Tuesday, July 21, 2015 | Ann Arbor, Mich.
Jane, thank you for your introduction. The Volpe Center is an invaluable partner in so much that we do at NHTSA and DOT, and it’s great to share the stage with you today.
Thank you to TRB and AUVSI for the opportunity to speak with you today. When I joined NHTSA in January, I identified three priority areas for my two years on the job, and technology innovation was one of them. Working for Secretary Foxx at DOT, it couldn’t be any other way – the secretary is deeply committed to pursuing innovations that can transform every mode of transportation. Among the topics to discuss with you today is the secretary’s commitment to connected automation for our roadways.
Before that discussion, I want to make sure that you’re aware of an item at the top of the secretary’s agenda, and indeed President Obama’s. Politics and engineering don’t always mix, but we’re in a situation now where what happens in Washington – and what doesn’t happen – will have a direct effect on what happens in your labs, on your test tracks, and on your factory floors.
As many of you know, authorization for transportation programs, including many critical NHTSA programs, expires at the end of this month. That’s when the clock runs out on a temporary extension – one of more than 30 that Congress has passed since the last reauthorization bill expired. This series of temporary solutions has left our transportation system starved for investment.
Secretary Foxx has proposed a common-sense solution, the GROW AMERICA Act, which would make major new investments in transportation, including innovation that can transform our highways and make them safer. For all of us who care about building a transportation system that embraces innovation, one that creates jobs and opportunity, the next few weeks look to be crucial, and I hope you will all remain vigilant and involved in this important debate.
If there is support for making the right investments, we can open the door to a revolutionary era on our roads. Many of you are helping spur that revolution. A suite of related innovations – vehicle-to-vehicle and vehicle-to-infrastructure communications, and automation that relies on advanced sensors and sophisticated computer systems – are opening new opportunities to save lives. For nearly a century, vehicle safety has been about protecting vehicle occupants from the inevitable crashes they would endure. Today, we are moving toward a fundamentally different goal – preventing those crashes from ever occurring. From the start, motorists have had to accept the risk of death or injury as the cost of mobility. Now, we’re poised to massively reduce that risk.
NHTSA and the Department of Transportation are not spectators in this revolution. For a department whose top priority is safety, and for an agency whose primary mission is highway safety, that is not an option. Our responsibility is to ensure that these innovations achieve their life-saving potential. That means ensuring that innovation is aimed squarely at safety, and that innovations with safety potential make it onto the road rapidly and are widely distributed. NHTSA, the Intelligent Transportation Systems Joint Program Office under the secretary, the Federal Highway Administration and other elements of DOT are working together, under the secretary’s leadership, toward that goal.
In May, Secretary Foxx made an announcement that underlined our commitment to these innovations. Let’s spend a few minutes on that announcement, because it’s important for you to know just how strongly DOT and NHTSA are committed to these innovations and our role in helping them reach their potential.
Speaking in Silicon Valley, Secretary Foxx announced three significant policy initiatives. First, he announced that NHTSA would accelerate its rulemaking process on V2V communications. Our goal to complete DOT’s work on a Notice of Proposed Rulemaking to require V2V equipment in new vehicles is now to have a proposal ready for interagency review by the end of the year. Second, he committed DOT to completing initial testing on potential sharing of the radio spectrum set aside for V2V and other safety-critical road communications within one year of receiving production-ready devices to test. And the secretary directed us at NHTSA to examine our regulatory framework and determine if there were any obstacles to safety innovations, and if so, how to tackle them.
Now, accelerating the calendar for the V2V proposal by a few months may not sound like a big deal. But it means long nights and days for our rulemaking team and technical experts. We believe the hard work is justified, because moving up our timetable is an unmistakable statement of our commitment to V2V.
That’s especially important because of the second issue the secretary addressed, testing for potential spectrum sharing and interference with V2V radio signals. As you know, many in Washington would like to use some of the radio spectrum now designated for critical safety communications. We need to ensure that sharing that spectrum can take place without blocking safety-critical signals, and the secretary’s announcement was aimed at answering that critical question as soon as possible. To be clear: the department is not opposed to the concept of sharing. We simply need to make sure – through verifiable testing – that sharing works. We can save lives with a clear signal, and we’re determined to do the hard technical work to make sure that signal gets through.
