Federal regulators have attempted to address the need to protect cars and trucks against cybersecurity threats while ensuring that their owners are able to access less costly third-party repairs and maintenance.
The National Highway Traffic Safety Administration acknowledges that challenge in a “pre-final” version of its “Cybersecurity Best Practices for the Safety of Modern Vehicles,” released Wednesday. The new guidelines update a 2016 version, after soliciting comments on a draft version released in 2021.
Both the 2016 and 2022 versions say that the automotive industry should “consider the serviceability of vehicle components and systems by individuals and third parties,” and that the industry should “provide strong vehicle cybersecurity protections that do not unduly restrict access by authorized alternative third-party repair services.”
But NHTSA added to the updated guidelines a clarifying statement: “NHTSA recognizes the balance between third party serviceability and cybersecurity is not necessarily easy to achieve. However, cybersecurity should not become a reason to justify limiting serviceability. Similarly, serviceability should not limit strong cybersecurity controls.”
Commenting last year on the updated guidelines, the National Motor Freight Traffic Association (NMFTA) interpreted the serviceability section to focus mainly on passenger vehicles.
In a notice to be published in the Federal Register on Friday regarding the new cybersecurity guidelines, however, NHTSA states that while many commenters felt the agency “needed to address heavy trucks more explicitly and directly … NHTSA believes this would be unnecessary since the scope of the draft best practices already includes heavy trucks.”
The American Alliance for Vehicle Owners’ Rights (AAVOR), whose members include the Owner-Operator Independent Drivers Association, sees the updated guidelines as a positive step for truck owners.
“Former drafts of best practices written before telematics came on as a major feature in trucks could be interpreted as questioning whether telematics could be cyber-secure,” AAVOR Director Greg Scott told FreightWaves. “But the new guidelines seems to clarify that cybersecurity and serviceability can coexist.”
The American Trucking Associations also backs the nonrestriction of aftermarket maintenance and serviceability of vehicle systems and component technologies, it noted in comments on the guidelines last year.
“ATA supports motor carriers’ freedom of equipment maintenance and serviceability through both manufacturer and aftermarket solutions providers.” ATA did not respond in time to a request to comment on Wednesday’s final draft.
Aside from her organization’s interpretation that the guidelines have a “passenger-specific” focus, NMFTA Executive Director Debbie Sparks told FreightWaves that she was pleased with other aspects of the guidelines, including cyber risks associated with spoofing signals.
“However, we do feel that the lack of any changes to [guidelines related to drivers’ smart devices] is disappointing,” Sparks said, “as it frames the question on how smart devices gain access to vehicle networks as an OEM-only interaction, ignoring the important need of fleet authorization.”
