Automobile Manufacturers agreed to auto industry consumer privacy protection principles for vehicle technologies and services in November 2014.