Cybersecurity, Data, and Privacy Subcommittee Meeting #1 March 1 st - - PowerPoint PPT Presentation

1

2/28/2019

Cybersecurity, Data, and Privacy

Subcommittee Meeting #1 March 1st, 2019

2

2/28/2019

Welcome and Introductions

3

2/28/2019

Review of Round 1 Recommendations and Round 2 Scoping Results

Round 1 Recommendations

Topics

• Preventing cyberattacks
• Responding to cyberattacks
• Protection of consumer privacy
• Data management

Cybersecurity Requirements

• The manufacturer shall certify that the autonomous vehicle meets appropriate and applicable current

industry standards to help defend against, detect, and respond to cyber-attacks, unauthorized intrusions, or false vehicle control commands

• To aid with transparency with the testing process, to increase public trust in autonomous vehicle

design and cybersecurity practices, and to aid in the effort to protect related cybersecurity infrastructure, the task force encourages manufacturers to work with recognizes industry information sharing entities. Data Privacy

• Principle: Support for a framework that protects data privacy

5

2/28/2019

Task Force Round 2 Scoping Results

Principles

• Review applicability of existing law and don’t reinvent

the wheel

• Maintain consistency with other states

Resources

• Auto-ISAC
• AICPA’s SSAE-18 Data Security Standards
• SAE/Synopsys Report: Securing the Modern Vehicle
• Upstream Security Report: Global Automotive

Cybersecurity Report 2019

• NCHRP 03-127: Cybersecurity of Traffic Management

Systems Cybersecurity

• Cybersecurity for road infrastructure/V2I
• Responding to cybersecurity incidents
• Accountability for cyber breaches
• State authorities in relation to manufacturer’s

cybersecurity plan Privacy and Intellectual Property

• Secondary use of data
• Protecting privacy and security of consumer and personal

data

• Protecting private and proprietary data

Data

• Data standards
• Data needs of vehicles
• Flexibility to adapt to new technologies (5G, etc.): focus
• n what data is needed rather than how it is accessed
• Data transparency in the aggregate
• Data sharing for public sector responsibilities, including

planning, operation, and funding

• Public sector data infrastructure, storage, expertise,

analysis, and cost

• Sideboards for data in underwriting
• Preservation of crash data

6

2/28/2019

State, Federal, and Private Sector Roles in Cybersecurity

7

2/28/2019

National and international guidance on AVs

8

2/28/2019

National Highway Traffic Safety Administration (NHTSA): Federal and State Regulatory Roles for Conventional Vehicles

Federal State

Regulating motor vehicles and motor vehicle equipment Regulating the human driver and most other aspects of motor vehicle

• peration
• Set Federal Motor Vehicle Safety

Standards (FMVSS) for motor vehicles and equipment

• Enforce compliance with FMVSS
• Manage safety recalls
• Educate public about safety
• License drivers
• Register motor vehicles
• Enact and enforce traffic laws
• Conduct safety inspections
• Regulate insurance and liability

9

2/28/2019

Federal and State Safety Roles for Automated Vehicles

• The National Highway Traffic Safety Administration (NHTSA) proposes that

regulation of automated driving systems (ADSs) mirror existing roles

• NHTSA has proposed new safety areas for ADSs, such as cybersecurity, data

recording, and human-machine interface, that it may regulate pending the development of FMVSS

• States are encouraged to provide licensing and registration procedures for AVs,

reporting and communications methods for Public Safety Officials, and to review traffic laws and regulations that conflict with AVs Learn more in NHTSA’s “Automated Vehicles 3.0” guidance here

10

2/28/2019

Background on National Efforts

11

2/28/2019

Auto-ISAC

• Automotive Information Sharing and Analysis

Center (Auto-ISAC)

• Forum for industry, government, and

cybersecurity experts to share information on threats, best practices, etc.

• Monthly calls to highlight new developments,

security efforts, and other topics

• ODOT participates

12

2/28/2019

SAE/Synopsys Report: Securing the Modern Vehicle

• Survey of cybersecurity practices in

automotive industry to identify risks

• Identified that many organizations still lack

dedicated cybersecurity team, sufficient staff resources

• Vehicle connectivity presents an increasing

risk to system safety, requiring additional attention

13

2/28/2019

Upstream Security Report: Global Automotive Cybersecurity Report 2019

• Tallies cyberattacks on vehicles in 2019 –

rapid growth in previous years

• Malicious “black hat” attacks now
• utnumber attacks by security researchers
• Attacks range from penetrating back-end

systems to direct attacks on vehicle security equipment, such as key fobs

14

2/28/2019

NCHRP 03-127: Cybersecurity of Traffic Management Systems

• National Cooperative Highway Research

Project (NCHRP) has several projects related to connected/automated vehicles

• Project 03-127 seeks to develop guidance

for state and local transportation agencies to mitigate cyber attacks on traffic systems

• Literature review already available, project

expected to conclude August 2019

15

2/28/2019

Additional National Initiatives to Track?

16

2/28/2019

Revisions to Subcommittee Scope and Discussion of Final Product

17

2/28/2019

Recap and Next Steps