Request for Comment on Automotive Electronic Control Systems Safety and Security |
---|
|
Nathaniel Beuse
National Highway Traffic Safety Administration
October 7, 2014
[Federal Register Volume 79, Number 194 (Tuesday, October 7, 2014)] [Notices] [Pages 60574-60583] From the Federal Register Online via the Government Printing Office [www.gpo.gov] [FR Doc No: 2014-23805] ----------------------------------------------------------------------- DEPARTMENT OF TRANSPORTATION National Highway Traffic Safety Administration [Docket No. NHTSA-2014-0108] Request for Comment on Automotive Electronic Control Systems Safety and Security AGENCY: National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT). ACTION: Request for comments. ----------------------------------------------------------------------- SUMMARY: This notice presents the National Highway Traffic Safety Administration's research program on vehicle electronics and our progress on examining the need for safety standards with regard to electronic systems in passenger motor vehicles. The agency undertook this examination pursuant to the requirements of the Moving Ahead for Progress in the 21st Century Act (MAP-21) Division C, Title I, Subtitle D, Section 31402, Subsection (a). In addition, and in accordance with MAP-21, we are seeking comment (through this document) on various components of our examination of the need for safety [[Page 60575]] standards in this area. As MAP-21 also requires this agency to report to Congress on our findings pursuant to this examination, we intend to submit a report to Congress based in part on our findings from this examination and public comments received in response to this document. DATES: You should submit your comments early enough to ensure that Docket Management receives them no later than December 8, 2014. ADDRESSES: Comments should refer to the docket number above and be submitted by one of the following methods: Federal Rulemaking Portal: http://www.regulations.gov. Follow the online instructions for submitting comments. Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12-140, Washington, DC 20590-0001. Hand Delivery: 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12-140, Washington, DC, between 9 a.m. and 5 p.m. ET, Monday through Friday, except Federal Holidays. Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Public Participation heading of the SUPPLEMENTARY INFORMATION section of this document. Note that all comments received will be posted without change to http://www.regulations.gov, including any personal information provided. Privacy Act: Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT's complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477-78). For access to the docket to read background documents or comments received, go to http://www.regulations.gov or the street address listed above. Follow the online instructions for accessing the dockets. FOR FURTHER INFORMATION CONTACT: For technical issues: Mr. David V. Freeman of NHTSA's Office of Vehicle Crash Avoidance & Electronic Controls Research at (202) 366-0168 or by email at david.v.freeman@dot.gov. For legal issues: Mr. Jesse Chang of NHTSA's Office of Chief Counsel at (202) 366-9874 or by email at jesse.chang@dot.gov. SUPPLEMENTARY INFORMATION: In this document, the agency is presenting its progress in conducting an examination of the need for safety standards and seeking comments on its findings thus far. The agency is directed to conduct this examination and report its findings to Congress by the Moving Ahead for Progress in the 21st Century Act (MAP- 21).\1\ --------------------------------------------------------------------------- \1\ Moving Ahead for Progress in the 21st Century Act, Public Law 112-141 (Jul. 6, 2012), Sec. 31402. --------------------------------------------------------------------------- I. MAP-21 and Examining the Need for Electronic System Safety Standards In section 31402 of MAP-21, Congress directs this agency to ``complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles.'' \2\ In conducting this examination, the Act directed the agency to consider various topics: --------------------------------------------------------------------------- \2\ Id. --------------------------------------------------------------------------- (1) Electronic components; (2) the interaction of electronic components; (3) the security needs for those electronic components to prevent unauthorized access; and (4) the effect of surrounding environments on the electronic systems.\3\ --------------------------------------------------------------------------- \3\ Id. --------------------------------------------------------------------------- Finally, the Act also directed the agency to allow for public comment in conducting this examination.\4\ Upon completing the examination, the Act also directs the agency to submit a report to Congress on the highest priority areas for safety with regard to the electronic systems.\5\ --------------------------------------------------------------------------- \4\ Id. \5\ Id. --------------------------------------------------------------------------- This document presents the agency's progress thus far in conducting the examination required in section 31402. We illustrate how we are examining each of the areas described by Congress in section 31402 and are seeking public comment on that examination. We intend to incorporate the comments received pursuant to this document in our report to Congress identifying the need for safety standards. II. Background a. NHTSA's Safety Role The National Highway Traffic Safety Administration (NHTSA) is responsible for developing, setting, and enforcing regulations for motor vehicles and motor vehicle equipment. Many of the agency's regulations are Federal Motor Vehicle Safety Standards (FMVSSs) with which manufacturers must certify compliance when offering motor vehicles and motor vehicle equipment for sale in the United States. NHTSA also studies behaviors and attitudes in highway safety, focusing on drivers, passengers, pedestrians, and motorcyclists. We identify and measure behaviors involved in crashes or associated with injuries, and working with States and other partners develop and refine countermeasures to deter unsafe behaviors and promote safe alternatives. Further, the agency provides consumer information relevant to motor vehicle safety. For example, NHTSA's New Car Assessment Program (NCAP) provides comparative safety information for various vehicle models to aid consumers in their purchasing decisions (e.g., the 5-star crash test ratings). The purpose of the agency's programs is to reduce motor vehicle crashes and their attendant deaths, injuries, and property damage. b. Growth in Automotive Electronics and Their Safety Challenges The use of electronics in the design of modern automobiles is a rapid ongoing progression. The first common use of automotive electronics \6\ dates back to 1970s and by 2009 a typical automobile featured over 100 microprocessors, 50 electronic control units, five miles of wiring and 100 million lines of code.\7\ Use of electronics is not new. It has enabled safer and more fuel-efficient vehicles for decades. Electric and hybrid vehicles could not have been developed and produced without the extensive use of electronics and proven safety technologies such as electronic stability control could not have been implemented. Over time, growth of electronics use has accelerated and this trend is expected to continue as the automotive industry develops and deploys even more advanced automated vehicle features. This trend results in increased complexities in the design, testing, and validation of automotive systems. Those complexities also raise general concerns in the areas of reliability, security, and safety assurance of growingly networked vehicles leveraging electronics. --------------------------------------------------------------------------- \6\ Not including electronics use for radio purposes. \7\ ``This car runs on code,'' R.N. Charette, 2009, http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code. --------------------------------------------------------------------------- Electronics provide many safety, security, convenience, comfort, and efficiency functions for vehicle operators through interconnections and communications with other