The National Motor Freight Traffic Association, Inc.® (NMFTA)® is pleased to announce the successful completion of a major industry effort: the reopening and revision of SAE J2497 to formally address cybersecurity risks in a decades‑old but still widely used vehicle protocol.
The NMFTA cybersecurity team found and disclosed vulnerabilities in this legacy vehicle communications. NMFTA engaged early, requested that the SAE Truck & Bus communication committee reopen the then-stabilized J2497 document and worked collaboratively through the SAE process to ensure the vulnerabilities were included and risks to fleets considered.
Why This Matters
SAE J2497 governs power‑line communications between tractors and trailers—technology that was originally designed for closed, physical environments. The NMFTA research showed that this databus is not closed. What was once assumed to be inaccessible is now wirelessly reachable, introducing realistic opportunities for unauthorized reads, writes, and malicious manipulation.
Until now, cybersecurity considerations for J2497 were largely out of scope. These vulnerabilities posed challenges not only for safety. A new tractor-trailer interface is on the horizon and it is critical that the backwards compatibility in this new interface does not adopt the same vulneratbilites.
Reopening the Standard: From Risk Identification to Action
Rather than waiting for an incident to force reactive change, NMFTA initiated discussions with SAE stakeholders to reopen the J2497 mandate and explicitly bring cybersecurity into scope. This was not a small lift: revisiting a legacy standard requires alignment on technical realities, scope boundaries, and operational impacts across a diverse ecosystem of OEMs, suppliers, and fleets.
Over multiple phases of review, discussion, and refinement, the effort achieved its core objectives:
- SAE J2497 was formally reopened to allow updates addressing modern cybersecurity concerns;
- Wireless attack surfaces were explicitly acknowledged as a design consideration;
- Appendix D.2 – Wireless Attack Mitigations was introduced to document practical defenses; and
- Clear guidance was added to reduce attack surface while preserving backward compatibility.
Importantly, the revised language takes a practical, non‑prescriptive approach—describing risk and recommended guardrails without mandating specific implementations. This allows manufacturers to innovate while still demonstrating due diligence against known vulnerabilities that have been cited in CVEs, CISA advisories, and safety recalls.
A Process That Valued Getting It Right
From initial technical discussions in 2024, through task force work and mandate review in early 2025, to document refinement and a successful ballot concluding in March 2026, this effort was marked by patience and follow‑through.
The work unfolded across four SAE T&B Committee meetings, extensive written collaboration, and multiple document iterations. Taking the time to align stakeholders and resolve questions up front helped ensure that the final outcome is not only defensible, but usable.
Thank You to the SAE T&B Committee
NMFTA extends sincere thanks to the SAE Truck & Bus Committee for their collaboration and professionalism throughout this process. The committee’s engagement over the past four meetings, willingness to dig into difficult topics, and commitment to consensus standards were essential to bringing this revision across the finish line.
This update is a strong example of how industry can proactively modernize legacy technology—without disruption, and without waiting for crisis to dictate change.
Looking Ahead
The NMFTA looks forward to continuing its close collaboration with SAE. We are especially pleased to announce that NMFTA will host the SAE T&B Committee meeting in August, providing an opportunity to build on this momentum and continue advancing cybersecurity leadership across commercial vehicle standards.
This success reinforces a simple truth: when the industry leads together—and takes the time to do it right—everyone benefits.
