Recently, the UK government released "The key principles of vehicle cyber security for connected and automated vehicles." This guidance document provides key cyber security principles for use by the automotive industry and its suppliers. This follows the US Government's guidelines that were issued last fall.
I was encouraged to see the UK push for personal accountability in cyber security issues at the board level. Without that accountability, it is too easy for security to be bypassed for other priorities, including budgetary shortfalls and scheduling delays. The UK guidance is more expansive than the NTSA guidance, which stated, "For example, companies could implement these actions by appointing a high-level corporate officer exclusively and directly responsible for product cybersecurity." Personal board accountability would do more to change the corporate culture than the appointment of a cyber security executive, although ideally both are done.
Another encouraging statement was, "Users are able to delete sensitive data held on systems and connected systems." The NHTSA guidance talked about protecting private data, but didn't give users control over that data. Anyone concerned about privacy will find the UK guidance as an improvement over NHTSA.
Although the UK guidance has many positive attributes, it has some drawbacks as well. For instance, I don't believe the guidance goes far enough when it comes to software updates following the discovery of a vulnerability. The guidance merely states that "organisations plan for how to maintain security over the lifetime of their systems." Thus, this does not account for the changes that occur over the lifetime of the systems. I believe that Over the Air (OTA) updates should be a requirement for automobiles. It is impossible for a manufacturer to create a car that is free of vulnerabilities throughout the 10-20-years of its life. Without OTA, automakers are relying on car owners to bring their cars into a repair show every time a new vulnerability is discovered. This will leave many cars exposed to known attacks, whereas the OTA updates would allow the fix to be pushed through to the at-risk vehicles immediately. Car makers would save a lot of money in recalls by offering OTA, so it is likely they will move to that technology on their own. Either way, I would have preferred the UK specify its use and not leave this area of guidance so ambiguous.