Today the DOT’s National Highway Transportation Safety
Administration (NHTSA) has published a notice in the Federal Register (81 FR 18935-18939)
requesting comments on proposed guidance for motor vehicle and equipment
manufacturers in developing and implementing new and emerging automotive
technologies, safety compliance programs, and other business practices in
connection with such technologies.
Legal Authority
A substantial portion of the notice establishes the legal authority for
NHTSA to regulate the safety of the electronic portions of automotive
equipment. They specifically note that under provisions of 49 USC 30102:
“With respect to new and emerging
technologies, NHTSA considers automated vehicle technologies, systems, and
equipment to be motor vehicle equipment, whether they are offered to the public
as part of a new motor vehicle (as original equipment) or as an after-market
replacement(s) of or improvement(s) to original equipment. NHTSA also considers
software (including, but not necessarily limited to, the programs,
instructions, code, and data used to operate computers and related devices),
and after-market software updates, to be motor vehicle equipment within the
meaning of the Safety Act.”
The notice goes on to explain
that in accordance with the requirements of 49 CFR Part 573: “Accordingly, a
manufacturer of new and emerging vehicle technologies and equipment, whether it
is the supplier of the equipment or the manufacturer of a motor vehicle on
which the equipment is installed, has an obligation to notify NHTSA of any and
all safety-related defects.”
NHTSA explains that it normally uses a vehicle's performance record to
determine whether a safety defect exists, noting that this approach is used
primarily where the engineering or root cause of the defect is not known. The
notice adds that: “Where, however, the engineering or root cause is known, the
Agency need not proceed with analyzing the performance record.”
NHTSA further explains that the Safety Act requires a forward-looking risk
analysis that is designed “not to protect individuals from the risks associated
with defective vehicles only after serious injuries have already occurred; it
is to prevent serious injuries stemming from established defects before they
occur”. They go on to note:
“Moreover, a defect may be
considered ‘per se’ safety-related if it causes the failure of a critical
component; causes a vehicle fire; causes a loss of vehicle control; or suddenly
moves the driver away from steering, accelerator, and brake controls—regardless
of how many injuries or accidents are likely to occur in the future.”
Thus, NHTSA concludes
that their enforcement authority concerning safety-related defects in motor
vehicles and equipment extends and applies equally to new and emerging
automotive technologies; including existing automation and crash avoidance
technologies and future autonomous vehicle technology.
Software Guidance
NHTSA notes that software
on the vehicle or off the vehicle in portable devices presents unique safety risks
because such software can interact with a motor vehicle's critical safety
systems (i.e., systems encompassing critical control functions such as braking,
steering, or acceleration) and states that:
“If software has manifested a
safety-related performance failure, or otherwise presents an unreasonable risk
to safety, then the software failure or safety-risk constitutes a defect
compelling a recall.”
As such, the notice provides the following recommendations:
• Manufacturers should
consider adopting a life-cycle approach to safety risks when developing
automated vehicles, other innovative automotive technologies, and safety
compliance programs and other business practices in connection with such
technologies;
• Manufacturers should
consider developing a simulator, using case scenarios and threat modeling
on all systems, sub-systems, and devices, to test for safety risks, including
cybersecurity vulnerabilities, at all steps in the manufacturing process for
the entire supply chain, to implement an effective risk mitigation plan;
• Manufacturers of
emerging technologies and the motor vehicles on which such technology is
installed have a continuing obligation to proactively identify safety concerns
and mitigate the risks of harm; and
• If a manufacturer
discovers or is otherwise made aware of any defects, noncompliances, or
other unreasonable risks to safety after the vehicle and/or technology has been
in safe operation for some time, then it should strongly consider promptly
contacting the appropriate NHTSA personnel to determine the necessary next
steps.
Commentary
Those expecting any detailed cybersecurity process or procedures to be
outlined in this document will be sorely disappointed. The ‘guidance’ provided
is only the most basic and does not even attempt to address routine
cybersecurity issues such as authentication and encryption, separation of
networks, or authorized access to critical functions. That is the type of
discussion I would expect to see in some future motor vehicle safety standard
(MVSS) for cybersecurity.
What this guidance document is clearly intended to do is to
establish the legal authority of the NHTSA to regulate cybersecurity as part of
the Safety Act. It establishes NHTSA’s intent to address cybersecurity
vulnerabilities even if few or no actual accidents involving those
vulnerabilities have been reported.
Finally, it formally puts automotive manufacturers on notice that they are
responsible for the cybersecurity of all on-vehicle components and of all
off-vehicle applications designed to affect electronic vehicle components.
This is especially important because the major auto manufacturers are no longer
manufacturing more than a very small percentage of the component parts (including
electronic systems) that go into the vehicle.
The one major element missing from this overarching guidance is any mention of
the role of independent security researchers. Most manufacturers of
computer-based systems learned long ago that a large portion of the cyber
vulnerabilities in their systems are identified by researchers outside their
own organizations.
Coordination between those researchers and the vendors is an
important consideration. It would have been appropriate in this document to
announce the formation of an office within NHTSA that would provide that
coordination or an announcement that NHTSA and the DHS ICS-CERT had signed a
memorandum of understanding that ICS-CERT would perform that role in conjunction
with the folks at NHTSA.