Does Implementation of ISO/SAE 21434 Bring NHTSA's Cybersecurity Best Practices Along For the Ride?
Significant changes in cybersecurity are underway in the automotive industry. Indicative of these changes is a new update to the National Highway Traffic Safety Association’s (NHTSA) Cybersecurity Best Practices for the Safety of Modern Vehicles. NHTSA has incorporated feedback on their 2016 version of this document, including recommendations to align with other industry initiatives. Many of the newly added best practices align with the ISO/SAE 21434 specification titled “Road Vehicles – Cybersecurity Engineering.” ISO/SAE 21434 is a cybersecurity framework for automotive companies to “define cybersecurity policies and processes, manage cybersecurity risk, and foster a cybersecurity culture.”
This article addresses how closely NHTSA’s general best practice recommendations align with ISO/SAE 21434. In particular, we address the question: are you meeting NHTSA’s general best practices by implementing ISO/SAE 21434 recommendations? The short answer is no: most, but not all, of NHTSA’s general best practices will be covered. Below you’ll find 15 NHTSA recommendations that might not or will not be covered after applying ISO/SAE 21434. You should consider reviewing these remaining recommendations to ensure you are meeting all of NHTSA’s general best practices.
NHTSA General Best Practices' Alignment with ISO/SAE 21434
NHTSA’s document classifies its best practices into two categories: general best practices and technical best practices. A discussion on NHTSA’s technical best practices will be addressed in a subsequent article. NHTSA lists 43 general best practice recommendations in their new document. Direct reference is made by NHTSA to ISO/SAE 21434 for 14 out of the 43 recommendations. Another 14 can be directly aligned with clauses, requirements, work products, or annexes in ISO/SAE 21434. It’s expected another four will be covered as a result of the application of ISO/SAE 21434’s risk assessment process leading to matching requirements and controls. This leaves 11 NHTSA general best practices not necessarily covered by ISO/SAE 21434.
NHTSA General Best Practices Recommendations Not Covered by ISO/SAE 21434
There are eleven NHTSA general best practices recommendations not covered by ISO/SAE 21434 (see Table 1 below). These recommendations are not coming along for the ride because they are:
- Specific in nature and ISO/SAE 21434 “does not prescribe specific technology or solutions related to cybersecurity”;
- Related to industry collaboration, an area ISO/SAE 21434 does not address; and,
- U.S.-specific and would not apply.
Table 1. NHTSA General Best Practice Recommendations Not Covered By ISO/SAE 21434
|NHTSA Best Practice Number|Short Description of NHTSA General Best Practice Recommendation|Category|
|---|---|---|
|G.17|Auto industry members should implement rapid incident detection to mitigate safety risks and transition the vehicle to a minimum risk condition.|Technically Specific|
|G.23|Manufacturers should participate in best practices development and join Auto-ISAC.|Industry Collaboration|
|G.24|Extended automotive industry companies are recommended to join Auto-ISAC.|Industry Collaboration|
|G.25|Auto-ISAC members should collaborate expeditiously to contain vulnerabilities.|Industry Collaboration|
|G.28|Manufacturers to assess metrics for a response process.|Technically Specific|
|G.30|Manufacturers should plan for addressing new vulnerabilities for vehicles in the field, at dealers, in inventory, and in future vehicles.|Technically Specific|
|G.31|Manufacturers should report incidents to CISA and US-CERT.|U.S.-Specific|
|G.32|Auto industry members should participate in cyber incident response exercises such as CyberStorm.|Technically Specific|
|G.38|Auto industry members should collaborate on workforce educational efforts.|Industry Collaboration|
|G.40|Connections to 3rd party devices should be authenticated and only given limited access.|Technically Specific|
|G.43|Cybersecurity protections should not unduly restrict access of 3rd party repair services.|U.S.-Specific|
The five technically specific recommendations not covered by ISO/SAE 21434 are G.17, G.28, G.30, G.32, and G.40. Recommendation G.17 is specific to incident response and calls for rapid detection, remediation, and transition of the vehicle to a minimal risk condition. BG Networks is developing a technology for real-time incident response capability, which is a major leap forward in this area of cybersecurity protection. Contact BG Networks for more information on this exciting new technology.
