Understanding the US Department of Commerce ANPRM on Connected Vehicles, Supply Chain, & Cyber security

02 April 2024

By Josh Kolleda

What happened?

On 1 March 2024, the United States Department of Commerce's Bureau of Industry and Security (BIS) released an Advance Notice of Proposed Rulemaking (ANPRM) entitled Securing Information and Communications Technology and Services Supply Chain: Connected Vehicles via the Federal Register.

Ultimately, the ANPRM outlines the concern that incorporating technologies from the foreign adversaries identified in Title 15 CFR 7.4 (i.e., Cuba, Iran, North Korea, Russia, the Venezuelan Maduro regime and, specifically, China) within the automotive supply chain may open the United States to malicious cyber activity and result in substantial risk to critical infrastructure. The ANPRM also signals the potential regulation of certain vehicle technologies and the prohibition of those technologies originating from "foreign adversaries."

The timing of the ANPRM coincided with the White House Statement from President Biden Addressing National Security Risks to the US Auto Industry and the FACT SHEET: Biden-Harris Administration Takes Action to Address Risks of Autos from China and Other Countries of Concern, which summarize the White House's concerns.

The proposal falls within the purview of Executive Order (EO) 13873: Securing the Information and Communications Technology Services (ICTS) Supply Chain, which grants the Secretary of Commerce the authority to review and impose mitigation measures on or prohibit any ICTS transaction. This includes any acquisition, importation, transfer, installation, dealing in, or use of any ICTS by any person or concerning any property subject to US jurisdiction when the transaction involves any property in which a foreign country or national has any interest.

What is the purpose of the ANPRM, and who does it affect?

As a result of potential threats to the public and critical infrastructure, BIS is considering identifying vehicle operating systems, telematics systems, Advanced Driver Assistance Systems (ADAS), Automated Driving Systems (ADS), satellite or cellular telecommunication systems, and Battery Management Systems (BMS) as "most likely to present undue or unacceptable risks if exploited" by these foreign adversaries, along with considering "whether and how to regulate these software systems." Any response to the ANPRM must be submitted via the Federal Register on or before 30 April 2024.

The ANPRM specifically seeks comment on the following (which I've summarized from the questions posed in the ANPRM) to inform a later Notice of Proposed Rulemaking (NPRM), the next stage in the rulemaking process:

  • Automotive ICTS supply chain ecosystem and prevalence of companies originating from foreign adversary geographies.
    • Role of companies from foreign adversary geographies within the CV ICTS supply chain within the US and how data from CVs is transmitted to these geographies
    • Effect of disrupting the supply of components from these entities on OEMs and suppliers in the US and whether there are alternative procurement sources
    • Relationships among OEMs and cloud service providers
    • Information sharing among OEMs, suppliers, and service providers (e.g., application source code, vulnerability information, etc.)
  • Connected Vehicle and component capabilities.
    • Data collection capabilities of CVs and who/what has access to that data
    • Remote access and firmware/software update capabilities that OEMs (and their suppliers) have to communicate with vehicles and individual ECUs
    • Linkage among sensors and components within the vehicle network
  • Regulations, standards, and best practices for:
    • Securing vehicle networks and electric vehicle charging infrastructure
    • Current practices for the vehicle software development lifecycle and SBOM verification
    • OEM supply chain security and vetting vendors
    • Verifying that vehicle and software components comply with OEM requirements
  • Authorization and mitigations for exceptions to the Rule
    • Instances where it would be necessary to grant temporary authorizations
    • Criteria in evaluating applications for a temporary authorization, such as specific standards and cyber security best practices
    • Existing US government models to consider in granting authorizations
  • Economic impact
    • Economic impact to US businesses and the public
    • Anticompetitive effects
    • New, implied due diligence, compliance, and record-keeping requirements

Responding to this ANPRM

Should I respond?

Cyber security standards and regulations are becoming more commonplace within the transportation sector, and given the geopolitical landscape, the White House announcements and the Commerce ANPRM shouldn't surprise most in the industry.

It's encouraging that the US government is actively working to understand the global nature of the automotive supply chain and the overall vehicle attack surface through the questions in the ANPRM. This is the chance for the industry to help educate and guide decision making to elevate the overall security posture of the automotive sector while also working toward a stable and diversified supply chain.

At a minimum, automotive OEMs and suppliers should review for awareness and evaluate the potential impacts of a rule on their supply chain and products.

However, it's important to note that this is an ANPRM, not an actual rule. If an actual rule ever materializes, it is likely a long way away, and the Department of Commerce would first have to issue an NPRM with another comment period. For example, on 20 November 2023, the National Highway Traffic Safety Administration (NHTSA) withdrew its V2V NPRM published on 12 January 2017, so there is no guarantee this will become a rule.

How do I respond?

Connected vehicles today present the risk of remote shutdown, either as part of 'security' capabilities such as remote immobilization, or as emergent behaviors that arise from exploiting other intended functions, such as remote shell access (for diagnostics and logging). Many onboard technologies in use in vehicles today lack security controls that are commonplace in the technologies we are exposed to in our daily lives. For example, they often lack authentication of important command and control messages and typically have less than optimal and less scrutinized cryptographic implementations for data encryption, authentication, and authorization.
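To make the authentication gap above concrete, here is an added example (not from the original post or any OEM's implementation) contrasting an ECU that obeys any well-formed remote command with one that requires a keyed MAC, a vehicle-binding check and a monotonic freshness counter before acting. The key, frame layout, VIN and command names are all constructed for illustration.

```python
import hashlib, hmac, struct

# Constructed demo key and framing; not any OEM's real format or key.
KEY = b"constructed-demo-key-not-for-use"
TAG_LEN = 16

def build_command(vehicle_id: str, command: str, counter: int, key: bytes = KEY) -> bytes:
    """Frame: vehicle_id | command | 4-byte monotonic counter | truncated HMAC-SHA256."""
    body = vehicle_id.encode() + b"|" + command.encode() + b"|" + struct.pack(">I", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Ecu:
    def __init__(self, vehicle_id: str, key: bytes = KEY):
        self.vehicle_id = vehicle_id
        self.key = key
        self.last_counter = 0   # highest counter accepted; provides replay protection
        self.executed = []      # commands this ECU has acted on

    def handle_unauthenticated(self, frame: bytes) -> bool:
        # The weak pattern the text describes: any well-formed frame is obeyed.
        self.executed.append(frame.split(b"|")[1].decode())
        return True

    def handle_authenticated(self, frame: bytes) -> bool:
        if len(frame) <= TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # unsigned, forged or tampered in transit
        vid, cmd, ctr = body.split(b"|", 2)
        if vid.decode() != self.vehicle_id or len(ctr) != 4:
            return False                      # addressed to a different vehicle
        counter = struct.unpack(">I", ctr)[0]
        if counter <= self.last_counter:
            return False                      # replayed or out-of-order frame
        self.last_counter = counter
        self.executed.append(cmd.decode())
        return True

def demo() -> dict:
    ecu = Ecu("VIN-DEMO-0001")
    genuine = build_command("VIN-DEMO-0001", "IMMOBILIZE", 1)
    unsigned = b"VIN-DEMO-0001|IMMOBILIZE|" + struct.pack(">I", 2) + bytes(TAG_LEN)
    return {"weak_obeys_unsigned": ecu.handle_unauthenticated(unsigned),
            "strong_accepts_genuine": ecu.handle_authenticated(genuine),
            "strong_rejects_unsigned": ecu.handle_authenticated(unsigned),
            "strong_rejects_replay": ecu.handle_authenticated(genuine)}
```

The counter check is what turns a valid-but-captured frame into a rejected one; in a real deployment the counter state must survive power cycles and the key must be per vehicle, which this demo does not model.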

Because the attack surface is still poorly understood, it has remained relatively unexplored and rarely exploited until now. We've seen countless data breaches in other industries; vehicle-related cyber attacks are much less common to date and have typically targeted individual vehicles rather than an entire fleet.

However, security incidents related to the connected features of vehicles are increasing, as seen through released threat reports and security research. Those incidents often result from vulnerabilities within connected features or the supplier's back end rather than the automotive manufacturer or vehicle itself.

As those active in the automotive industry are already aware, most OEMs and suppliers are working toward compliance with standards such as ISO 21434 for vehicle cyber security engineering and ISO 24089 for vehicle software update engineering. Those outside the US are primarily subject to UN R155 for uniform provisions concerning the approval of vehicles regarding cyber security and R156 for vehicle software updates.

These same OEMs and suppliers are active within standards organizations such as SAE that are currently developing additional standards and best practices for vehicle systems and the networks and devices with which they communicate, such as Electric Vehicle Supply Equipment (EVSE) infrastructure.

If a rule moves forward to prohibit CV ICTS from 15 CFR 7.4 entities, particularly China, the US government should consider these standards and regulations as criteria for establishing cyber security assurance when evaluating exceptions and temporary authorizations. Regulatory approaches outside the US, such as UN R155, aim to encourage the adoption of Secure by Design/Cyber security Engineering, requiring OEMs to demonstrate they have considered and managed the risks to an acceptable level before passing Type Approval.

Importantly, this approach is not a prescriptive list of security controls to apply to a vehicle, which would quickly go out of date and fail to reflect the evolving threat landscape. Instead, these regulations require manufacturers to take a systems security engineering approach to justify their cyber security solutions and the accepted risk level. They typically start at the product concept and requirements stage, and, for vehicles, this can happen at the component level, feature/function level, or platform level. This leads to integrating security requirements, including considerations around test cases, and applying security controls to bring the cyber risk down to acceptable levels.

That directly opposes the common alternative, which is a long list of security controls that must be applied. Regulatory bodies should encourage maturity by setting the bar to demonstrate higher assurance over time.

Automotive OEMs and suppliers are also keenly aware that many companies headquartered in China, or with a presence in China, supply ICTS to automakers that sell vehicles within the US. Prohibiting Chinese-made components and software would likely further disrupt an industry that has already dealt with significant recent supply chain challenges as a result of the COVID pandemic.

That said, the industry should be looking at the features and functionality being introduced into vehicles, performing robust threat models, and encouraging the adoption of security controls that are likely to reduce residual risk. Many of the connected features/functions are sold to the consumer as 'convenience' but come without notification of the potential risks they might pose if a capable threat actor targets the backend/cloud infrastructure.

How do I increase assurance while preparing for a potential rule?

The type of activities and level of effort will differ based on the organization, its role within the automotive supply chain, its geographic locations, and the geographies it sells into. However, any organization within the automotive supply chain would benefit from conducting these example activities to strengthen its security posture and exhibit security due diligence.

  • ISO 21434 and ISO 24089 Gap Assessments and Implementation:

Identify and close gaps against these standards (e.g., through development and review of cyber security engineering work products), as they provide the frameworks for an overall vehicle cyber security program, from security requirements and concept development to threat modeling to vehicle monitoring and security operations.

  • Supplier risk management programs and reviews:

Conduct a comprehensive review of your supplier program based on its current state – from full program buildout (process analysis and program design), current program assessment and targeted supplier assessments (reviewing or creating supplier risk profiles), to corrective action planning and management (focused on remediating risk across suppliers).

  • Software escrow and source code audits of supplier components and applications:

Securely store software source code, firmware, binaries, and artifacts within physical or virtual vaults of a third party in line with the OEM and supplier's agreements. This also facilitates third-party verification of the code.

  • Third-party security assessments and penetration tests:

These are risk-based but focused explicitly on the sub-systems and components mentioned within the ANPRM (e.g., ADAS, BMS, telematics), along with the supporting backend infrastructure.

  • Secure Development Lifecycle/Toolchain Gap Analysis:

Conduct a CI/CD pipeline audit and configuration review focused on safety-critical software and firmware development processes. This should include examining how third-party code and tools make their way into production code and build systems, and should produce recommendations for process and tool changes/implementations.

  • Facility due diligence assessment for manufacturing sites:

Conduct an OT-focused assessment against best practices and standards such as IEC 62443 to understand the IT/OT network segmentation posture and increase visibility of assets, vulnerabilities, and threats, with vulnerability remediation prioritized based on actual risk, all in an effort to ensure secure manufacturing and provisioning of components and vehicles.

  • Monitoring and detection:

Implement solutions to monitor for and detect vulnerabilities and threats throughout the business with special attention to the vehicle itself, connected services/telematics, and any third-party connectivity to vehicles.

  • Digital Forensics and Incident Response Retainers:

Obtain an IR retainer with a third party and conduct tabletop exercises, first responder trainings, and/or incident response capabilities assessments.

About NCC Group Transport Assurance

NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies, and technologies. NCC Group has a decade of experience in supporting the global automotive industry, including some of the largest OEMs in the world, in all the services outlined above. We bring together cyber security professionals with deep knowledge of the transport sector, including consultants who have previous experience as cyber security engineers at OEMs and Tier 1s.

Our Automotive Practice comprises services to increase our clients' Cyber Security maturity. We identify the current maturity level and security posture and assess processes, products, people, and the supply chain, enabling our clients to mitigate risk, manage operational continuity, and respond by providing rapid access to cyber incident response.

With circa 2,400 colleagues, we have a significant market presence in the UK, Europe, and North America, as well as a growing footprint in Asia Pacific with offices in Australia, Japan, and Singapore.

Josh Kolleda

Practice Director of Transport Assurance, NCC Group NA

Josh Kolleda brings 16 years of experience in the private, public, and defense sectors. He focuses on cyber security consulting capabilities across all of NCC Group’s services for companies in the transportation sector (automotive, maritime, aerospace, rail). He has worked with entities throughout the automotive and roadside infrastructure ecosystem, such as large OEMs, suppliers, standards bodies, infrastructure owner-operators, state and local governments, and federal regulators.

Josh's background as a former US Army officer specializing in transportation/logistics teams adds a unique perspective to his work. He also has a master’s degree in Transportation Policy, Operations, and Logistics and holds CISSP and PMP certifications.