Auto-ISAC Keynote

As Prepared for Delivery

Kevin (Tierney), thank you for that welcome. It’s my pleasure to be here at this eighth annual Auto-ISAC Cybersecurity Summit and join you in recognizing October as National Cybersecurity Awareness Month. I would also like to recognize Faye Francy – thank you for your leadership of this vital organization. 

NHTSA proudly supports Auto-ISAC and your mission to strengthen cybersecurity through the open sharing of information. As your motto states, an attack on one is an attack on all.  

Auto-ISAC demonstrates that the industry is working together to hold a united front against potential attacks and malicious actors. 

We have supported numerous Auto-ISAC initiatives over the years, including the Automotive Cybersecurity Training Program. An educated workforce is a prepared workforce, and NHTSA developed this pilot program with Auto-ISAC to help engineers build these core competencies. 

Auto-ISAC developed certification and sustainment plans to make this program permanent, and we encourage you to explore these courses and make them available to your teams. 

Continuing education is critically important, especially in such a dynamic field. Your conference theme sums it up nicely, “Revving Up Resilience: Security Meets Innovation.” 

This is an energizing theme at an exciting time in the auto industry. The very nature of cybersecurity demands continued vigilance, strength, agility and resourcefulness. Threats can emerge at any time, and so we must ask ourselves: Are we going to be proactive or reactive? 

RESILIENCY 

Being proactive is not easy, or fast. Think about the time and energy each of you dedicate to preventing and responding to any possible intrusions. How do those steps help you reach that ultimate goal of building a cyber resilient system? 

Who are your best people who plan ahead and design the features, systems and processes that can quickly mitigate any adverse effects, limit the scalability of a potential attack, and facilitate rapid recovery? 

Again, as your conference theme suggests, securing innovation goes hand in hand with resilience. 

Many factors make resiliency a complex endeavor. While diversity in vehicle architectures, technologies, and functions makes applying general rules challenging, this diversity may also prevent a single exploit’s use across products, limiting scalability of an attack. 

Modern vehicles incorporate a range of safety, efficiency and convenience features driven by sophisticated software. However, developing, verifying, and validating this complex software can be challenging. 

Errors hidden in software – errors that can go undetected because they don’t impact the operation of the feature itself – can potentially be exploited later in unforeseen ways. 

As you all know, today’s vehicles commonly incorporate wireless connectivity technologies such as terrestrial cellular and satellite-based services, as well as local wireless technologies such as wi-fi and Bluetooth. 

These wireless pathways increase attack surfaces, which may allow an attacker to access a vehicle and exploit software weaknesses. In a worst-case scenario, this could lead to remote manipulation of the vehicle or a vehicle’s critical safety system. 

When it comes to cybersecurity, the industry is only as strong as your weakest link. A vulnerability in a supplier’s component can affect multiple OEMs. 

Malicious actors may discover a way into one company’s software and then exploit a similar weakness in other manufacturers’ products. A free flow of information, facilitated by Auto-ISAC, ensures everyone is strong, prepared and resilient in the face of attacks. 

Cyber resiliency principles can help guide a proactive approach to these risks and weak points. 

The National Institute of Standards and Technology offers four principles to be cyber resilient: Anticipate, withstand, recover and adapt. These principles may seem a bit obvious to everyone in the room, but they bear repeating. 

We proactively anticipate threats before they happen. We withstand threats by understanding them and mitigating them using strategies and recommendations from existing standards, guidance and best practices. 

Then we recover by implementing strategies that return the vehicle to a safe state. Finally, we adapt and develop new procedures and policies. 

NHTSA’s Vehicle Cybersecurity Best Practices align with and reinforce these four resiliency goals. Our best practices also encourage information sharing and collaboration. We encourage you to turn to them when you have questions and as you develop your own plans and procedures. 

AGENCY COLLABORATION 

And as we support and encourage the sharing of information here, we also take a collaborative approach by sharing information and expertise across the federal government. 

The White House’s National Security Council and National Cyber Director have taken the lead in coordinating these issues across the government, with agencies like NHTSA contributing technical assistance as requested. 

As a result of these inter-agency discussions, the U.S. Department of Commerce, through its Bureau of Industry and Security, recently proposed a rule to secure and safeguard the automotive industry’s supply chain from adversary threats. 

The Bureau of Industry and Security’s proposal would ban the import or sale of connected vehicles that integrate certain software and hardware made by foreign entities with a nexus to the People’s Republic of China and Russia.  

NHTSA provided technical assistance to the Commerce Department on this rulemaking as an inter-governmental working group participant. You will hear more details about this rule tomorrow from Ms. Liz Cannon, Executive Director of the Office of Information and Communications Technology and Services at the Bureau of Industry and Security. 

Just as everyone in this room knows, the work each of us does in this connected world complements other activities in the cybersecurity space. We recognize the critical links between national security, cybersecurity, and the personal privacy of U.S. citizens. 

Malicious, state-supported groups routinely attempt to infiltrate critical networks and high-profile targets, and we should all be vigilant that these same actors may look for pathways into vehicles and vehicle components as well. 

NHTSA also collaborates with the White House and other agencies to ensure that the digital technologies supporting the clean energy transition are secure and resilient by design. 

NHTSA also helped identify priority technologies for cybersecurity and resiliency improvements, including batteries, battery management systems, electric vehicles and EV supply equipment. 

We’ve provided technical assistance to our federal colleagues, and have committed to publishing three cybersecurity research reports on EVs and EV equipment in support of this effort. 