Recommendation G.40 is a specific recommendation with respect to authentication and limitation-of-access security controls for 3rd party devices. For this recommendation to be met by applying ISO/SAE 21434, automotive OEMs and 3rd party device manufacturers would need to collaborate. With this collaboration and proper application of ISO/SAE 21434 clauses 7, 8, and 9, goals aligned to the NHTSA recommendation would most likely be identified.
Recommendations G.28 and G.32 are to improve incident response. They are not directly covered by ISO/SAE 21434 but could be an outcome because process improvements are generally addressed in requirement RQ-05-09, which calls for continuous improvement for all processes.
Finally, recommendation G.30 relates to scenarios addressing vulnerabilities in the field and throughout the chain of distribution. Given this specific nature, auto manufacturers should carefully consider this recommendation when applying ISO/SAE 21434 processes.
Four NHTSA recommendations related to industry collaboration are G.23, G.24, G.25, and G.38. NHTSA’s recommendations G.23, G.24, and G.25 encourage participation in industry best practices, standards-setting, and the Auto-ISAC, an industry-driven community for sharing, tracking, and analyzing intelligence about cyber threats, vulnerabilities, and incidents related to the connected vehicle. Best practice G.38 encourages an automotive industry-wide effort, in collaboration with universities, to train the workforce for automotive cybersecurity roles to address the cybersecurity skill gap in the industry.
Finally, NHTSA best practices G.31 and G.43 are U.S.-specific and not covered by ISO/SAE 21434 given it is a world-wide standard. Recommendation G.31 calls for incident reporting to CISA/US-CERT, and G.43 touches upon the right to repair.
NHTSA General Best Practice Recommendations Covered by the Application of ISO/SAE 21434
There are four NHTSA general best practices that are not directly aligned with ISO/SAE 21434 but are expected to be met as a result of applying certain ISO/SAE 21434 processes (see Table 2 below).
Table 2. NHTSA General Best Practice Recommendations Covered by the Application of ISO/SAE 21434
|NHTSA Best Practice Number|Short Description of NHTSA General Best Practice Recommendation|
|---|---|
|G.6|Evaluate risks from sensor spoofing and jamming (e.g., GPS)|
|G.10|Create a database of operational software components maintained|
|G.11|Track software details to know which ECUs are affected|
|G.14|Employ incentivized testers who are not part of the development team|
NHTSA’s G.6 recommendation covers a specific threat vector (e.g., sensors used to determine the position and the location of objects) that is particularly important to autonomous vehicles and would be addressed with a proper application of ISO/SAE 21434 processes.
Best practices G.10 and G.11 align with a new European Union Regulation (WP.29-2020-80) concerning software updates and software management systems. By applying the processes described in ISO/SAE 21434 clauses 9 and 10 (Concept Phase and Product Development), manufacturers will most likely be complying with these NHTSA best practices.
Finally, NHTSA G.14 is a specific recommendation that could be covered in ISO/SAE 21434’s RQ-05-08 requirement stating personnel involved in cybersecurity need to have the competencies to fulfill their responsibilities. However, it is possible that G.14 may not be an outcome from this ISO/SAE 21434 requirement, so manufacturers should independently consider implementing NHTSA recommendation G.14.
Aligning NHTSA Cybersecurity Recommendations and ISO/SAE 21434 Will Benefit the Entire Automotive Industry
NHTSA has done an excellent job of aligning its automotive cybersecurity general best practices to industry standards. ISO/SAE 21434 is most relevant now because it is a reference implementation for the two new regulations that have gone into effect in UNECE countries. While ISO/SAE 21434 will impact automotive companies’ world-wide operations, NHTSA recommendations certainly will help with the adoption of ISO/SAE 21434 for vehicles used in the U.S.
The alignment of these recommendations brings the automotive industry closer to a single world-wide standard for an automotive cybersecurity framework. This is an incredibly positive development as the pace for automotive innovation has accelerated but can be threatened by weak cybersecurity. By following this article’s recommendation of applying NHTSA and ISO/SAE 21434 general best practices, auto manufacturers can help prevent weak cybersecurity and advance the adoption of a single cybersecurity framework standard for the entire industry.
If you need assistance implementing the processes outlined in ISO/SAE 21434, BG Networks’ consulting services can help. BG Networks offers services for cybersecurity risk and vulnerability assessments and the development of cybersecurity goals, concepts, and requirements for new product developments. After cybersecurity requirements for ECUs are developed, BG Networks can leverage this knowledge and offer cybersecurity software development and testing services. We love talking about embedded cybersecurity and offer free consultations.