The third topic the secretary addressed is our regulatory framework. Unfortunately, much of the conversation about vehicle automation seems to focus on whether government regulations are likely to get in the way. NHTSA is not interested in erecting roadblocks to safety innovations – we want to encourage those innovations. In response to the secretary’s directive, a NHTSA team from across the agency is looking at how we can best speed these innovations; what changes might be necessary in our policies and regulations to make them more flexible and nimble; and whether there are any obstacles that we need help from Congress to clear. This team includes technology experts as well as attorneys, safety defect experts, behavioral safety experts and communications professionals. Just a few days ago, they briefed me on their progress, and I am very encouraged by their work so far.
It’s important to note the principle Secretary Foxx articulated here: If an innovation is demonstrated to improve safety, we want to help make it happen. The safety aspect here is essential. I would encourage all of you, in your discussions with NHTSA on how the agency can encourage innovation: put safety first, and bring the data.
Our work to promote safety innovation is important because with all of the challenges in developing and fielding these technologies, government should not be another obstacle. The job is hard enough. Designing, engineering, testing and validating these systems is a significant technical challenge. And as this conference’s program acknowledges, the issues aren’t just technical. They’re legal and ethical.
While those challenges are not simple or easy, they can be overcome with time, skill and a cooperative spirit. But we also must recognize that connected automation isn’t just about accounting for human nature when the human is in the driver’s seat.
For these innovations to reach their true potential, we’ve got to account for, well, us – people, with all our failings and foibles. We will need to help folks who can’t tell a lidar from a coffee maker understand how these innovations work, and how they will make us all safer, so that the public embraces them. We’ve got to develop human-machine interfaces that don’t require drivers to develop astronaut-like skills of interpretation for all the beeps, tones, buzzes and warnings that come their way.
And there’s one more human challenge we face: the bad-actor threat. Whether for profit or out of sheer malicious intent, we know these systems will become targets for bad actors. They are a threat to safety, to privacy, and to public acceptance of connected automation. We must reassure vehicle owners that their data is secure, that their vehicle is secure, and that we are looking out for threats from hackers, thieves, and anyone else who might seek to tamper with safety-critical technology.
Cyber-security and privacy must be high-priority items for industry and for NHTSA. And two recent events highlight just how seriously we are, together, taking this challenge.
The first is NHTSA’s release, today, of our latest in a series of continuing public documents outlining our privacy and cybersecurity efforts and the major obstacles to success in these areas. Our paper outlines the wide range of NHTSA’s work in this area. It details how NHTSA has reorganized its vehicle safety research operation to meet the cybersecurity challenge; our work with the most effective security experts in the business to design, implement and test a security system for V2V transmissions; and our assessment of the various threat vectors that could endanger vehicle security and privacy, and how we’re working to defeat those threats.
This paper is in part a response to questions we’ve received from Congress and the media on these topics. Lots of people are aware that these challenges exist, but as those questions showed, few people were aware of what NHTSA is doing to protect safety-critical systems. When a TV news show hacks a car, that’s not news to NHTSA. The folks at our Vehicle Research and Test Center have figured out how to do some remarkable things with vehicle electronics, in order to prevent others from doing them. NHTSA not only is aware of these threats, but we’re working to defeat them. We want Americans to know we’re on this, because robust protections against malicious actors are absolutely critical in building public enthusiasm for connected automation. V2V and high-powered computers can’t save lives if American drivers don’t trust that they’re secure.
Another significant development is the announcement last week that major automakers will form an Information Sharing and Analysis Center to team up against cybersecurity threats. NHTSA has been urging the industry to form an ISAC for some time, and the agency sees this announcement as a milestone in cybersecurity efforts. ISACs serve as clearinghouses for information on the latest cyber threats, and can help coordinate security efforts, both before an incident occurs and in the midst of a crisis. The finance, aviation and utility industries all have established ISACs to help protect their critical infrastructure. Well, the infrastructure of connected automation is just as critical. Establishing an ISAC is an essential element in protecting that critical infrastructure, and it demonstrates the industry’s commitment to that task. Last week’s announcement is a great first step, and I urge the involved companies and organizations to press forward as quickly as they can to make their ISAC operational.
In closing, let me connect that joint industry effort to the broader world of vehicle safety, and offer two challenges to all of you.
Certainly, you have all heard about the Takata air bag problem. It is obviously a major focus for us at NHTSA, and within the industry. A couple months ago I met with representatives of the industry consortium that is searching for the elusive root cause of these air bag inflator ruptures. As these executives sat down in my office, I asked, “How often does the industry band together to confront a safety issue like this?” After a few shrugs, their answer was, “It’s never happened before. We’ve never done this.”
