NHTSA Requests Public Comment Regarding Safety-Related Defects and Emerging Automotive Technologies
On Friday, April 1, 2016, the Federal Register published the National Highway Traffic Safety Administration's ("NHTSA") request for public comments on NHTSA's Enforcement Guidance Bulletin for "Safety-Related Defects and Emerging Automotive Technologies" ("Bulletin").
In its Bulletin, NHTSA acknowledges the undeniable fact that automotive technology is advancing at an unprecedented pace. While NHTSA's tempo may not be as fast, NHTSA again reminds the industry that its "broad enforcement authority" to investigate, penalize, and potentially mandate recalls involving these new and emerging technologies is no different than its authority with respect to conventional motor vehicle components. Similarly, manufacturers have the same reporting and notification responsibilities with respect to safety-related defects in these technologies. NHTSA emphasizes that it "will exercise its enforcement authority to the fullest extent" when a manufacturer fails to act with respect to a safety-related failure or defect in one of these emerging technologies.
While the scope of NHTSA's authority is nothing new, Section III of the Bulletin, "Guidance and Recommended Best Practices: Safety-Related Defects, Unreasonable Risk, and Emerging Technologies," is perhaps of the most interest. In this section, NHTSA advises that to avoid violating the Safety Act, manufacturers are "strongly encouraged to take steps to proactively identify and resolve safety concerns before products are available for use on public roadways."
In the case of cybersecurity specifically, NHTSA again recommends the industry follow its recommendations as outlined in NHTSA's October 2014 publication, A Summary of Cybersecurity Best Practices. In its prior publication, NHTSA discussed and presented a review of cybersecurity "best practices" and lessons in the area of safety-critical electronic control systems. NHTSA previously developed a list of best practices by looking at sectors outside the automotive industry, including information technology and communications, industrial control systems and energy, and medical devices, to name a few.
While acknowledging that no industry has a silver bullet to protect against cybersecurity risks, NHTSA made certain observations from these industries in developing a "life-cycle" approach to addressing cybersecurity safety risks. As defined by NHTSA, a life-cycle approach would include "elements of assessment, design, implementation, and operations as well as an effective testing and certification program." As outlined in NHTSA's best practices, this would include, for example, development of a "simulator" in which the manufacturer or supplier would use "case scenarios and threat modeling on all systems, sub-systems, and devices, to test for safety risks, including cybersecurity vulnerabilities, at all steps in the manufacturing process, for the entire supply chain, to implement an effective risk mitigation plan."
In the Bulletin, NHTSA further encourages manufacturers to consider adopting this life-cycle approach when developing automated vehicles, new automotive technologies, safety compliance programs, and other related business practices. In the case of cybersecurity vulnerabilities, NHTSA announces that it will consider various factors in determining whether a particular vulnerability constitutes a safety-related defect, including: (1) the amount of time that has lapsed since the vulnerability was discovered; (2) the level of expertise needed to exploit the vulnerability; (3) whether the operation of the component or system is a matter of public knowledge or is confidential; (4) the "window of opportunity" to exploit the vulnerability; and (5) the complexity of the equipment needed to exploit the vulnerability. These factors will guide NHTSA in determining the overall probability of a malicious cybersecurity attack. While confirmed field events may increase the weight NHTSA places on the probability of an attack, NHTSA notes that an attack may be deemed probable even though no actual incidents have been documented or confirmed.
As the automotive industry continues to rapidly develop and implement new technologies in motor vehicles, NHTSA will continue to develop its own strategies and rules to respond to potential safety concerns posed by these technological advancements. In the meantime, NHTSA "recognizes that best practices vary depending on circumstances, and manufacturers remain free to choose the solution that best fits their needs and demands of automotive safety."
The deadline for submission of comments is May 2, 2016. Comments regarding the Bulletin may be submitted to Docket No. NHTSA-2016-0040 online or via mail, fax, or hand delivery.
Read the full text of the Bulletin.
Our firm has unique experience and insight regarding the issues addressed in this Bulletin. If you have questions or would like more information, please contact Bard Borkon or Tom Branigan.