NHTSA Cybersecurity Guidance Emphasizes a Layered Response

Identify, protect, detect, respond, recover.

That’s the threat response sequence in a new guidance document on cybersecurity best practices for modern vehicles, issued late last month by the U.S. National Highway Traffic Safety Administration (NHTSA). The draft is open for comment until November 23. And while it focuses pretty much exclusively on vehicles, rather than the technology-enabled roadways that carry them, it’s an opportunity for input and dialogue on an issue that is very much on tolling agencies’ radar.

Judging by the guidance document, NHTSA is taking a common-sense approach to cybersecurity that aligns nicely with conversations that have gone on at recent IBTTA conferences. As a safety and privacy issue, the U.S. government is treating cybersecurity as a top priority.

"In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient," said NHTSA Administrator Dr. Mark Rosekind. "Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys."

The Onus is on Industry

In essence, NHTSA is taking a performance-based approach to cybersecurity—the agency is publishing best practices, but calling on industry to “self-audit and consider vulnerabilities and exploits that may impact their entire supply chain of operations,” the October 24 release states. “The safety agency also recommends employee training to educate the entire automotive workforce on new cybersecurity practices, and to share lessons learned with others.”

In the document itself, NHTSA emphasizes measures to “harden the vehicle’s electronic architecture against potential attacks, and to ensure vehicle systems take appropriate and safe actions, even when an attack is successful.” That echoes a piece of cornerstone advice the tolling industry has received from several cybersecurity specialists: Rather than assuming an attack will never occur, or never succeed, the first step in an effective response is to anticipate the worst and prepare for it.

NHTSA’s “comprehensive and systematic approach” to cybersecurity calls on technology providers to prioritize and protect “safety-critical vehicle control systems and personally identifiable information”, provide for timely incident detection and response, build systems that can recover rapidly from attacks, and rapidly share lessons learned that will help everyone in the system do a better job of protecting it.

The guidance document points readers to a report from the Center for Internet Security that lays out 20 priority areas for cybersecurity protection, based on actual experience with past attacks, and endorses the Center’s recommended approach to cybersecurity planning: gap analysis, development of implementation roadmaps, systematic execution of cybersecurity plans, integrating controls into vehicle systems and business operations, and successive cycles of reporting and monitoring progress.

So Far, So Good…But Time to be Vigilant

Tolling agencies have done a great job so far of keeping electronic systems safe from cyber-attacks. But one message came through loud and clear at IBTTA’s 84^th Annual Meeting and Exhibition in Denver, CO earlier this year: the threats are getting ever more sophisticated, and it is never the right time to let down our guard.

“For those of us who are responsible for critical infrastructure, often iconic infrastructure, security isn’t a new topic,” said former IBTTA President Kary Witt, Bridge Manager with the Golden Gate Bridge Highway and Transportation District. But with the advent of electronic tolling systems, agencies store and transmit sensitive data with every transaction, “and our customers have an expectation that their information is safe in our hands.”

While data breaches are less dramatic than physical attacks, Witt added, “the damage is no less devastating,” given the tremendous impact on customers’ financial and personal lives, and therefore on agencies’ operations and financial well-being.

Several panelists in Denver warned that the only question is when, not whether a tolling agency will eventually be targeted by a cybersecurity threat—and when one of those attempts will succeed. Data security specialists from the U.S. government and the private sector said the United States is a leading target for hackers, with 2,000 confirmed intrusions in 2015 costing an average of $15 million each to address.

The global cost is $575 billion and 200,000 jobs per year, and most experts consider that an underestimate.

And in highway transportation, the costs may go beyond the impact of an initial breach. Amid surging enthusiasm for connected and autonomous vehicles, you’ll often hear acknowledgement that a serious cybersecurity breach could delay public acceptance of a promising but unfamiliar new roadway technology. So when we talk about pro-active, layered cybersecurity measures, there’s a lot at stake.

Check out the cybersecurity presentations by Rhonda Bentz, Maj. Gen. John Davis, FBI special Agent Malcolm Palmore, and Rush Taggart at IBTTA’s 84^th Annual Meeting and Exhibition in Denver.