Cybersecurity, Data, and Privacy - Oregon · Cybersecurity Requirements • The manufacturer shall...
2/28/2019
Cybersecurity, Data, and Privacy
Subcommittee Meeting #1
March 1st, 2019
Welcome and Introductions
Review of Round 1 Recommendations and Round 2 Scoping Results
Round 1 Recommendations
Topics
• Preventing cyberattacks
• Responding to cyberattacks
• Protection of consumer privacy
• Data management
Cybersecurity Requirements
• The manufacturer shall certify that the autonomous vehicle meets appropriate and applicable current industry standards to help defend against, detect, and respond to cyber-attacks, unauthorized intrusions, or false vehicle control commands
• To aid with transparency with the testing process, to increase public trust in autonomous vehicle design and cybersecurity practices, and to aid in the effort to protect related cybersecurity infrastructure, the task force encourages manufacturers to work with recognized industry information sharing entities.
Data Privacy
• Principle: Support for a framework that protects data privacy
Task Force Round 2 Scoping Results
Principles
• Review applicability of existing law and don’t reinvent the wheel
• Maintain consistency with other states
Resources
• Auto-ISAC
• AICPA’s SSAE-18 Data Security Standards
• SAE/Synopsys Report: Securing the Modern Vehicle
• Upstream Security Report: Global Automotive Cybersecurity Report 2019
• NCHRP 03-127: Cybersecurity of Traffic Management Systems
Cybersecurity
• Cybersecurity for road infrastructure/V2I
• Responding to cybersecurity incidents
• Accountability for cyber breaches
• State authorities in relation to manufacturer’s cybersecurity plan
Privacy and Intellectual Property
• Secondary use of data
• Protecting privacy and security of consumer and personal data
• Protecting private and proprietary data
Data
• Data standards
• Data needs of vehicles
• Flexibility to adapt to new technologies (5G, etc.): focus on what data is needed rather than how it is accessed
• Data transparency in the aggregate
• Data sharing for public sector responsibilities, including planning, operation, and funding
• Public sector data infrastructure, storage, expertise, analysis, and cost
• Sideboards for data in underwriting
• Preservation of crash data
State, Federal, and Private Sector Roles in Cybersecurity
National and international guidance on AVs
National Highway Traffic Safety Administration (NHTSA): Federal and State Regulatory Roles for Conventional Vehicles
Federal: Regulating motor vehicles and motor vehicle equipment
• Set Federal Motor Vehicle Safety Standards (FMVSS) for motor vehicles and equipment
• Enforce compliance with FMVSS
• Manage safety recalls
• Educate public about safety
State: Regulating the human driver and most other aspects of motor vehicle operation
• License drivers
• Register motor vehicles
• Enact and enforce traffic laws
• Conduct safety inspections
• Regulate insurance and liability
Federal and State Safety Roles for Automated Vehicles
• The National Highway Traffic Safety Administration (NHTSA) proposes that regulation of automated driving systems (ADSs) mirror existing roles
• NHTSA has proposed new safety areas for ADSs, such as cybersecurity, data recording, and human-machine interface, that it may regulate pending the development of FMVSS
• States are encouraged to provide licensing and registration procedures for AVs, reporting and communications methods for Public Safety Officials, and to review traffic laws and regulations that conflict with AVs
Learn more in NHTSA’s “Automated Vehicles 3.0” guidance
Background on National Efforts
Auto-ISAC
• Automotive Information Sharing and Analysis Center (Auto-ISAC)
• Forum for industry, government, and cybersecurity experts to share information on threats, best practices, etc.
• Monthly calls to highlight new developments, security efforts, and other topics
• ODOT participates
SAE/Synopsys Report: Securing the Modern Vehicle
• Survey of cybersecurity practices in automotive industry to identify risks
• Identified that many organizations still lack a dedicated cybersecurity team and sufficient staff resources
• Vehicle connectivity presents an increasing risk to system safety, requiring additional attention
Upstream Security Report: Global Automotive Cybersecurity Report 2019
• Tallies cyberattacks on vehicles in 2019 – rapid growth in previous years
• Malicious “black hat” attacks now outnumber attacks by security researchers
• Attacks range from penetrating back-end systems to direct attacks on vehicle security equipment, such as key fobs
NCHRP 03-127: Cybersecurity of Traffic Management Systems
• National Cooperative Highway Research Project (NCHRP) has several projects related to connected/automated vehicles
• Project 03-127 seeks to develop guidance for state and local transportation agencies to mitigate cyber attacks on traffic systems
• Literature review already available; project expected to conclude August 2019
Additional National Initiatives to Track?
Revisions to Subcommittee Scope and Discussion of Final Product
Recap and Next Steps