onboard electronics systems. Common communications networks and protocols allow for the exchange of information between sensors, actuators, and the electronic control units that execute software programs to accomplish specific functions. A vehicle will typically feature multiple networks. [[Page 60576]] Those networks may be isolated from one another for a variety of reasons such as safety and security; however, in other cases different networks could be interconnected to enable exchange of information across a broader range of systems. Sharing data across multiple networks can be safeguarded against adverse influence over safety- critical systems; however, effectiveness of such approaches is only anecdotally known today. Growing system complexity and abundance of design variants even within one manufacturer over model years and across classes of vehicles pose general concerns over whether existing processes can ensure their functional safety. Further, anomalies associated with electronic systems--including those related to software programming, intermittent electronics hardware malfunctions, and effects of electromagnetic disturbances--may not leave physical evidence, and hence are difficult to investigate without a record of data from the electronic systems. While there are challenges, progressively introduced safety technologies, such as Automatic Emergency Braking (AEB), have the potential to significantly reduce the many thousands of fatalities and injuries that occur each year as a result of motor vehicle crashes. Further, continued innovation into more advanced forms of vehicle automation could address other types of crashes where human driver error plays a role. In May 2013, NHTSA released a preliminary statement of policy \8\ concerning automated vehicles where the agency outlined its planned research into emerging technologies. Given the complexity of these new systems in terms of the additional electronics software and hardware needed, electronic control systems safety will continue to grow in importance as these systems become more commonplace in production vehicles. --------------------------------------------------------------------------- \8\ http://www.nhtsa.gov/staticfiles/rulemaking/pdf/Automated_Vehicles_Policy.pdf. --------------------------------------------------------------------------- Along these lines, the Transportation Research Board (TRB) Special Report 308 \9\ by the National Academies of Sciences (NAS) in 2012 identified five challenges for the safety of future electronic control systems: --------------------------------------------------------------------------- \9\ The Safety Promise and Challenge of Automotive Electronics, insights from unintended acceleration, National Research Council of the National Academies, ISBN 978-0-309-22304-1, 2012. --------------------------------------------------------------------------- An increased amount of complex software that cannot be exhaustively tested; The highly interactive nature of the electronic control system--more interactions exist among system components, and the outcome may be difficult to anticipate; The growing importance of human factors consideration in automotive electronic control system design; The potentially harmful interaction with the external environment including electromagnetic interference; and The novel and rapidly changing technology. Further, the study offered recommendations to NHTSA on the actions that the agency could take to meet the five challenges they identified. These include: becoming more familiar with and engaged in standard- setting and other efforts (involving industry) that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems; convening a standing technical advisory panel; undertaking a comprehensive review of the capabilities that the agency will need in monitoring for and investigating safety deficiencies in electronics- intensive vehicles; ensuring that Event Data Recorders (EDRs) become commonplace in new vehicles; conducting research on human factors issues informing manufacturers' system design decisions; initiating a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics that give rise to an agenda for meeting them; and making the formulation of a strategic plan a top goal in NHTSA's overall priority plan. In addition to the challenges regarding electronic components and their ability to function reliably in spite of their complex interactions, NHTSA believes there are also challenges with regard to the ability of these systems to remain free of unauthorized access or malicious attacks. While documented demonstrations 10 11 12 of vehicle hacking to date have required some form of long-term physical access to the vehicle and our review has not identified any reported field incidents resulting in a safety concern, we recognize that lack of occurrence does not imply impossibility. As further discussed in this document, NHTSA is interested in gathering and evaluating information from the public (as part of its examination pursuant to MAP-21) to determine what additional work is needed in this area. --------------------------------------------------------------------------- \10\ ``Experimental Security Analysis of a Modern Automobile,'' K. Koscher et. al., IEEE Symposium on Security and Privacy, Oakland, CA, 2010. \11\ ``Comprehensive Experimental Analyses of Automotive Attack Surfaces,'' S. Checkoway et.al., USENIX Security, 2011. \12\ ``Adventures in Automotive Networks and Control Units,'' C. Miller, C. Valasek, DEF CON 21, Las Vegas, NV, 2013. --------------------------------------------------------------------------- c. Industry's Existing Safety Assurance Processes Notwithstanding the increased difficulty in the safety assurance of growingly more complex systems, the automotive industry uses a number of safety and quality assurance practices in the design of safety critical systems, which are not unique to but also cover electronic systems. As documented in a number of publications and also summarized in the NAS Report, these approaches include the: Establishment of system safety requirements; assessment of design hazards and risks at component, function, system, manufacturing and process levels such as by the use of failure mode and effects analysis \13\ (FMEA) and fault tree analysis \14\ (FTA); --------------------------------------------------------------------------- \13\ IEC 60812 standard covers the process for conducting FMEA analysis. \14\ IEC 61025 standard covers the process for conducting FTA analysis. --------------------------------------------------------------------------- quality management systems such as ISO/TS 16949,\15\ advanced product quality planning (APQP), and Design for Six Sigma (DFSS); --------------------------------------------------------------------------- \15\ ISO/TS 16949:2002 covers particular requirements for the application of ISO 9001:2000 for automotive production and relevant service part organizations. --------------------------------------------------------------------------- design validation and verification testing such as electrical, environmental, lab, test track and limited field trials; variants of production part approval process (PPAP); and post deployment field data analysis. Further, many automotive original equipment manufacturers (OEM) were actively engaged in the development and revision of the ISO 26262 \16\ standard and some have already started to follow its principles. As further discussed in this document, NHTSA is interested in gathering and evaluating information from the public (as part of its examination pursuant to MAP-21) to determine whether there are emerging gaps in the functional safety assurance processes of motor vehicles. --------------------------------------------------------------------------- \16\ International Organization for Standardization (ISO) standard for Road vehicles--Functional safety. --------------------------------------------------------------------------- d. Existing Safety Process Standards Research Overview Sectors of the automotive industry currently consider electronics safety and cybersecurity as part of their design and quality control processes. Three process [[Page 60577]] standards from the broader transportation industry are frequently mentioned as suitable and preferred methods also used in the design of