Automotive Cybersecurity Regulations, Standards,
and Best-practices

The United Nations Economic Commission for Europe is under the jurisdiction of the United Nations Economic and Social Council. It was established to promote economic cooperation and integration among its 56 member states. Within the UNECE lies the Inland Transport Committee (ITC), the UN platform to help efficiently address the global and regional needs for inland transport. One of the subsidiary bodies of the ITC is the WP.29, which was established on June 6, 1952, as the Working Party on the Construction of Vehicles. It renamed in 2000 as the World Forum for Harmonization of Vehicle Regulations (WP.29).

The objective of the WP.29 is to initiate and pursue actions aimed at the worldwide harmonization or development of technical regulations for vehicles and to develop regulations that are intended to improve vehicle safety, protect the environment, promote energy efficiency, and increase anti-theft performance.

In response to the growing prevalence of connected vehicles, the ITC recognized the importance of WP.29 activities related to automated, autonomous and connected vehicles at a session in February 2018. They requested that the WP.29 consider establishing a dedicated subsidiary working party specifically focused on connected vehicles. In June 2018, following this request, WP.29 decided to convert the Working Party on Brakes and Running Gear (GRRF) into the new Working Party on Automated/Autonomous and Connected Vehicles (GRVA).

Additional background information can be found here.

As of June 25, 2020, two new UNECE regulations had been adopted. The first regulation focuses on uniform provisions on the approval of cybersecurity and cybersecurity management systems (CSMS) in vehicles. The second regulation is on vehicle software update processes and software update management systems (SUMS), commonly known as “Over-the-Air” (OTA) updates.

The CSMS regulation is the focus of subsequent FAQs.

WP.29 CSMS is intended to minimize vehicle cyber risk. It, therefore, provides a comprehensive approach to automotive cybersecurity, based on the following key principles:

1. An organizational framework and minimal cybersecurity requirements that impact all automotive players along the value chain.
2. The responsibility for cybersecurity certification is on the OEM.
3. Best practices must be incorporated into the design of vehicles.
4. OEMs must provide reasoned arguments as to the cybersecurity of their vehicles.
5. The cybersecurity of vehicles must be maintained continuously throughout all stages of the vehicle’s lifecycle including post-production

Additionally, the regulation offers a non-conclusive list of cyber threats and corresponding mitigations.

It is highly focused on processes and governance, however, it doesn’t include an explicit definition of how the regulatory requirements can be met nor does it mandate detailed technical measures.

This was done intentionally, to provide OEMs flexibility to decide how to ensure the cybersecurity of their vehicles. It is expected that, through the use of relevant standards (such as the ISO/SAE 21434) and by implementing appropriate measures, OEMs should be able to demonstrate how the principles of the regulation are met.

The regulation applies to vehicles within the M and N categories (vehicles with at least 4 wheels), the O category (if fitted with at least one electronic control unit) and vehicles in categories L6 and L7 that are equipped with autonomous driving functions beyond level 3.

It is expected that the regulations will be finalized and published in early 2021. It will apply to the 54 member states (which excludes the US and Canada).

Albania, Armenia, Australia, Austria, Azerbaijan, Belarus, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Czechia, Denmark, Egypt, Estonia, European Union, Finland, France, Georgia, Germany, Greece, Hungary, Italy, Japan, Kazakhstan, Latvia, Lithuania, Luxembourg, Malaysia, Montenegro, Netherlands, New Zealand, Nigeria, North Macedonia, Norway, Pakistan, Poland, Portugal, Republic of Korea, Republic of Moldova, Romania, Russian Federation, San Marino, Serbia, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, Tunisia, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland.

The regulation clearly indicates that the responsibility to prove that effective cybersecurity methods and processes were used, lies with the OEM; the OEM is responsible for ensuring cybersecurity processes are in place throughout the supply chain. 

