U.S. National Highway Traffic Safety Administration Releases Update to Automotive Cyber Security Best Practices


As vehicles become more connected with high-tech computer systems and software, there’s increasing concern about cyber security. Many governments are beginning to issue automotive cyber security best practices and regulations. In June 2020, the United Nations Economic Commission for Europe (UNECE) adopted a pair of automotive cyber security regulations into the World Forum for Harmonization of Vehicle Regulations, or WP.29. The regulations, which aim to enhance cyber security and software updates in vehicles, went into effect this January.

Under the Regulations, Automakers Must:

  • Manage vehicle cyber security risks
  • Secure vehicles by design to reduce risks throughout the value chain
  • Detect and respond to security concerns within vehicle fleets
  • Offer safe and secure software updates and guarantee vehicle security isn’t at risk, as well as introduce legal requirements for “over-the-air” software updates

The WP.29 regulations will start to take effect in South Korea and Japan this year. In Europe, the regulation doesn’t impact vehicle type approvals granted before the regulation came into effect, or those already on the streets. After July 2022, new vehicle types or car lines released with existing electronic systems must receive cyber security system type approval as part of the whole vehicle type approval process. After July 2024, vehicle makers will need to get cybersecurity system type approval for customers to be able to register their vehicles in any country that applies the revised regulation. (More details on the rollout of the regulation are available here.)

U.S. National Highway Traffic Safety Administration (NHTSA)

There currently are no specific regulations in the U.S. around automotive cyber security. However, the U.S. National Highway Traffic Safety Administration (NHTSA) recently updated its Cybersecurity Best Practices for the Safety of Modern Vehicles, which it initially released in 2016. 

“This document from the National Highway Traffic Safety Administration (NHTSA) updates the Agency’s non-binding and voluntary guidance to the automotive industry for improving motor vehicle cyber security. NHTSA encourages vehicle and equipment manufacturers to review this guidance to determine whether and, if so, how to apply this guidance to their unique systems,” NHTSA said in the document.

While the guidance is not mandatory, it reveals growing concern around cybersecurity within the U.S. automotive industry. The guidance on automotive cyber security best practices includes:

  • References to the ISO/SAE 21434 cybersecurity framework, which includes security management, project-dependent cyber security management, associated risk assessment techniques, continuous cyber security activities, and cyber security within both the concept development and post- road vehicle development phases.
  • References to Auto-ISAC’s seven best practices guides, which cover a range of cybersecurity topics including training, product development, and incident response.
  • Detailed technical guidelines applicable to Internet of Things devices. Many of these guidelines are based on fourteen exploited vulnerabilities, which the guidelines document.

The NHTSA guidelines are in draft form and open to comments. (For information on how to comment, see Federal Register Notice.)

“Vehicle cybersecurity has high stakes,” stated NHTSA Deputy Administrator James Owens in a press release. “The safety and security of everyone on our roads depend on it. We have learned a great deal in the past four years, and I encourage feedback on the 2020 edition.”

Regulations and guidance around vehicular cyber security are still evolving. However, manufacturers will eventually need to comply with cyber security regulations. It’s vital to prioritize cyber security in their vehicles for customers to find them trustworthy. Those who don’t may find themselves struggling to catch up. 

Securing Autonomous Vehicles

As the automotive industry continues to work on intelligent and autonomous vehicles, there is a need to better comprehend the safety and security of this connected technology. Automotive Cyber Security: Protecting the Vehicular Network is a five-course program that aims to foster the discussion on automotive cyber security solutions and requirements for not only intelligent vehicles, but also the infrastructure of intelligent transportation systems.

Contact an IEEE Content Specialist today to learn more about getting access to these courses for your organization.

Interested in the course for yourself? Visit the IEEE Learning Network.