road vehicles usually complementing existing safety assurance practices: ISO 26262, MIL-STD-882E, and DO-178C. ISO 26262 is the first automotive industry specific standard \17\ that addresses safety-related systems comprised of electrical, electronic, and software elements providing safety-related functions in the design of road vehicles. It is an adaptation to the International Electrotechnical Commission (IEC) 61508 \18\ standard to road vehicles. The first publication of ISO 26262 was in November 2011. This standard seeks to address various important challenges facing today's road vehicle technologies including: --------------------------------------------------------------------------- \17\ Van Eikema Hommes, Q., ``Review and Assessment of the ISO 26262 Draft Road Vehicle--Functional Safety,'' SAE Technical Paper 2012-01-0025, 2012, doi:10.4271/2012-01-0025. \18\ IEC 61508 is an international standard for functional safety of electrical/electronic/programmable electronic safety- related systems. This standard considers all of the environments that could result in an unsafe situation for the subject product, including shock, vibration, temperature, and electromagnetic fields and their induced voltages and currents. --------------------------------------------------------------------------- The safety of new electrical, electronic, and software functionality in vehicles; the trend of increasing system complexity, software content, and use of electromechanical components; and the risk from both systematic failure and random hardware failure. Typical concerns associated with the ISO 26262 standard may include that the Standard could be laborious to apply; hardware portions of the standard's coverage may be very similar to existing industry practices with limited incremental benefits; software portions of the standard may primarily recommend good systems engineering practices for software safety; and assessment of the automotive safety integrity levels (ASIL) may vary due to subjectivity in the process. Due to some of these limitations, existing practices and ISO 262626 are sometimes augmented with more mature system engineering approaches that are outlined in MIL-STD-882E and DO-178C, particularly on the software engineering side. MIL-STD-882E is the U.S. Department of Defense's systems engineering approach for eliminating hazards, where possible, and minimizing risks where those hazards cannot be eliminated. By taking a systems approach, this standard considers hazards in the entire lifecycle of systems, products, equipment, and infrastructure including design, development, test, production, use, and disposal stages. The principle of this standard is that system safety should follow the system engineering process, and is the responsibility of all functional disciplines, not just the system safety professionals. This standard has gone through a number of revisions in order to adapt to changes in technology and lessons learned through experience. In the aviation industry, DO-178C \19\ is an accepted guidance for software development. Conformance to this standard means the software satisfies airworthiness \20\ requirements with an acceptable level of confidence. As part of the airworthiness certification process, DO-178C provides guidelines to produce the software lifecycle data needed in order to support the certification process (e.g. plans for software development, verification, configuration management, and quality assurance). It also provides a comprehensive list of considerations in order to avoid errors and mistakes that could be introduced into software. DO-178C considers system software development as a subset of the overall system development process. It assumes that safety-critical requirements for software systems are defined in the higher-level system engineering activities and are given at the beginning of the software development process. Some automotive companies indicated that the principles outlined in this more mature standard complement the software standard described in ISO 26262 Part 6,\21\ which is still evolving. --------------------------------------------------------------------------- \19\ DO-178C: Software considerations in airborne systems and equipment certification. \20\ Airworthiness of an aircraft refers to meeting established standards for safe flight. \21\ ISO 26262-6:2011-Road vehicles; Functional safety; Part 6: Product development at the software level. --------------------------------------------------------------------------- As we discuss further in this document, NHTSA continues to investigate functional safety approaches for the automotive industry that may effectively address emerging concerns from the increased use of electronics and software in the design of automobiles. e. Available Data \22\ Sources Research Overview --------------------------------------------------------------------------- \22\ Data for purposes of examining the need for safety standards with regard to automotive electronic systems does not include personally identifiable information about the operators. --------------------------------------------------------------------------- For purposes of determining the capabilities of various datasets to categorize and rank vehicle electronics safety issues, we considered vehicle recall data, vehicle owner's questionnaire (VOQ) data, early warning reporting (EWR) data, and data from our field crash investigation databases such as National Automotive Sampling System (NASS), Fatality Analysis Reporting System (FARS), and Special Crash Investigation (SCI) database. Further, we considered event data recorder (EDR) capabilities. We briefly describe our findings on these various data sources in this section. While we believe that the sources of information available to NHTSA in this regard are useful in helping the agency begin to identify the highest priority areas with regard to electronic components (and their interactions), we also believe that they have certain limitations in ranking safety issues associated with vehicle electronics. This limitation is mostly driven from the lack of detailed information regarding specific electronic system failure types. Hence, in section V. we seek comment from the public as to what other sources of information and data are available. The vehicle recall database is a publicly available resource that documents safety defects or failures to meet minimum performance standards set by the Federal Motor Vehicle Safety Standards (FMVSS) in a motor vehicle or item of motor vehicle equipment. When manufacturers decide a safety defect or a noncompliance exists in a motor vehicle or item of motor vehicle equipment they manufactured, they are required to notify NHTSA and furnish a report with particular information about the defect or noncompliance, the products involved, and additional information including the manufacturer's plan to remedy for free the defect or noncompliance (See U.S.C. 30118 and 49 CFR 573.6). Defect and noncompliance notifications and information reports are reviewed by NHTSA analysts who enter them in the recall database. The database includes summaries of the defect description, consequences, and remedy for each recall. The number of vehicle recalls has increased significantly in the past 20 years, nearly tripling from 1993 (222) to 2013 (654). While the vehicle recall database contains a large amount of useful information, the database and underlying defect reports were not intended for detailed or precise statistical analyses of recalls by typology or root cause related to motor vehicle electronic systems. Any such analysis requires a manual review and classification process. However, this work can be limited by the amount of detail contained in the defect [[Page 60578]] information reports, which normally provide more general descriptions of the defect condition and potential safety consequences. Vehicle Owner Questionnaires (VOQs) are voluntarily submitted by consumers to NHTSA to report a complaint in a vehicle or related equipment item. Each complaint (which is stored in a database and made available to the public redacted of personal identifiers) identifies the vehicle type, incident specifics, and includes a free form narrative to describe details. Complaint content and trends are helpful for general screening purposes but