OEMs that do not comply with the regulations (once adopted by member countries) will not get type approval. They will face trade barriers and other complications that will impact the bottom line. Vehicle manufacturers that do acquire the necessary certification will get type approval, be able to sell their vehicles in the countries that adopted the regulation and can brand their companies as secure so that they can build mutual trust with their customers. 

Tier-1 and Tier-2 suppliers are not required to have their own compliance certificate, but those that do not provide evidence to the OEM that they implemented all the necessary cybersecurity measures (thus not allowing the OEM to be certified) will most likely be cut off by the OEM and lose business.

In that context, it’s important to remember that the regulation clearly demands cybersecurity measures throughout the lifecycle of the vehicle, which includes the development, production and post-production phases.

While the OEM can ensure cybersecurity measures are in place during the production phase, it must rely on its suppliers to provide cybersecurity measures during the development phase (of all the components, chips, parts, etc.) of the vehicle as well as the post-production phase e.g. for services such as OTA updates, smart services related to the connected car (remote unlock door or engine start), access control for software, and more.

The UN regulation on cybersecurity does not affect type approvals granted prior to the regulation’s entry into force in a given country (i.e. not when it comes into force as a United Nations regulation). It also does not affect vehicles already on the road.

If a vehicle “facelift” includes the changing or replacement of a system(s) that could potentially affect the cybersecurity of the vehicle (e.g. infotainment, telematics), the vehicle manufacturer may be required to obtain a new whole vehicle type approval (WVTA) and /or an “extension” of the current WVTA held for the vehicle.

1. The OEM implements an effective and regulatory compliant CSMS.
2. The OEM submits an application for a Certificate of Compliance for CSMS to an Approval Authority or its Technical Service.
3. The CSMS is then assessed by the Approval Authority or Technical Service
4. The OEM signs a declaration of compliance.
5. The OEM is issued a CSMS certificate of compliance valid for 3 years (after which a renewal is needed).
6. The OEM develops vehicle architecture with CSMS involved.
7. The individual vehicle type is assessed by the Approval Authority or Technical Service.
8. Vehicle Type Certification is issued.

According to a UNECE press release of June 25, 2020, Japan has indicated that it plans to apply these regulations upon entry into force (estimated in late 2021 or beginning 2022).

The Republic of Korea has adopted a stepwise approach, introducing the provisions of the regulation on Cybersecurity in a national guideline in the first half of 2020, and proceeding with the implementation of the regulation in a second step.

In the European Union, the new regulation on cybersecurity will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024.

It can be found here.

The first six sections of the WP.29 regulation highlight the scope of the regulation (Section 1), defines the terms used in the regulation (Section 2), and elaborates on the application, markings, processes, and certifications related to formal regulatory approval (Sections 3-6). The regulation also includes details on how to approach vehicle modifications (Section 8), demands regarding production conformity and updates regarding continuity (Sections 9-11), and the method by which OEMs need to communicate their approval process with the UN Secretariat (Section 12).

The primary requirements of the regulation are largely discussed in Section 7, titled “Specifications” covering the Cyber Security Management System and Vehicle Type Approval:

1. Cyber Security Management Systems (CSMS) include cybersecurity requirements for an OEM’s organizational structure, processes, and governance. CSMS certification demands evidence from the OEM, including test reports and threat modeling, to prove that due diligence was performed in ensuring cybersecurity throughout the lifecycle of the vehicle.
2. Vehicle Type approval involves testing the vehicle and certifying that the design of vehicle architecture, the risk assessment procedures, and the implementation of cybersecurity controls were executed correctly. In this approval process, an authority tests an individual type of vehicle to check if the cybersecurity measures were actually implemented.

In accordance with its aim to be practical and non-theoretical, in Annex 5, the regulation clearly stipulates that for both CSMS and Vehicle Type approvals, the OEM must take cyber threats, vulnerabilities, and related mitigations into consideration when implementing risk assessments and threat analysis. Many (but not all) of these risks and correlating mitigations are listed in three parts (A, B, and C) in Annex 5.

