New Federal Cybersecurity Legislation and Regulations Proposed in Washington DC

Posted by

This week, new legislation and regulations have been proposed to address cybersecurity concerns in new automobiles and the nation’s Bulk Electric System.

On Tuesday, Senators Edward J. Markey (MA) and Richard Blumenthal (CT) introduced new legislation to address the hacking risks associated with “connected vehicles.”  The Security and Privacy in Your Car Act of 2015 would mandate that sensitive software systems be isolated and additional safeguards be added “to protect consumers from security and privacy threats to their motor vehicles”.  The legislation followed a 2014 report by Senator Markey identifying how vehicles may be vulnerable to hackers, and how driver information is collected and protected.

The new legislation was announced the same day Wired magazine reported that “wireless carjackers” were able to seize control of a Jeep through the internet connectivity, enabling hackers to “send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”  In a demonstration of the hacking software for Wired, the Jeep’s transmission was disabled, and accelerator stopped working while the vehicle was driving over a long overpass with no shoulder on an interstate outside of St. Louis.

Also, yesterday the Federal Energy Regulatory Commission (FERC) proposed seven critical infrastructure protection reliability standards to “address the cyber security of the bulk electric system…which, if destroyed, degraded, or otherwise rendered unavailable as the result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System,” including facilities and control systems necessary for operating an interconnected electric energy transmission network, and electric energy from generation facilities needed to maintain transmission system reliability (defined in Federal Power Act § 215). The proposed regulations followed an April 2014 technical conference, where panelists opined that current standards lacked controls to protect data in motion, authenticate messages and commands, and protect systems using non-routable protocols.  Public comments are due to the FERC within 60 days.