follow-up is sometimes necessary to verify and clarify complaints and incident specifics. Approximately 50,000 VOQs were filed in 2013. Another source of data is the EWR system. Several data types are regularly reported to NHTSA by manufacturers. The data include non- dealer field reports (documents), listings of death/injury claims (records), and aggregated counts of certain claim types. The quarterly reporting interval, high level component coding of aggregate figures, and variability in manufacturer reporting are factors that are considered when analyzing certain EWR data sets to study safety critical embedded control systems. Field reports are the only EWR data sets available for evaluating specific defect conditions, including incidents in which the problem is intermittent or cannot be duplicated. Separately, regarding our national crash databases, the National Automotive Sampling System (NASS) \23\ is composed of two systems--the Crashworthiness Data System (CDS) and the General Estimates System (GES). These are based on cases selected from a sample of police crash reports. CDS data focus on passenger vehicle crashes, and are used to investigate crash circumstances, vehicle crash response and occupant injury and identify potential improvements in vehicle design. The GES database contains crash statistics on police-reported crashes involving all types of vehicles. The information comes from samples of police reports of the estimated six million crashes that occur annually. Each NASS database is weighted to characterize a nationally representative sample. Each crash must involve at least one motor vehicle traveling on a traffic way, which results in property damage, injury, or death, and it must be obtained from a police report. --------------------------------------------------------------------------- \23\ http://www.nhtsa.gov/NASS. --------------------------------------------------------------------------- The Fatality Analysis Reporting System (FARS) \24\ is a nationwide census database on crashes involving fatalities containing similar information to NASS-GES. These two crash databases consist of approximately 120 data elements that describe the crash, which are derived from review of police crash reports by trained data entry personnel; however, similar to the case with VOQs, there may be challenges in using these databases to perform detailed analyses for purposes of ranking emerging electronics concerns because data elements were not established with this specific purpose in mind. In combination with other datasets, analysis of GES and FARS can still provide confirming or augmenting evidence in identifying potential priority areas in electronics reliability. --------------------------------------------------------------------------- \24\ http://www.nhtsa.gov/FARS. --------------------------------------------------------------------------- The Crash Injury Research and Engineering Network (CIREN) database consists of over 1,000 discrete fields of data concerning severe motor vehicle crashes, including crash reconstruction and medical injury profiles extending back to 1996. CIREN cases feature detailed data on occupant injury, vehicle damage and restraint technology and crash environment, as well as technical or human factors that are related to injury causation in motor vehicle crashes. Each CIREN case is reviewed together by both medical and engineering professionals, along with the crash investigator, to determine injury causation and data accuracy. The Special Crash Investigations (SCI) \25\ database contains a range of data collected from basic data contained in routine police and insurance crash reports to comprehensive data from special reports by professional crash investigation teams. Hundreds of data elements relevant to the vehicle, occupants, injury mechanisms, roadway, and safety systems are collected for each of the over 100 crashes designated for study annually. SCI cases are intended to be an anecdotal data set useful for examining special crash circumstances or outcomes from an engineering perspective. The SCI program's flexibility allows for investigations of new emerging technologies related to automotive safety. --------------------------------------------------------------------------- \25\ http://www.nhtsa.gov/SCI. --------------------------------------------------------------------------- Finally, Event Data Recorders \26\ (EDRs) are devices that may be installed in a motor vehicle to record technical vehicle information for a few seconds leading up to the crash. For instance, EDRs may record vehicle speed, engine throttle position, brake use, driver safety belt status, and air bag warning lamp status. NHTSA has been using EDRs to support its crash investigation program for several years and EDR data is routinely incorporated into NHTSA's crash databases. This type of data could potentially play a role in finding when safety critical automotive electronics were not functioning properly. --------------------------------------------------------------------------- \26\ In 2006, NHTSA published a final rule creating a regulation (49 CFR Part 563, Event Data Recorders (Part 563)) that specifies the minimum data set that should be collected if a manufacturer decides to voluntarily install an EDR in their vehicle, along with requirements for the range and accuracy of EDR data, as well as requirements for storage and retrieval. Part 563 applies to vehicles manufactured on or after September 1, 2012. In December 2012, NHTSA proposed a standard that would mandate EDRs on all vehicles required to have frontal air bags. (77 FR 74144). No final rule publication date has been established. --------------------------------------------------------------------------- III. Our Examination of the Areas Identified in MAP-21 to Date NHTSA has been actively engaged in research (both internally and with outside parties) in automotive electronics reliability, cybersecurity, and emerging technologies in advanced vehicle automation for the past two years. The agency has established, per MAP-21,\27\ a Council on ``Vehicle Electronics, Vehicle Software, and Emerging Technologies'' to coordinate and share information on a broad array of topics related to advanced vehicle electronics and emerging technologies. The Council is governed by senior NHTSA management and the mission of the group is to broaden, leverage, and expand the agency's expertise in motor vehicle electronics to continue ensuring that technologies enhance vehicle safety and review and advise on the research program established over electronics reliability, cybersecurity and automation topics. --------------------------------------------------------------------------- \27\ Moving Ahead for Progress in the 21st Century Act, Public Law 112-141 (Jul. 6, 2012), Sec. 31401(a). --------------------------------------------------------------------------- With input from the Council, NHTSA has identified and funded initial research into the following areas: Hazard analyses of safety-critical electronic vehicle control systems, applying Hazard and Operability (HazOp) process referenced within the ISO 26262 standard as well as System Theoretic Process Analysis (STPA); Examination of process oriented functional safety and security standards for automotive electronics design and development; Automotive cybersecurity concerns, threats, and vulnerabilities, and potential countermeasures; Best practices in safeguarding against cybersecurity risks in related but in non-automotive industries; and [[Page 60579]] Human factors and other emerging concerns associated with highly automated vehicles. Because the agency was already investigating vehicle electronics as a new and emerging research area for vehicle safety prior to the passage of MAP-21, the agency has already completed some research and analyses that address some of the items listed by Congress in section 31402 of MAP-21. Research reports are available on the agency's Web site \28\ and we expect to publish more reports as projects are completed over the 2015-16 timeframe. It should be noted that the research described in this notice represents research already underway and future research that the agency anticipates undertaking as resources permit. This section shows our initial progress on the areas that Congress directed the agency