The main principles involved in CSMS approval demand:

1. Lifecycle Implementation: Vehicle manufacturers must methodically implement cybersecurity measures at each stage of the vehicle lifecycle: development, production, and post-production phases.
2. Risk Assessment and Management: Security must be adequately considered in all OEM processes including the identification of risk (including the specific risks highlighted in Annex 5), assessment and treatment of risk, the effectiveness of cybersecurity measures, and the treatment of data gathered about cyber-attacks.
3. Cyber Threat and Attack Process: OEMs must have in place a process for effective monitoring, detection, and response to cyberattacks, cyber threats, and security vulnerabilities.
4. Timeliness: The processes used to manage cybersecurity must allow for timely response and mitigation of cyber-threats and vulnerabilities.
5. Data and Telematics Usage: Risk assessment and management must be continuously carried out to ensure that the OEM has the capacity to analyze and detect cyber threats, vulnerabilities, and cyber-attacks from vehicle data and vehicle telematics logs.
6. Supply Chain Management: The OEM must manage all the risks associated with contracted Tier 1 and Tier 2 suppliers, service providers, and/or sub-organizations.

The main principles involved in Vehicle Type approval demand:

1. Application of CSMS: The OEM must prove that proper CSMS was applied to the specific vehicle type.
2. Tier 1 and 2 Supplier Management: It is the OEMs responsibility to identify and manage any risks related to its Tier 1, 2, or other suppliers.
3. TARA: An in-depth TARA (Threat Analysis and Risk Assessment) process must take place for every vehicle type, and include an assessment of the interactions the vehicle will have with external systems. Many of these threats are listed in the regulations Annex 5. Additionally, it is not enough for an OEM to assess the threat, rather it must also find appropriate and proportionate mitigations (which are also highlighted in Annex 5).
4. Threat Reporting: The OEM must provide periodic reports covering detected attacks and new threats.
5. Aftermarket Responsibility: The OEM must build measures to secure the vehicle with regards to aftermarket software, services, applications, or data.
6. Data and Telematics Usage: The OEM must have the ability to analyze the specific vehicle data related to attempted or successful cyber-attacks.

To help OEMs and their suppliers understand and assess the risks associated with connected vehicles, Annex 5 of the regulation lists 69 different attack routes due to 7 different cyber threats and vulnerabilities. To aid in the management of said risks, the regulation also offers 23 cybersecurity mitigations with the potential to secure a vehicle, its components, and back-end servers against these threats. It is important to note that while the list of threats, vulnerabilities, and mitigations is extensive, the regulation is quick to point out that it is not exhaustive.

The regulation includes detailed descriptions and examples of threats, and even goes as far as to offer specific examples of potential attack methods. The threats listed are divided into the following 7 categories: back-end servers, vehicle communication channels, vehicle update procedures, unintended human actions, external connectivity and connections, vehicle data/code, and other vulnerabilities.

Although WP.29 does not mention the ISO/SAE 21434 standard, it is understood that if an OEM and its supply chain can demonstrate compliance against this standard framework, then that compliance can be used to demonstrate compliance with the WP.29 regulation. 

You can find a mapping between the WP.29 CSMS requirements and the ISO/SAE 21434 standard here.

As an international automotive cybersecurity framework with explicit controls, ISO 21434 will likely be the framework most OEMs and Tier 1 suppliers align or certify to.

Cybellum enables OEMs and their suppliers to develop and maintain secure products, helping them navigate compliance with the UNECE WP.29 regulation and ISO/SAE 21434 standard. Our platform is the foundation for a CSMS covering everything from risk assessment and ongoing monitoring to documentation and readiness for auditing.

Cybellum is highly active in the area of standards, regulations and best practices, chairing the Israeli representation for the ISO/SAE 21434 standard committee, leading the taskforce responsible for the standard’ Use-case Annex and involved in other standardization efforts such as the upcoming ISO/WD PAS 5112 guidelines for auditing cybersecurity engineering, IAMTS study-group on cybersecurity and more.

Done reading? Schedule a free consultation with one of our experts.

