NIST sets up community of interest to deal with cybersecurity issues that affect automotive sector

The National Institute of Standards and Technology (NIST) called on Tuesday for participants in a community of interest that will allow industry, academia, and government to discuss, comment on, and provide input to potential NIST work that will affect the automotive industry. The agency will reach out to the community to access expertise and perspective on cybersecurity topics that affect the automotive space. Members of the community may be offered the opportunity to participate and provide feedback on a variety of cybersecurity activities at NIST.

The initiative comes at a time when the automotive industry is facing significant challenges from increased cybersecurity risk and the adoption of AI (artificial intelligence) and opportunities from rapid technological innovations. 

The topics of interest for the community include, but are not limited to, cryptography, supply chain, and AI cybersecurity risk management in automated vehicles (AVs). As part of cryptography, NIST is seeking comments from the community on cryptographic agility and migration to secure algorithms, such as quantum-resistant cryptography.

The supply chain module covers code integrity and distribution; hardware, firmware, and software composition and inventory to manage cybersecurity vulnerabilities; and security of development, integration, build, and distribution environments. To deal with AI cybersecurity risk management in AVs, NIST requests comments on the development of measurement approaches for establishing safety and security criteria for AI in AVs. It also looks to identify and quantify risks for AI algorithms used in AVs, adversarial attacks, and mitigation testing and evaluation.

The community of interest is open and will provide a way for NIST to facilitate the discussions and receive comments and feedback from the automotive industry, academia, and government. For example, NIST may ask the community to comment on publications; assist in developing use cases; and provide insight into cybersecurity challenges of innovative technologies.

The NIST document comes at a time when security researcher Sam Curry revealed the presence of numerous security flaws in vehicles from 16 different manufacturers. These flaws have the potential to compromise the privacy of car owners, apart from unlocking and starting cars and tracking their locations. The security flaws include unauthorized access to sensitive data, takeover of accounts, remote code execution (RCE) attacks, and manipulation of physical commands like turning car engines on/off. The loopholes are present in web applications and APIs of car producers, telematics service providers, and fleet operators. These vulnerabilities need to be addressed immediately.

Last March, industrial cybersecurity firm Dragos identified consistent network communication between Emotet command and control (C2) servers and numerous automotive manufacturing companies. The Emotet servers are suspected to be controlled by the Conti ransomware group. Emotet has been recognized as both a malware strain and a cybercrime operation, and it has precipitated ransomware events in the past.

The NIST recently announced the publication of the second preliminary draft practice guide covering zero trust architecture (ZTA). The agency rolled out updated versions of the NIST Cybersecurity Practice Guide SP 1800-35 Vol A-D covering three additional ZTA implementations that have been added to the guide since the previous drafts were published, and the first preliminary draft of SP 1800-35 Vol E that provides a risk analysis and mapping of ZTA security characteristics to cybersecurity standards and recommended practices. The agency seeks public comments online on or before Feb. 6, 2023.