to consider in the examination required under section 31402. We further request comments on our research thus far and request specific comments on the issues identified in the following sections. --------------------------------------------------------------------------- \28\ Office of Vehicle Crash Avoidance & Electronic Control Research technical publications are posted on the NHTSA Web site at http://www.nhtsa.gov/Research/Crash+Avoidance/Office+of+Crash+Avoidance+Research+Technical+Publications. --------------------------------------------------------------------------- a. Electronics Components and the Interaction of Electronic Components To examine the potential safety concerns associated with electronic components and interactions of electronic components, we initiated research in developing potential approaches to analyzing the automotive electronic control system architecture and their interconnections. In conjunction, we reviewed data sources available to NHTSA to assess datasets that would be useful to analyze for purposes of this initiative (as documented in section II.e.). Further, we initiated systematic hazard analyses on select safety-critical automotive control systems to better understand the vehicle level safety risks. In the following paragraphs, we provide further details on these research topics that enable us to begin examining the first two areas stated in MAP-21 systematically. NHTSA is also conducting research to develop an electronics-related failure-typology.\29\ As part of this research, we are evaluating the various sources of data described in section II. e. (defect data, crash databases, etc.) to determine if suitable data exists at this time to effectively utilize a detailed failure typology that would describe and categorize the hazards and causes of automotive electronic control system failures. Through such analysis, the agency would like to understand how trends in the underlying data for the chosen dataset change over time as a function of increased use of electronics. We expect to publish our failure-typology research in 2015 and continue our research on appropriate datasets into 2016. --------------------------------------------------------------------------- \29\ Establishing a failure typology refers to developing categories and data elements that can help the agency (and others) organize the types of failures relating to electronic control systems in vehicles. Establishing the typology is an important step in helping to create a structure to help analyze potential safety problems relating to electronics in vehicles. --------------------------------------------------------------------------- Another approach we are taking is to study the automotive electronic system architecture. Functional safety assurance of modern automobiles requires a thorough understanding of electronic control systems' design under a variety of scenarios. These circumstances include systems' behavior under nominal conditions and also during failure conditions. Equally important are state-of-the-art capabilities in detecting failures (diagnostic/prognostic) and fault-tolerant and/or fail-safe strategies that can prevent errors from resulting in safety hazards. To this end, NHTSA funded initial research to perform hazard analyses in select safety-critical automotive control system areas, such as Accelerator Control Systems (ACS)/Electronic Throttle Control (ETC), Rechargeable Energy Storage Systems (RESS), and steering and braking control systems within the context of automatic lane centering function. These studies apply the Hazard and Operability (HazOp) process referenced within the ISO 26262 standard as well as System Theoretic Process Analysis (STPA) approach to identify the system level hazards associated with potential failures in the subject control systems. The purpose of these studies is to better understand the critical automotive system functions, failures, and risks and identify safety goals and requirements. Further, another purpose is to compare and contrast results obtained from existing hazard analyses techniques. We are currently prioritizing our hazard analysis research to cover electronic throttle control, steering control, braking control and motive power areas. We expect to publish a series of research reports on hazard analyses starting in 2015. A typical automotive electronic control system primarily relies on the following to perform its intended purposes: Sensors (measurements); Interpretation of sensed signals (e.g. conversion, configuration, classification); Estimations of parameters (when direct sensing may not be available, e.g., vehicle speed); Actuators (to carry out the intended motive); Communication networks (that facilitate electronic exchange of information between sensors, controllers and actuators); Design and programming of the control algorithm (conditions and respective actions) including: a. Design and software coding that implement: i. The intended functions; and ii. system monitoring and malfunction detection logic; and b. supervisory logic that arbitrates between multiple, potentially conflicting, subsystem commands; and Availability of motive power. Interactions between electronic components (and distributed embedded systems) are facilitated primarily by communication networks and shared use of sensors, software logic and actuators. Prioritization of competing requests from the various control subsystems and the driver for safety-critical functions is a potential area of anticipated future research due to continued proliferation of safety and convenience functions. Comments Requested (1) NHTSA currently has research underway that is evaluating the hazards associated with electronic control systems that could impact a vehicle's steering, throttle, braking and motive power first because they can impact the fundamental control functions that a driver performs (such as providing lateral (via steering) and longitudinal (throttle, braking) control for the vehicle). This means, we would research safety hazards associated with other automotive electronic control systems (e.g. safety restraint systems control, power door lock control, lighting control) later. We seek comment on this approach from a need for standards research priority stand-point. (a) Should the agency pursue alternative approaches to categorize and prioritize potential electronic control system hazards and impacts to support new standards? (b) For hazard analysis research, the agency is currently pursuing HazOp and STPA. What other hazard analysis methods should the agency also consider and why? (c) What other automotive electronics should we consider in our research that could affect the electronics in the safety critical systems we identified (steering, throttle, brakes, etc.)? [[Page 60580]] (2) NHTSA currently has research underway that is evaluating system performance requirements for critical safety systems. We seek comment on automotive electronic component and system performance requirements for control systems that impact throttle, braking, steering, and motive power management: (a) What performance-based tests, methods, and processes are now available for safety assurance of these types of automotive electronic control systems? (b) What series of performance-based tests should the agency consider to ensure safe functionality of these types of automotive electronic control systems under all real-world conditions (e.g. nominal, expected, non-nominal, and failure conditions)? (c) Performance tests would ideally be applicable regardless of any specific design choices. We surmise that electronic components may have a wider variety of manufacturer specific tuning and implementation variations. What types of challenges does this create for designing performance tests for electronic components? What methods are available for addressing those challenges? (3) NHTSA currently has research underway that is evaluating diagnostics and prognostics for critical safety systems. We seek comment on vehicle health monitoring, diagnostics, and prognostics capabilities and fault-tolerant design alternatives for automotive safety applications. (a) What methods are effective in identifying potential anomalous behavior associated with electronic components, systems, and communications reliably and quickly? (b) What strategies do