The agency also suggests designing connected systems with cyber security in mind from the outset. "If a cyber-attack is detected, the safety risk to vehicle occupants and surrounding road users should be mitigated and the vehicle should be transitioned to a reasonable risk state," the paper reads. As a way to minimize the amount of intrusions in the first place, the NHTSA writes that developer and debugging access to engine control units (ECU) should be "limited or eliminated" if there's no reason for them to be open after a vehicle rolls off the assembly line.
There are a slew of other propositions as well: control keys shouldn't apply to multiple vehicles, access to diagnostic settings that could be "misused or abused outside of their intended purposes" should be limited and firmware access should be secured to prevent reverse engineering. NHTSA also wants limits on firmware modification ability, OEMS to lock up network protocols and ports (especially on the cellular data side) and encryption for communications between the vehicle and its OEM "home." Oh, and for manufacturers to extensively test for data breaches, and document the process.
The potentially scary part about this is that while protecting drivers, it also could further lock any sort of backyard tinkering or performance away for good -- something that hobbyist mechanics and tuners haven't really had to worry about before.
That even includes taking into account vulnerabilities presented from hooking your phone to a car's infotainment system via Bluetooth. "Aftermarket device manufacturers should consider that their devices are interfaced with cyber-physical systems and they could impact safety-of-life," the paper reads. "Even though the primary purpose of the system may not be safety-related, if not properly protected, they could be used as proxy to influence the safety-critical system behavior on vehicles."
This may also affect the business of independent shop owners who won't be able to service new vehicles thanks to diagnostic features being locked behind manufacturer-specific tools. But the outfit seems to have that covered, at least a little, too, but with a catch; emphasis is our own.
"The automotive industry should provide strong vehicle cybersecurity protections that do not unduly restrict access by authorized alternative third-party repair services." So, if you've been going to the same mechanic you know and trust, chances are that the automaker might not feel the same way.
As Reuters reports, the Alliance of Automobile Manufacturers is already onboard with putting the voluntary best practices into place. "In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient," NHTSA administrator Dr. Mark Rosekind said in a statement. "Everyone involved must keep moving, adapting and improving to stay ahead of the bad guys."