That has to change. The auto industry will always be a competitive business. But safety isn’t a competitive edge to tout in TV commercials – you never see a star rating on the side of an airliner when you board. Safety is a shared responsibility. The more we break down barriers to cooperation and information sharing when it comes to safety, the more lives we will save. The decision to form an ISAC has already demonstrated that the industry is capable of joining together when it comes to safety. Connected automation presents an enormous opportunity to approach safety in a different way. A more cooperative, proactive way. The people in this room – the community of people who are excited about the potential of connected vehicles and automation – can help establish that mindset.
The second challenge I’ll offer is also prompted by the Takata situation. Air bags are designed to save lives. And they do – 40,000 Americans have survived crashes that otherwise would have been fatal because an air bag protected them from harm. But these defective inflators are taking lives instead of saving them. For those of us dedicated to life-saving innovation, it’s a painful irony.
It’s also a warning. When it comes to safety-critical technologies, “good enough” just won’t cut it. From design to engineering to production and execution, quality and durability must be exceptionally high. We all know that drivers are the largest source of crash risk on our roads. But, when we design automated systems to reduce the risk of human error, we’re taking the steering wheel out of the hands of the vehicle operator, and putting it into the hands of all the engineers, designers and software coders who put those systems together. That is a serious responsibility. I urge you to embrace it, to respect it, and to hold yourselves and your companies to the highest possible safety standards.
The future is filled with tremendous potential to significantly enhance transportation safety through technology innovation. Working together, we will see that potential transformed into lives saved and injuries prevented on our roads.
In 2013, 32,719 people died on the Nation's roadways. Sadly, NHTSA estimates 94 percent of highway crashes are a result of human error. Today's electronics, sensors, and computing power enable the deployment of safety technologies, such as forward-collision warning, automatic-emergency braking, and vehicle-to-vehicle technologies, which can keep drivers from crashing in the first place. Given the potential of these innovations, NHTSA is looking at all of our tools, as well as exploring new ones, that can be used to deploy these technologies in safe and effective ways, taking steps to address the new challenges they pose — particularly with respect to cybersecurity.
Many people are familiar with the concept of cybersecurity. Over the last few decades, our lives have been revolutionized by the rapid connectivity made possible by computers, the Internet, satellites and other technologies. As these systems became integral to our daily lives, so too did the potential for attacks to those same systems. Cybersecurity rose out of necessity to protect these vital systems and the information contained within them. Applied to vehicles, cybersecurity takes on an even more important role: systems and components that govern safety must be protected from malicious attacks, unauthorized access, damage, or anything else that might interfere with safety functions.
For these reasons, vehicle cybersecurity was never an afterthought for NHTSA. In exploring the potential of connected vehicles and other advanced technologies, NHTSA remained aware that cybersecurity would be essential to the public acceptance of vehicle systems and to the safety technology they governed.
To ensure a robust cybersecurity environment for these dynamic new technologies, NHTSA modified its organizational structure, developed vital partnerships, adopted a layered research approach, considered legislative additions, and encouraged members of the industry to take independent steps to help improve the cybersecurity posture of vehicles in the United States. NHTSA's goal is to be ahead of potential vehicle cybersecurity challenges, and to seek ways to address or avoid them altogether.
What Is NHTSA Doing?
In 2012, NHTSA modified its research organization to focus on vehicle electronics, including cybersecurity. NHTSA established a new division, Electronic Systems Safety Research, to conduct research on the safety, security, and reliability of complex, interconnected, electronic vehicle systems. More recently, NHTSA expanded its research and testing capabilities in vehicle electronics at the Vehicle Research and Test Center in East Liberty, Ohio. Together, these entities execute research programs in three main areas:
- electronics reliability (including functional safety)
- automotive cybersecurity
- automated vehicles
They are responsible for evaluating, testing, and monitoring potential automotive cyber vulnerabilities, and for leading the agency's research of highly automated vehicles.
NHTSA also established an internal agency working group, the Electronics Council. This council is responsible for collaborating more broadly on issues related to vehicle electronics, including cybersecurity, across the entire NHTSA organization with particular focus on the Research, Rulemaking, Data, Enforcement, and Chief Counsel offices.