current vehicles have for activating a ``fail-safe'' mode when critical problems are detected? What types of problems are classified as ``critical'' and how does the vehicle detect these problems? (c) What state-of-the-art detection and fail-safe response methods should the agency be aware of and further assess? (4) NHTSA currently has research underway that is evaluating various process standards and their applicability to critical safety systems. We seek comment on testing, validation, certification, and regulation alternatives for vehicle electronics to these process standards: (a) What are the pros and cons of utilizing a process-- certification method (e.g., ISO 26262) where the manufacturer is asked to identify, categorize, and consider potential remedies for electronics safety problems? (i) What approaches should be considered for manufacturers to demonstrate conformity with voluntary industry process standards such as ISO 26262? (ii) How does one evaluate conformity to a process standard that uses an engineer's best judgment to identify, categorize, and consider potential remedies to electronics safety problems? (iii) What verification steps may be appropriate to ensure that potential standards are met? b. Security Needs To Prevent Unauthorized Access to Electronic Components Cybersecurity, within the context of road vehicles, is the protection of vehicular electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation. NHTSA has been actively researching existing cybersecurity standards and best practices in automotive and other industries. In reviewing the practices of other industries in dealing with cybersecurity issues, NHTSA has identified two general process-oriented approaches to addressing cybersecurity concerns. The first is design and quality control processes that focus on cybersecurity issues throughout the lifecycle of a product. The second is dealing with cybersecurity issues through establishing robust information sharing forums such as an Information Sharing and Analysis Center (ISAC). This section discusses the agency's findings regarding each of these strategies. In regards to security design and quality assurance processes, the automotive manufacturers, suppliers, and other stakeholders are collaborating through SAE International to examine the emerging vehicle cybersecurity concerns and considering actions that could include the development of voluntary standards, guidelines, or best practices documents. While there may be no readily-available automotive cybersecurity standards at this time, NHTSA's research identified general cybersecurity safeguarding approaches that can potentially be examined and adapted for use in the automotive industry. For example, the cybersecurity framework \30\ developed and published by the National Institute of Standards and Technology (NIST) treats cybersecurity as a process integrated into the system, component, and device lifecycle. The guidelines referenced in this framework could allow the automotive industry to develop a security program for modern-day automobiles analogous to information security programs in place for information technology (IT) systems in general. Similarly, system security engineering could potentially be incorporated into the design process in a way similar to system safety engineering as specified in ISO 26262 and ``E-safety vehicle intrusion protected applications (EVITA).'' \31\ --------------------------------------------------------------------------- \30\ ``Framework for Improving Critical Infrastructure Cybersecurity,'' Version 1.0, NIST, 2014. Accessible at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf. \31\ EVITA is a project co-funded by the European Union that aims to design, verify, and prototype architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise (http://www.evita-project.org/). --------------------------------------------------------------------------- In regards to information sharing mechanisms, NHTSA studied \32\ the ISAC model for safeguarding against cybersecurity risks and threats in other industries such as financial services, information technology, and communications. Our initial analyses indicate that an automotive sector specific information sharing forum, such as an ISAC, is beneficial to pursue. It could advance the cybersecurity awareness and countermeasure development effectiveness among public and private stakeholders. ISACs have a unique capability to provide comprehensive inter- and intra-sector coverage to share critical information pertaining to sector analysis, alert and intelligence sharing, and incident management and response. Our research across other industries indicates that prevention of cyber-threats would be impractical if not impossible. This fact and the successful use of ISACs in other industry sectors suggest that it might also be effective for the auto industry to have mechanisms in place to expeditiously exchange information related to cyber-threats, vulnerabilities, and countermeasures among industry stakeholders. Such a mechanism would enhance the ability of the automotive sector to prepare for, respond to, and recover from cyber threats, vulnerabilities and incidents. Related to the sector- wide cybersecurity information sharing topic, the Alliance of Automotive Manufacturers (Alliance) and the Association of Global Automakers (Global Automakers) [[Page 60581]] wrote \33\ to NHTSA in July 2014 to inform about the new cybersecurity initiative they are undertaking with the goal of establishing a voluntary automobile industry sector information sharing and analysis center or other comparable program. In response,\34\ NHTSA encouraged Alliance and Global Automakers (as well as automotive original equipment manufacturers) to proceed expeditiously with the outlined process and expressed Agency's hope that their plan would target a date in 2015 for an automotive industry ISAC to become operational. --------------------------------------------------------------------------- \32\ The study report ``An assessment of the information sharing and analysis center (ISAC) model'' can be accessed at the ``Automotive Cybersecurity Topics and Publications'' docket: NHTSA- 2014-0071. \33\ Correspondence related to this initiative can be viewed in the ``Automotive Cybersecurity Topics and Publications'' docket: NHTSA-2014-0071. \34\ Id. --------------------------------------------------------------------------- Security process standards and information sharing forums fit in a larger, more comprehensive automotive cybersecurity assurance approach. In general terms, there are four major pieces to the agency's research approach: 1. Preventive methods and techniques: This group of techniques would seek to harden the design of automotive electronic systems and networks such that it would be difficult for malicious attacks to take place in newer generation systems. Deployment and use of structured security process standards could help identify vulnerabilities such that necessary design improvements can be identified and implemented. These vulnerabilities include possible entry points through accessible physical interfaces such as the OBD-II port, USB ports, CD/DVD players; short range wireless interfaces, such as Bluetooth, Wi-Fi, or Dedicated Short Range Communications (DSRC); and long-range wireless interfaces such as cellular or satellite-based connectivity to the vehicle. Examples of design improvements include potential use of: a. Encryption and/or authentication on communication networks; b. different communication approaches or protocols; segmentation/ isolation of safety-critical system control networks; c. strong authentication controls for remote access to vehicles; d. gateway controls between interfaced vehicle networks; etc. Other approaches in the field of prevention research include methods such as those investigated in the Defense Advanced Research Projects Agency's (DARPA) high-assurance cyber military systems (HACMS) \35\ program. The primary intents of this category of activities are (1) to significantly reduce the probability of cyber risks; and (2) to limit the impact of a potential cybersecurity breach (e.g. one vehicle as opposed to an entire fleet). NHTSA initiated applied research into vulnerability assessment and preventive type measures in 2014 and expects to publish reports starting in 2016. --------------------------------------------------------------------------- \35\ http://www.darpa.mil/Our_Work/I2O/Programs/High-Assurance_Cyber_Military_Systems_(HACMS).aspx. --------------------------------------------------------------------------- 2. Real-time intrusion detection methods: Total security through preventive measures may not be realistically achievable. Thus, as a complement to the preventative measures, detecting intrusions into the system through communications networks would provide additional protection. A cybersecurity breach would take place on or through a communication network. From an intrusion detection perspective, vehicular network communications are considered fairly predictable and well-suited for real-time monitoring to detect anomalous activity with respect to nominal expected message flows. We are initiating research into this type of technologies in the automotive sector. 