interfaces in ECUs will give attackers a way to interfere with both the operational and safety equipment in modern vehicles.
Potential attack scenarios run the gamut from attackers tampering with entertainment and temperature control systems to shutting down vehicles at highway speed and taking remote control of critical safety systems.
The concerns are not purely theoretical. In 2013, two researchers at the Defense Advanced Research Projects Agency (DARPA) showed how they could take remote control of a vehicle's steering and brake system by connecting directly to the controller area network in the car.
The research prompted one concerned lawmaker to send a letter to the heads of several major automakers asking for details on the measures they are putting in place to mitigate such threats.
Automobile manufacturers will need to take a holistic approach to addressing such concerns, the NHTSA said. The focus should not be just on prevention but also on incident detection and response.
As a complement to preventive measures, automakers should consider technologies that are capable of detecting intrusions into vehicle systems through communication interfaces. Vehicular network communication is fairly predictable and therefore well suited to real-time monitoring and anomaly detection, the NHTSA noted.
Automakers should also integrate rapid response capabilities to mitigate the potential harmful effects of an intrusion. The measures could include temporarily shutting down the communication channel that is being exploited, recording and transmitting data back to the automaker for analysis, or simply informing the driver of the risk.
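The predictability the NHTSA points to can be seen in a small timing monitor. The following is an added example, not code from the NHTSA or any automaker: it learns each message ID's usual period from known-good traffic and flags frames that break it. The CAN IDs, periods, thresholds and sample frames are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def learn_baseline(frames):
    """Median inter-arrival time (microseconds) per CAN ID, from known-good traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: median(g) for can_id, g in gaps.items()}

def detect(frames, baseline, fast=0.5, slow=2.0):
    """Flag IDs never seen in the baseline and frames that break their usual period."""
    alerts, last = [], {}
    for ts, can_id in frames:
        period = baseline.get(can_id)
        if period is None:
            alerts.append((ts, can_id, "unknown_id"))
            continue
        if can_id in last:
            gap = ts - last[can_id]
            if gap < period * fast:
                alerts.append((ts, can_id, "too_fast"))   # extra frames on the bus
            elif gap > period * slow:
                alerts.append((ts, can_id, "too_slow"))   # expected frames missing
        last[can_id] = ts
    return alerts

# Constructed sample traffic: (timestamp_us, can_id). IDs and periods are made up.
CLEAN = sorted([(i * 10_000, 0x0C4) for i in range(50)] +
               [(i * 50_000, 0x1A0) for i in range(10)])
# Same traffic plus three extra 0x0C4 frames and one ID absent from the baseline.
LIVE = sorted(CLEAN + [(203_000, 0x0C4), (213_000, 0x0C4), (223_000, 0x0C4),
                       (300_500, 0x7DF)])

if __name__ == "__main__":
    baseline = learn_baseline(CLEAN)
    for ts, can_id, reason in detect(LIVE, baseline):
        print(f"{ts:>7} us  id=0x{can_id:03X}  {reason}")
```

An alert marks the interval that broke the expected period, not which of the two frames was illegitimate; each alert is the kind of event that could be recorded, reported back to the automaker, or surfaced to the driver.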
Currently, there are no formal cyber security standards or frameworks that the auto industry can adopt when implementing such measures, the NHTSA acknowledged. But the auto industry can learn from and adopt some of the general cyber security best practices employed in other industries, such as the information technology, aviation, financial services, and industrial control system sectors, the NHTSA said.
Cyber security has become a lifecycle process in all of these industries and many of them have put in place similar standards for the entire supply chain as well.
The automotive-specific guidelines developed by the European Union's E-safety Vehicle Intrusion Protected Applications (EVITA) could also provide a starting point for the US industry to build on, it said.
"Our initial analyses indicate that an automotive sector-specific information-sharing forum... is beneficial to pursue," the agency said, noting that the Alliance of Automotive Manufacturers and the Association of Global Automakers have already embarked on such an initiative.