NHTSA’s Research Approach
To help develop a comprehensive approach to address cybersecurity challenges in automobiles, NHTSA consulted other government agencies, vehicle manufacturers, suppliers, and the public. The approach covers various safety-critical applications deployed on current vehicles, as well as those envisioned for future vehicles that may feature more advanced forms of automation and connectivity. The Agency's multilayered approach to cybersecurity has the following goals:
- Expand the knowledge base to establish comprehensive research plans for automotive cybersecurity and develop enabling tools for applied research in this area;
- Facilitate the implementation of effective, industry-based best practices and voluntary standards for cybersecurity and cybersecurity information-sharing forums;
- Foster the development of new system solutions for automotive cybersecurity;
- Research the feasibility of developing minimum performance requirements for automotive cybersecurity; and
- Gather foundational research data and facts to inform potential future Federal policy and regulatory activities.
In October 2014, NHTSA published four cybersecurity reports that describe the agency’s initial work to support the goals outlined in its Automotive Cybersecurity Research Program.
- Assessment of the Information Sharing and Analysis Center Model
This report presented findings from an assessment of the ISAC model, and how ISACs are effectively implemented in other sectors. The report also explains how a new sector ISAC could be formed by leveraging existing ISAC models. This report was sent directly to the Association of Global Automakers and Alliance of Automobile Manufacturers to aid with their automotive ISAC activities.
- A Summary of Cybersecurity Best Practices
This report documented results from the analysis and review of best practices and observations across a variety of industries in the field of cybersecurity involving electronic control systems. It provides benchmarks for the agency and the industry.
- Characterization of Potential Security Threats in Modern Automobiles: A Composite Modeling Approach
This report described a composite modeling approach for potential cybersecurity threats in modern vehicles. Threat models, threat descriptions, and examples of various types of conceivable threats to automotive systems are included, along with a matrix containing a condensed version of the various potential attacks.
- National Institute of Standards and Technology (NIST) Cybersecurity Risk Management Framework Applied to Modern Vehicles
This report reviewed the NIST guidelines and foundational publications from an automotive cybersecurity risk management standpoint. The NIST approach is often used as a baseline to develop a more targeted risk management approach for use in specific industries and sectors.
As mentioned, NHTSA’s research program takes a layered approach to cybersecurity for automobiles. What this means is that we assume all entry points into the vehicle, such as Wi-Fi, infotainment, the OBD-II port, and other points of potential access to vehicle electronics, could be potentially vulnerable. This way, NHTSA focuses on solutions to harden the vehicle’s electrical architecture against potential attacks and to ensure vehicle systems take appropriate safe steps even when an attack may be successful. A layered approach to vehicle cybersecurity reduces the probability of attack and mitigates the potential ramifications of a successful intrusion.
At the vehicle level this approach includes the following four main areas:
- Protective/preventive measures and techniques: These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack.
- Real-time intrusion (hacking) detection measures: These measures continually monitor signatures of potential intrusions in the electronic system architecture.
- Real-time response methods: These measures mitigate the potential adverse effects of a successful hack, preserving the driver's ability to control the vehicle.
- Assessment of solutions: This involves methods such as information sharing and analysis of a hack by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders (such as through an ISAC). This layer ensures that once a potential vulnerability or a hacking technique is identified, information about the issue and potential solutions are quickly shared with other stakeholders.
NHTSA also has examined whether legislative provisions might further improve the cybersecurity posture of vehicles. The U.S. Department of Transportation (USDOT)'s GROW AMERICA legislative proposal includes liability for hackers, clarifying authority for the agency to issue process rules or guidelines for the safe development of new systems, and imminent hazard authority that would enable swift action to protect the public from cybersecurity vulnerabilities and other safety threats. We believe the legislative proposals contained in GROW AMERICA will allow the agency to stay ahead of cybersecurity challenges.
Who Is NHTSA Working With?
NHTSA maintains significant interactions with vehicle manufacturers, other government agencies, automotive suppliers, and the security research community regarding potential cyber threats and vulnerabilities. Some interactions involve the security community conducting research on behalf of the agency while other interactions are information exchanges.
Engagement With the Automotive Industry
On July 14, 2014, NHTSA challenged the automotive industry to form an Information Sharing and Analysis Center (ISAC) to help the industry proactively and uniformly address cybersecurity threats. ISACs were created as a result of Presidential Decision Directive 63, which sought ways for public and private sector partners to share information about physical and cyber threats to critical infrastructure. Today, ISACs are used in over a dozen critical infrastructure areas, such as surface transportation, finance, and energy. NHTSA believes an automotive industry ISAC is a critical piece of vehicle cybersecurity infrastructure, as manufacturers and suppliers are in the best position to identify weaknesses in their own products. As vehicle cybersecurity and the role of an automotive ISAC mature, identification of those weaknesses can be made during the engineering phases, so they can be corrected earlier in the process. The auto industry announced the formation of an ISAC in July of 2015.