3. Real-time response methods: Once a potential intrusion is detected, the strategies to mitigate its potential harmful impacts would also need to be designed in a practical manner. Depending on the potential risks and level of intrusion detection confidence, the vehicle architecture could be designed to take a variety of actions such as: temporarily or permanently shut down the communication network(s) (at the potential cost of disabling various safety functions); inform the driver; record and transmit data before-and- after trigger point for further analysis and counter-measure development, etc. The purpose of this category of cybersecurity defense is to mitigate the potential harmful consequences of detected anomalous activity on the vehicle experiencing the potential breach. We expect to develop further research into this category of methods in 2016. 4. Treatment methods: While the previous paragraph discussed response methods (deal with ensuring fail-safe operation of the vehicle where an intrusion is detected), treatment methods deal with distributing information related to the subject risk to other potential vulnerable entities even before the compromise may be experienced by them. Treatment methods involve timely information extraction from impacted parties, their analysis, development of countermeasures and timely dissemination to all relevant stakeholders (such as through an ISAC). This approach allows for design of stronger preventive methods in future generations of electronics. As outlined earlier, automotive industry (through Alliance and Global Automakers) is actively exploring information sharing alternatives related to automotive cybersecurity and NHTSA is closely monitoring activities related to this initiative. Comments Requested (1) We seek comment on any technical areas of automotive cybersecurity that the agency could focus on in its further research. (a) Specifically, are there particularly vulnerable or strong design architectures that the agency should further examine? (b) What additional types of techniques (either in real world occurrences or as a part of research) have persons used to gain unauthorized access to vehicle systems? What types of systems were such persons able to gain access to? (c) What is the public's view on the differences in cybersecurity risks associated with an intrusion that requires use of in-cab physical interfaces (e.g. OBD-II port) versus close-proximity wireless interfaces (e.g. Bluetooth) versus long-range wireless means (e.g. cellular/satellite links)? (2) We seek comment on security process standards. (a) What security process standard alternatives are available? How do these standards differ and are there standards that are more suitable for application to the automotive industry versus others? (b) Could security assurance be handled within a modified framework of existing safety process standards (such as FMEAs, FTAs, ISO 26262) or does ``design for security'' require its own process? (3) We seek comments on security performance standards. In contrast to the process standards (that establish methods for considering cybersecurity risks during product design), we use the term ``performance standard'' to mean standards that evaluate the cybersecurity performance (or resilience) of a system after production of the final product. (a) What types of metrics are available to test a vehicle's ability to withstand a cyber-attack? (b) Are there any common design characteristics that help ensure a minimum level of security from unauthorized access to a vehicle's electronic control systems? (c) What performance-based tests, methods, and processes are available for security assurance of automotive electronic control systems? [[Page 60582]] (d) Are there hardware, software, watchdog algorithm, etc. requirements or criteria that would help differentiate algorithm designs that are more secure against cyber-attack? c. Effects of the Surrounding Environment on Electronic Component Performance In addition to malicious interference that may be artificially introduced (as covered under cybersecurity in section III.b.), the surrounding natural environment could affect the electronic components and systems in three primary ways: 1. By creating conditions that could cause electronic components to fail prematurely; 2. By creating conditions that could result in electronic control systems to act in unintended ways; and 3. By creating conditions for electronic sensors or systems to perceive the environment differently than reality. Effects of the environment potentially causing electronic components to fail prematurely, such as through moisture, heat and corrosion, are typically handled by fail-safe strategies. Monitoring algorithms can detect sensors and components that fail and operate outside of the intended range and inform control algorithms to operate in fail-safe mode. Manufacturers take placement and environmental exposure into account in the design of electromechanical components. Examples of the environment potentially causing electronic control systems to act in unintended ways are electromagnetic interference (EMI) and potential build-up of low-resistance paths on a circuit- board, such as a tin whisker.\36\ OEMs very commonly perform electromagnetic compatibility (EMC) testing on their platforms in accordance with SAE International \37\ and ISO \38\ standards. NHTSA has investigated EMI effects on an electronic control system in a recent investigation. In 2010, NHTSA and National Aeronautics and Space Administration (NASA) conducted EMC testing as part of the inquiry into whether Unintended Acceleration (UA) was related to the electronic throttle control system in Toyota vehicles. In this study, EMC testing at exposure levels well above existing certification standards did not produce open throttle.\39\ --------------------------------------------------------------------------- \36\ A crystalline, hair-like structure of tin that can form on a tin-finished surface. (taken from NAS Report). \37\ SAE J551, SAE J1113. \38\ ISO 7637, ISO 10605, ISO 11451, ISO 11452. \39\ ``Technical Support to the National Highway Traffic Safety Administration (NHTSA) on the Reported Toyota Motor Corporation (TMC) Unintended Acceleration (UA) Investigation'', 2011, NASA. Section 6.8 of this report discusses the EMC testing and the full report can be accessed at http://www.nhtsa.gov/staticfiles/nvs/pdf/NASA-UA_report.pdf. --------------------------------------------------------------------------- Among the risks with EMI is for the electronic control unit's memory settings to be altered unintentionally. This could change the way the system behaves especially if the EMI's influence is not detected. Manufacturers utilize various methods to prevent unintended EMI influence, such as by retaining safety critical system parameters in more than one memory location (such that a random alteration could be detected and system shut down with warning). Formation of conductive tin whiskers on a circuit board could potentially result in low resistance paths and unintended system behavior, particularly if they cause a short between circuits resulting in unintended activation of an actuator. Most such issues result in electrical faults and safe shut- down of corresponding functions. Manufacturers use various techniques to mitigate the concern including changes to the manufacturing process, addition of elements like copper and nickel, and the use of surface coatings. Further, circuit board design takes into account the possibility of circuit-board shorts in trace placement. Another possibility is for the environment to impact the advanced sensors (such as radar, lidar, cameras, GPS, etc.) on a contemporary vehicle in a way that could result in unintended engagement or non- operational status of system functions. To mitigate this risk, manufacturers utilize various forms of sensor fusion technologies to reduce reliance on any single sensor signal for safety-critical functions. Related to 5.9 GHz DSRC, NHTSA is initiating research into analyzing potential communication interference impacts of devices that operate on and in neighboring spectrums of the DSRC band.