We look forward to sharing these reports with you when they are complete and will continue to collaborate across the whole of government to help strengthen our national security and cybersecurity posture. 

NHTSA’S ROLE 

That’s because NHTSA’s mission – across the agency and in all of our work – is safety. A vehicle that is appropriately protected against cybersecurity threats will be safer for its occupants and others on the road. 

NHTSA maintains world-class capabilities that allow us to conduct independent risk assessments, which allows us to quickly respond and remedy any issues that could lead to unreasonable risks. 

We maintain a high level of vigilance because collectively we can never let our guard down when it comes to safety-critical systems. 

NHTSA continues to leverage our broad enforcement authorities to protect the public from unreasonable risks to safety. That includes overseeing the safety recall process to ensure defects are identified, reported and remedied promptly. 

RECALL OVERSIGHT 

Many of you may remember the first-ever cybersecurity safety recall back in 2015, known by many as the “Jeep Hack.” Fortunately for everyone, this OEM system defect was discovered by two ethical security researchers, eventually resulting in a recall of 1.4 million vehicles. 

Since then, we have continued to monitor the reporting of vehicle cybersecurity incidents and vulnerabilities through various channels. Over the last 10 years or so, we have closely assessed more than 75 such cases. 

Last month, one of those cases, again reported by ethical security researchers, resulted in a second cybersecurity safety recall. Unlike the “Jeep Hack”, this recall was for an aftermarket device, but this new recall also involved wireless connectivity. 

The recalled device interfaces with a heavy vehicle’s databus, opening up the possibility that a compromised device could be used as a proxy to influence the behavior of safety-critical vehicle systems. 

The device in question uses telematics for electronic data logging, and I’ll note that our cybersecurity best practices warn of safety vulnerabilities from non-safety related systems such as telematics devices. 

Our Vehicle Research and Test Center’s Cybersecurity Lab verified these reports through lab testing. 

Our researchers demonstrated that the vulnerability could present opportunities for an unauthorized third party to reprogram the units, allowing a malicious actor to potentially spoof packets on the vehicle’s databus. 

This device is considered a piece of motor vehicle equipment under the National Traffic and Motor Vehicle Safety Act, and the company involved subsequently recalled 140,000 units. 

This recall is a success story at the end of the day – the defect was identified by ethical researchers, and it was recalled before it could be exploited. It also serves as a case study for the industry because these risks are very real. 

RESEARCH 

Underpinning all of NHTSA’s work is our robust research program. This research provides invaluable insights that inform all of the agency’s policies, including rulemaking, enforcement, vehicle safety, behavioral safety, and more. 

Our cybersecurity research program is cross-cutting, as the results apply to conventional vehicles as well as those equipped with advanced driver assistance systems and automated driving systems. I’d like to touch briefly on several ongoing research projects of special interest to Auto-ISAC’s members. 

The first examines the cybersecurity and cyber resilience of vehicle electrical and electronics architecture. NHTSA’s researchers examined publicly available data and manuals and studied various architectures on a cross section of vehicle makes and models. 

Our researchers learned that repair manuals do not provide enough information for cybersecurity evaluation. They also found a lack of information about security architectures, and that cybersecurity implementation details are still generally treated as proprietary. 

I’ll say it again – free and open information sharing is vital to effectively protecting against cyberattacks, and organizations like Auto-ISAC are critical to facilitating these ongoing dialogues. 

The second project I’d like to highlight examines zero trust for in-vehicle networks. 

Zero trust is a foundational principle of cybersecurity – never trust, always verify. Access control and network segmentation add protected areas and prevent lateral movement if a system is breached. 

NHTSA is examining this concept to see if it can be applied to vehicle networks as well. 

Our third project looks at the cybersecurity and cyber resilience of wireless battery management systems between the controller boards and the batteries. 

These wireless systems introduce a different attack surface from wired battery management systems, and so their cyber resilience may present different challenges. 

Our project seeks to better understand how this impacts cyber resilience. 

And finally, our fourth project looks at over-the-air updates, an increasingly common way of remedying recalls and pushing updates to vehicles. 

This project is an update to our 2022 report entitled the Cybersecurity of Firmware Updates, and it will build on our understanding of OTA update methods. 

We look forward to publishing all of these reports when final. 

I’d also like to invite you to join us virtually next week for our annual Safety Research Portfolio Public Meeting. The event runs October 28-30, and on the 29th, we’ll hold a session on vehicle electronics, cybersecurity, and alternative fuels. 

We hope many of you can join us to learn more about the diverse research underway across our agency. 

We hope all of our research will further our collective understanding, readiness and resiliency in the face of cybersecurity threats. 

CLOSING 

As I said a few minutes ago, when it comes to cybersecurity, we are only as strong as our weakest link. NHTSA is here to answer your questions and be a resource for you in your efforts to be nimble, resilient and cyber safe. Our door is always open to you. 

Open communication is key, and a vulnerability affecting one vehicle or company may soon affect all, putting safety at risk and undermining the adoption of new technologies. I encourage you to share best practices, notify each other of vulnerabilities, and stay alert. 

Open communication makes everyone stronger and can prevent a vulnerability from becoming a full-fledged attack. You can make a difference by communicating and collaborating as colleagues, not competitors. 

I applaud Auto-ISAC for bringing us all together and facilitating a culture of information sharing. Thank you for everything you do to make the industry stronger and safer together, and thank you very much for your time today.