Below are a few examples of NHTSA’s partnerships on cybersecurity issues.
- NHTSA holds detailed meetings with technical leads at OEMs and Tier 1 suppliers regarding their cybersecurity initiatives, processes, risk assessment and product/process plans to design security into their products.
- NHTSA meets with suppliers in the aviation, space, and defense industries to learn about their approaches to secure design for safety-critical embedded control systems, as well as evolutions that transpired in those industries over time.
- NHTSA is a regular participant in various widely attended security conferences and events, such as DefCon; Blackhat; Embedded Security in Cars (ESCAR); the Defense Advanced Research Projects Agency (DARPA)'s High Assurance Cyber Military Systems (HACMS) and National Science Foundation (NSF)'s Principal Investigators conferences; and the CyberAuto Challenge. NHTSA holds discussions with white-hat hackers who have demonstrated experience in this domain. In addition, NHTSA co-organizes the biannual Enhanced Safety of Vehicles conference and the annual SAE Government-Industry meetings, which address cybersecurity among other topics.
- NHTSA serves as a liaison to SAE International's Vehicle Electrical Security System committee and participates in their meetings.
- NHTSA works closely with other Federal organizations with interests in automotive cybersecurity. For instance, we have been interacting with DARPA and their HACMS program leaders and are pursuing a research project to develop a secure reference parser for Vehicle-to-Vehicle (V2V) communication interfaces based on DARPA's extensive research and experience in this area. We also collaborate with the U.S. Department of Homeland Security (DHS), NIST, and the U.S. Army Tank Automotive Research, Development, and Engineering Center (TARDEC) in different capacities to leverage synergies, avoid redundant emphasis, and share knowledge and expertise.
V2V & V2I Communications and Security Infrastructure
For the past several years, USDOT, NHTSA, vehicle manufacturers, automotive suppliers, security experts, and other government agencies have been developing Dedicated Short Range Communications (DSRC) radio technology and the associated architecture and protocols to support trusted vehicle-to-vehicle and vehicle-to-infrastructure communications. We are finalizing the architecture and have research plans to conduct full-scale vulnerability testing and to address any security issues that emerge from that testing. In addition, as NHTSA pursues its regulatory efforts, the agency will propose and seek comments on various aspects of the architecture including the protocols that will ensure interoperability and security.
NHTSA and its partners are developing a Public Key Infrastructure (PKI) based system, termed the “Security Credential Management System” (SCMS), for ensuring trusted and secure V2V and V2I communications. PKI security architectures and methodologies are already used extensively in the auto industry. The SCMS would employ highly innovative methods, encryption, and certificate management techniques to address the challenging task of ensuring trusted communications between entities that previously have not encountered each other—but also wish to remain anonymous (as is the case when vehicles/drivers encounter each other on the road). This is further detailed in NHTSA's publication, Vehicle to Vehicle Communications: Readiness of V2V Technology for Application.
In addition, USDOT and NHTSA will adhere to the fullest extent possible to industry consensus standards applicable to V2V and V2I DSRC-based communications. These include the Institute of Electrical and Electronics Engineers (IEEE) P1609 and 802.11p standards that cover communication protocols, as well as SAE International standards that address communications performance, applications, and data coding requirements.
USDOT also intends to work with DARPA to identify potentially unique cyber vulnerabilities associated with establishing a standardized wireless link with motor vehicles, and develop countermeasures and solutions for such vulnerabilities.
No single approach is sufficient because in the cybersecurity realm, those involved must keep moving, adapting, and improving. To that end, NHTSA will continue to explore numerous approaches, including internal research, independent testing, analysis conducted by the agency, and communication. NHTSA cannot do this alone, but neither can vehicle manufacturers or suppliers. Our efforts will need to be collective, collaborative, and complete.
As Secretary Foxx said on May 13, 2015, "The Department wants to speed the Nation toward an era when vehicle safety is not just about surviving crashes; it is about avoiding them. Connected, automated vehicles that can sense the environment around them and communicate with other vehicles and with infrastructure have the potential to revolutionize road safety and save thousands of lives." To do this, cybersecurity must be an integral part of vehicle engineering, manufacturing, and enforcement. NHTSA already is laying the groundwork needed for the road ahead, and looks forward to working with Congress, manufacturers, suppliers, and the American public in our exciting transportation future.