\40\ NHTSA expects to complete this study in 2015. --------------------------------------------------------------------------- \40\ DSRC band: 5.850-5.925 GHz. --------------------------------------------------------------------------- Comments Requested (1) NHTSA has reviewed the state-of-the art with respect to environmental conditions and vehicle electronics. What other ways can the environment impact electronic system performance other than the ways that we have considered, above? (2) NHTSA has done some testing on interference issues. We seek comment in the area of EMI/EMC. (a) What could the agency do to further assess the electromagnetic interference (EMI) susceptibility impacts of growing use of electronics on automotive system safety and assess the adequacy of existing voluntary standards? (b) Are there known EMI susceptibility differences in vehicles designed and sold in the U.S. versus in regions where EMC may be explicitly regulated? (3) We seek comment in the area of the environment's potential impact on advanced automotive sensors. (a) Are any particular sensing technologies more susceptible or less susceptible to such effects (including EMC and other environmental effects such as moisture, corrosion, etc.)? IV. Additional Comments Requested In addition to the comments requested in regards to the specific topics discussed above, we are also seeking comment on other general issues relating to electronic component safety and cybersecurity. (1) One issue that we seek comment is the potential for voluntary safety process standards to help address challenges introduced by expanding use of electronics in automotive applications. In section II.d. above, we discuss the various design and quality control processes that the industry already uses to assess the safety and cybersecurity of their electronic components (e.g., ISO 26262). (a) We seek public comment on the degree to which this type of safety process standard can provide an adequate level of protection from electronic component failures or potential cybersecurity breaches. (i) What voluntary industry standards are best able to address safety assurance of electronics control system design for motor vehicles? (ii) Specifically, what elements of the voluntary industry standards are best able to address electronics control systems and cybersecurity issues in motor vehicles? (iii) What other standards than those described in this document are relevant for the agency to consider? (b) What types of concerns with regard to electronic components safety and cybersecurity would not be addressed by voluntary safety process standards? (i) What other standards are available that could address this type of safety concern? (ii) What software development, validation and safety assurance methods and processes are suitable for safety critical automotive control systems? (c) Are existing process standards such as ISO 26262, IEC 60812, IEC 61025, etc, suitable to address electronic [[Page 60583]] control system design challenges for more advanced forms of vehicle automation? (2) Another issue that we seek comment on is in regards to the available information and data sources for identifying and understanding the issues related to electronic component reliability and cybersecurity. We recognize that much of the data available to the agency captures retrospective data. Thus, the traditional sources of information available to the agency have various limitations in this rapidly-developing area of automotive technology. Information that shows historic data on electronic component issues may not necessarily give an accurate prediction of what future electronic component reliability and cybersecurity issues can be. We seek comment on the data sources that are identified for potential consideration in the categorization of priority focus areas for electronics reliability. (a) We are especially interested in identifying any potential data sources that could assist the agency in identifying potential emerging electronic component failures in vehicles in a timely manner. (b) Has the agency considered all the relevant data on this subject? What additional sources of information could the agency consider? (3) We seek comment on what other information sources or strategies are available that can enhance the ability to detect potential electronics system related concerns in a timely fashion. What methods are available to improve traceability of potential electronic control system malfunctions? V. Public Participation How do I prepare and submit comments? Your comments must be written and in English. To ensure that your comments are filed correctly in the docket, please include the docket number of this document in your comments. Your comments must not be more than 15 pages long (49 CFR 553.21). NHTSA established this limit to encourage you to write your primary comments in a concise fashion. However, you may attach necessary additional documents to your comments. There is no limit on the length of the attachments. Please submit one copy (two copies if submitting by mail or hand delivery) of your comments, including the attachments, to the docket following the instructions given above under ADDRESSES. Please note, if you are submitting comments electronically as a PDF (Adobe) file, we ask that the documents submitted be scanned using an Optical Character Recognition (OCR) process, thus allowing the agency to search and copy certain portions of your submissions. How do I submit confidential business information? If you wish to submit any information under a claim of confidentiality, you should submit three copies of your complete submission, including the information you claim to be confidential business information, to the Office of the Chief Counsel, NHTSA, at the address given above under FOR FURTHER INFORMATION CONTACT. In addition, you may submit a copy (two copies if submitting by mail or hand delivery), from which you have deleted the claimed confidential business information, to the docket by one of the methods given above under ADDRESSES. When you send a comment containing information claimed to be confidential business information, you should include a cover letter setting forth the information specified in NHTSA's confidential business information regulation (49 CFR Part 512). Will the agency consider late comments? NHTSA will consider all comments received before the close of business on the comment closing date indicated above under DATES. To the extent possible, the agency will also consider comments received after that date. How can I read the comments submitted by other people? You may read the comments received at the address given above under Comments. The hours of the docket are indicated above in the same location. You may also see the comments on the Internet, identified by the docket number at the heading of this notice, at http://www.regulations.gov. Please note that, even after the comment closing date, NHTSA will continue to file relevant information in the docket as it becomes available. Further, some people may submit late comments. Accordingly, the agency recommends that you periodically check the docket for new material. Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT's complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477-78) or you may visit http://www.dot.gov/privacy.html. Authority: Sec. 31402, Pub. L. 112-141. Issued in Washington, DC under authority delegated in 49 CFR part 1.95. Nathaniel Beuse, Associate Administrator for Vehicle Safety Research. [FR Doc. 2014-23805 Filed 10-6-14; 8:45 am] BILLING CODE 4910-59-P