Privacy & Cybersecurity Law Blog

On October 14, 2016, the National Highway Transportation Administration (“NHTSA”) indicated in a letter to Congress that it intends to issue new best practices on vehicle cybersecurity. This letter came in response to an earlier request from the House Committee on Energy and Commerce (“Energy and Commerce Committee”) that NHTSA convene an industry-wide effort to develop a plan to address vulnerabilities posed to vehicles by On-Board Diagnostics (“OBD-II”) ports. Since 1994, the Environmental Protection Agency has required OBD-II ports be installed in all vehicles so that they can be tested for compliance with the Clean Air Act. OBD-II ports provide valuable vehicle diagnostic information and allow for aftermarket devices providing services such as “good driver” insurance benefits and vehicle tracking. Because OBD-II ports provide direct access to a vehicle’s internal network; however, OBD-II ports are widely cited as the central vulnerability to vehicle cybersecurity.

Although the Energy and Commerce Committee requested a plan regarding OBD-II ports specifically, the NHTSA letter reiterates previous NHTSA statements that vehicle cybersecurity should be addressed more comprehensively than “each entry port at a time.” The letter says that NHTSA’s forthcoming guidance will be based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework’s five principles: identify, protect, detect, respond and recover.

Coming not long after NHTSA released guidance on autonomous vehicles which called for increased information sharing within the automotive sector, NHTSA’s reliance on the NIST Cybersecurity Framework in its vehicle cybersecurity guidance indicates that NHTSA is increasingly seeking to apply cybersecurity measures to passenger vehicles currently utilized within critical infrastructure. Indeed, the NIST Cybersecurity Framework was developed pursuant President Obama’s E.O. 13636, Improving Critical Infrastructure Cybersecurity.