Yesterday the DOT's National Highway Traffic Safety Administration (NHTSA) published an enforcement guidance document in the Federal Register (81 FR 65706-65709) concerning Safety-Related Defects and Automated Safety Technologies. This follows the Federal Automated Vehicles Policy document published earlier this week.
Legal and Policy Background
The new enforcement guidance document outlines the legal and policy background underpinning NHTSA's authority to regulate safety in current and emerging automated motor vehicle safety technologies. An important component of the NHTSA policy is the statement that:
“For software or other electronic systems, for example, when the engineering or root cause of the hazard is known, a defect exists regardless of whether there have been any actual performance failures.”
On the use of recalls to remedy software-related safety issues, the new guidance document provides the following discussion:
“Software installed in or on a motor vehicle—which is motor vehicle equipment—presents its own unique safety risks. Because software often interacts with a motor vehicle's critical systems (i.e., systems encompassing critical control functions such as braking, steering, or acceleration), the operation of those systems can be substantially altered by after-market software updates. Software located outside the motor vehicle could also be used to affect and control a motor vehicle's critical systems. Under either circumstance, if software (whether or not it purports to have a safety-related purpose) creates or introduces an unreasonable safety risk to motor vehicle systems, then that safety risk constitutes a defect compelling a recall.”
The only specific guidance provided in the document is found in the next-to-last paragraph:
“Motor vehicle and motor vehicle equipment manufacturers have a continuing obligation to proactively identify safety concerns and mitigate the risks of harm. If a manufacturer discovers or is otherwise made aware of any safety-related defects, noncompliances, or other safety risks after the vehicle and/or equipment (including automated safety technology) has been in safe operation, then it should promptly contact the appropriate NHTSA personnel to determine the necessary next steps. Where a manufacturer fails to adequately address a safety concern, NHTSA, when appropriate, will address that failure through its enforcement authority.”
Anyone who is looking for specific guidance from NHTSA on how manufacturers (both vehicle and equipment) will be expected to ensure that their vehicle control systems are protected from cyber-attack is going to be sorely disappointed in this document. In fact, the guidance does not specifically address security issues related to software or control systems at all.
Having said that, it is clear from the portions of the document quoted above that NHTSA plans to take a broad view of what constitutes a 'safety defect' when it comes to vehicle automation systems. Note in particular that a defect is said to exist once the root cause of a hazard is known, whether or not any actual failure has occurred. It would be hard to argue that a security flaw allowing an attacker to affect, or even merely access, control systems that bear on the safe operation of the vehicle (whether through after-market software on the vehicle or through software outside it) would fall outside that definition.
The real defect in this guidance is its failure to address how NHTSA expects to receive vehicle automation defect information from anyone other than the manufacturer. The absence of a system for independent security researchers to report security defects in the software, hardware or firmware of vehicle automation systems directly to NHTSA (or to another government agency such as ICS-CERT) is understandable only in that this guidance document is directed at vehicle and equipment manufacturers. Failing even to mention that receiving such information would be an important part of the analysis and enforcement process, however, is unforgivable.
Hopefully, this guidance document will not be the last word from NHTSA on the issue of vehicle control system safety. The failure to specifically address automation system security in this guidance document, or in the earlier performance guidance document, could mean that NHTSA intends to address that area in a separate document. Or, more likely in my opinion, NHTSA continues to skirt the security issue because it lacks specific congressional authority to address the matter.