The Top Six Takeaways from Auto-ISAC's and NHTSA’s Cybersecurity Best Practices

As cars continue to rely more and more on systems that closely resemble those that run mobile phones and personal computers, it’s no surprise that the original equipment manufacturers (OEMs) and suppliers of car parts need to make major adjustments.

While meeting these evolving demands on the production end, OEMs and suppliers also need to carefully navigate the new legal and compliance landmines that come with the shifting emphasis on cybersecurity.

The modern-day car is less a computer on wheels and more a network of several computers on wheels. The individual computers control everything from the car’s stereo system to its breaking, and even ignition systems.

Our cars are collecting more and more information about our daily lives and personal interactions. It’s estimated that by 2020, some 250 million connected cars will be using over 200 sensors each to collect this information. As a result, the importance of privacy and security of connected cars has become a top priority for carmakers and suppliers alike.

The reality is that absolute security can never be guaranteed in complex systems such as telematics and infotainment systems in cars. Automakers and suppliers involved in developing these systems need to stay constantly vigilant in order to keep cars safe from cyberattacks. With that in mind, we’ve compiled the top 6 takeaways from the National Highway Transportation Safety Administration’s recent Cybersecurity Best Practices for Modern Vehicles and the Auto Information Sharing and Analysis Center’s Automotive Cybersecurity Best Practices.

1. Practice “security by design.”

This is a concept recently espoused by federal regulators, namely, the NHTSA and the Federal Trade Commission, as well as industry self-regulatory organizations. With security by design, a company addresses data security controls “day 1,” while products, components, and devices are still on the drawing board. Data security practices evolve over time, and the days of building it first and then layering security on top are now over. Security by designs should include the following during the design and development phases:

• Risk assessments
• Security design reviews
• Addressing potential threats and attack targets
• Product testing
• Secure computing, software development, and networking practices

2. Practice “privacy by design.”

Privacy focuses on the right and desire of individuals to keep information about themselves confidential. During the design process, companies should understand and identify:

• What personal information will be collected by a component or device;
• What notice should be provided to or consent obtained from consumers before collecting that personal information;
• How the personal information should be used
• Are those intended uses legal
• With whom will the personal information be shared
• Is that sharing appropriate and legal.

With this information identified, the company can reconcile privacy requirements with security safeguards during the design and development process.

3. Establish an appropriate data security governance model.

Regulators, courts, and juries are demanding that executives senior management become involved in and accountable for data security. While the precise governance model will depend on the organization, companies should actively consider what level of executive oversight is appropriate, and then document those conclusions in a data security governance policy. This will help by both enhancing the data security of vehicles and component parts, and also bolstering the company’s defenses in the event of a security incident or investigation.

4. Address the entire supply chain.

Whether it is the finished vehicle or a component part, most companies relevant to the data security ecosystem will rely on suppliers that play a role in data security. Hardware, software, development tools, assembly, integration, and testing may all be provided by one or more suppliers. Companies impacted by this scenario should conduct appropriate due diligence and risk assessments with respect to its suppliers at the beginning and throughout the relationship. Contractual provisions should also be utilized to address data security requirements for the relevant suppliers.

5. Incident response and recovery.

Companies should develop and implement a security incident response plan. These plans identify what the organization should do if it or its products are the victim of a data security incident — a potential or actual breach of security impacting the confidentiality, integrity, or availability of data. The plan should address not only the company’s own networks, but also its products, if any of them impact the confidentiality or security of data. An incident response team should be in place to coordinate an enterprise-wide response to a cybersecurity incident. The plan should be periodically tested through incident simulations in order to promote response team preparedness.

6. Education and awareness.

An educated workforce is crucial to improving the cybersecurity posture of motor vehicles. Cybersecurity educational activities should not be limited to the current workforce or technical individuals, but should also enrich the future workforce and non-technical individuals.

For Additional Information About These Developments and More

Foley’s experienced Automotive Industry Team has prepared a full report, entitled Top Legal Issues Facing the Automotive Industry in 2017, that examines the road ahead regarding antitrust, security, labor and employment, M&A, and more. Download it today.