Cybersecurity, Data, and Privacy - Oregon · Cybersecurity Requirements • The manufacturer shall...

2/28/2019: Cybersecurity, Data, and Privacy Subcommittee Meeting #1, March 1st, 2019

Welcome and Introductions

Review of Round 1 Recommendations and Round 2 Scoping Results

Round 1 Recommendations

Topics

• Preventing cyberattacks
• Responding to cyberattacks
• Protection of consumer privacy
• Data management

Cybersecurity Requirements

• The manufacturer shall certify that the autonomous vehicle meets appropriate and applicable current industry standards to help defend against, detect, and respond to cyber-attacks, unauthorized intrusions, or false vehicle control commands

• To aid with transparency with the testing process, to increase public trust in autonomous vehicle design and cybersecurity practices, and to aid in the effort to protect related cybersecurity infrastructure, the task force encourages manufacturers to work with recognized industry information sharing entities.

Data Privacy

• Principle: Support for a framework that protects data privacy

Task Force Round 2 Scoping Results

Principles

• Review applicability of existing law and don’t reinvent the wheel
• Maintain consistency with other states

Resources

• Auto-ISAC
• AICPA’s SSAE-18 Data Security Standards
• SAE/Synopsys Report: Securing the Modern Vehicle
• Upstream Security Report: Global Automotive Cybersecurity Report 2019
• NCHRP 03-127: Cybersecurity of Traffic Management Systems

Cybersecurity

• Cybersecurity for road infrastructure/V2I
• Responding to cybersecurity incidents
• Accountability for cyber breaches
• State authorities in relation to manufacturer’s cybersecurity plan

Privacy and Intellectual Property

• Secondary use of data
• Protecting privacy and security of consumer and personal data
• Protecting private and proprietary data

Data

• Data standards
• Data needs of vehicles
• Flexibility to adapt to new technologies (5G, etc.): focus on what data is needed rather than how it is accessed
• Data transparency in the aggregate
• Data sharing for public sector responsibilities, including planning, operation, and funding
• Public sector data infrastructure, storage, expertise, analysis, and cost
• Sideboards for data in underwriting
• Preservation of crash data

State, Federal, and Private Sector Roles in Cybersecurity

National and international guidance on AVs

National Highway Traffic Safety Administration (NHTSA): Federal and State Regulatory Roles for Conventional Vehicles

Federal: Regulating motor vehicles and motor vehicle equipment

• Set Federal Motor Vehicle Safety Standards (FMVSS) for motor vehicles and equipment
• Enforce compliance with FMVSS
• Manage safety recalls
• Educate public about safety

State: Regulating the human driver and most other aspects of motor vehicle operation

• License drivers
• Register motor vehicles
• Enact and enforce traffic laws
• Conduct safety inspections
• Regulate insurance and liability

Federal and State Safety Roles for Automated Vehicles

• The National Highway Traffic Safety Administration (NHTSA) proposes that regulation of automated driving systems (ADSs) mirror existing roles

• NHTSA has proposed new safety areas for ADSs, such as cybersecurity, data recording, and human-machine interface, that it may regulate pending the development of FMVSS

• States are encouraged to provide licensing and registration procedures for AVs, reporting and communications methods for Public Safety Officials, and to review traffic laws and regulations that conflict with AVs

Learn more in NHTSA’s “Automated Vehicles 3.0” guidance

Background on National Efforts

Auto-ISAC

• Automotive Information Sharing and Analysis Center (Auto-ISAC)

• Forum for industry, government, and cybersecurity experts to share information on threats, best practices, etc.

• Monthly calls to highlight new developments, security efforts, and other topics

• ODOT participates

SAE/Synopsys Report: Securing the Modern Vehicle

• Survey of cybersecurity practices in automotive industry to identify risks

• Identified that many organizations still lack a dedicated cybersecurity team and sufficient staff resources

• Vehicle connectivity presents an increasing risk to system safety, requiring additional attention

Upstream Security Report: Global Automotive Cybersecurity Report 2019

• Tallies cyberattacks on vehicles in 2019 – rapid growth in previous years

• Malicious “black hat” attacks now outnumber attacks by security researchers

• Attacks range from penetrating back-end systems to direct attacks on vehicle security equipment, such as key fobs

NCHRP 03-127: Cybersecurity of Traffic Management Systems

• National Cooperative Highway Research Project (NCHRP) has several projects related to connected/automated vehicles

• Project 03-127 seeks to develop guidance for state and local transportation agencies to mitigate cyber attacks on traffic systems

• Literature review already available, project expected to conclude August 2019

Additional National Initiatives to Track?

Revisions to Subcommittee Scope and Discussion of Final Product

Recap and Next Steps