The Top Six Takeaways from Auto-ISAC's and NHTSA’s Cybersecurity Best Practices

02 March 2017 Dashboard Insights Blog
Author(s): Chanley T. Howell

As cars continue to rely more and more on systems that closely resemble those that run mobile phones and personal computers, it’s no surprise that the original equipment manufacturers (OEMs) and suppliers of car parts need to make major adjustments.

While meeting these evolving demands on the production end, OEMs and suppliers also need to carefully navigate the new legal and compliance landmines that come with the shifting emphasis on cybersecurity.

The modern-day car is less a computer on wheels and more a network of several computers on wheels. The individual computers control everything from the car’s stereo system to its breaking, and even ignition systems.

Our cars are collecting more and more information about our daily lives and personal interactions. It’s estimated that by 2020, some 250 million connected cars will be using over 200 sensors each to collect this information. As a result, the importance of privacy and security of connected cars has become a top priority for carmakers and suppliers alike.

The reality is that absolute security can never be guaranteed in complex systems such as telematics and infotainment systems in cars. Automakers and suppliers involved in developing these systems need to stay constantly vigilant in order to keep cars safe from cyberattacks. With that in mind, we’ve compiled the top 6 takeaways from the National Highway Transportation Safety Administration’s recent Cybersecurity Best Practices for Modern Vehicles and the Auto Information Sharing and Analysis Center’s Automotive Cybersecurity Best Practices.

1. Practice “security by design.”

This is a concept recently espoused by federal regulators, namely, the NHTSA and the Federal Trade Commission, as well as industry self-regulatory organizations. With security by design, a company addresses data security controls “day 1,” while products, components, and devices are still on the drawing board. Data security practices evolve over time, and the days of building it first and then layering security on top are now over. Security by designs should include the following during the design and development phases:

  • Risk assessments
  • Security design reviews
  • Addressing potential threats and attack targets
  • Product testing
  • Secure computing, software development, and networking practices

2. Practice “privacy by design.”

Privacy focuses on the right and desire of individuals to keep information about themselves confidential. During the design process, companies should understand and identify:

  • What personal information will be collected by a component or device;
  • What notice should be provided to or consent obtained from consumers before collecting that personal information;
  • How the personal information should be used
  • Are those intended uses legal
  • With whom will the personal information be shared
  • Is that sharing appropriate and legal.

With this information identified, the company can reconcile privacy requirements with security safeguards during the design and development process.

3. Establish an appropriate data security governance model.

Regulators, courts, and juries are demanding that executives senior management become involved in and accountable for data security. While the precise governance model will depend on the organization, companies should actively consider what level of executive oversight is appropriate, and then document those conclusions in a data security governance policy. This will help by both enhancing the data security of vehicles and component parts, and also bolstering the company’s defenses in the event of a security incident or investigation.

4. Address the entire supply chain.

Whether it is the finished vehicle or a component part, most companies relevant to the data security ecosystem will rely on suppliers that play a role in data security. Hardware, software, development tools, assembly, integration, and testing may all be provided by one or more suppliers. Companies impacted by this scenario should conduct appropriate due diligence and risk assessments with respect to its suppliers at the beginning and throughout the relationship. Contractual provisions should also be utilized to address data security requirements for the relevant suppliers.

5. Incident response and recovery.

Companies should develop and implement a security incident response plan. These plans identify what the organization should do if it or its products are the victim of a data security incident — a potential or actual breach of security impacting the confidentiality, integrity, or availability of data. The plan should address not only the company’s own networks, but also its products, if any of them impact the confidentiality or security of data. An incident response team should be in place to coordinate an enterprise-wide response to a cybersecurity incident. The plan should be periodically tested through incident simulations in order to promote response team preparedness.

6. Education and awareness.

An educated workforce is crucial to improving the cybersecurity posture of motor vehicles. Cybersecurity educational activities should not be limited to the current workforce or technical individuals, but should also enrich the future workforce and non-technical individuals.

For Additional Information About These Developments and More

Foley’s experienced Automotive Industry Team has prepared a full report, entitled Top Legal Issues Facing the Automotive Industry in 2017, that examines the road ahead regarding antitrust, security, labor and employment, M&A, and more. Download it today.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services