This new standard is designed to help the automotive industry define a structured process to ensure cybersecurity is incorporated into the design of road vehicles, including systems, components software, and connections to any external device or network.

The standard specifies the cybersecurity risk management requirements for the design, development, production, operation, maintenance, and decommissioning of road vehicle electrical and electronic (E/E) systems.

The ISO/SAE 21434 Standard is a result of the efforts of a joint working group of more than 100 experts from 14 nations and 82 industry organizations across public, private, and government sectors, representing the SAE Vehicle Cybersecurity Systems Engineering Committee and the ISO Technical Committee 22, Sub-committee 32, Working Group 11.

Using four main working groups focusing on risk management; product development; production, operation, maintenance, and decommissioning and process overview, the ISO/SAE 21434 draft was born.

The standard was released as a draft on 12th February 2020, and its development and final release is expected at the beginning of 2021.

You can find it on the ISO or SAE websites.

SAE International and ISO had previously worked on automotive safety and security related standards on their own:

• ISO 26262 had set functional safety standards and this new cybersecurity standard echoes its structure by covering the complete vehicle engineering cycle (from design through development to validation and maintenance).
• SAE J3061 was developed by SAE in 2016 to set the foundation for cybersecurity standards. The new ISO/SAE 21434 standard can be viewed as a much more extensive and up-to-date evolution of that standard.

The first four clauses of the standard highlight the scope (Clause 1), references (Clause 2), definitions (Clause 3), and general considerations (Clause 4) of the standard.

The bulk of the standard requirements are covered in Clauses 5-14, where:

• Clauses 5 and 6 focus on the management of cybersecurity and include the implementation of organizational cybersecurity policies, rules, and processes for overall cybersecurity management and for project-dependent cybersecurity management (similar and relevant to the WP.29 CSMS regulation).
• Clause 7, titled “Continuous Cybersecurity Activities” defines activities that provide information for ongoing risk assessments and vulnerability management of vehicles.
• Clause 8 titled “Risk Assessment Methods” defines methods to determine the extent of the cybersecurity risk.
• Clauses 9-14 cover the requirements throughout the full lifecycle of a vehicle, with the “Concept Phase” (Clause 9) “Product Development Phases” (Clauses 10 and 11), and the “Post-Development Phases” (Clauses 12-14).
• In Clause 15, titled “Distributed Activities”, the standard details the requirements for supplier management, and defines the interactions, dependencies, and responsibilities between customers (OEMs) and suppliers (Tier 1 and 2s) for cybersecurity activities.

The standard also includes 10 Annexes (A-J) which, like the standard explains, “The annexures in this document are all informative and used to provide additional information to the main body of the document for several reasons, for example:

• When the information or table is very long;
• To set apart special types of information;
• To present information regarding a particular application of the document.

According to Clause 4 titled “General Considerations”, the standard is limited to cybersecurity relevant items and components inside or on the vehicle perimeter including aftermarket and service parts.

Systems outside the vehicle perimeter can be considered for cybersecurity purposes but are not in the scope of the standard. The following are examples of what can be considered for the vehicle level as a whole:

1. The vehicle E/E architecture
2. The cybersecurity cases of the cybersecurity relevant items and components

ISO/SAE 21434, in draft form as of May 2020, is a baseline for vehicle manufacturers and suppliers to ensure that cybersecurity risks are managed efficiently and effectively. The standard was specifically developed to ensure the safety and security of the ultimate road-user/driver, and as such, the determinant levels of risk and corresponding cybersecurity measures are set based on the final impact on the driver.

It provides a standardized cybersecurity framework, establishes cybersecurity as an integral element of engineering throughout the lifecycle of a vehicle from the conceptual phase all the way through decommissioning, ensures that cybersecurity is considered in post-production processes (software updates, service and maintenance, incident response, etc.), and calls for effective methods of lessons learned, training, and communication-related to automotive cybersecurity.

More specifically, the scope of the standard includes:

1. Specific requirements for cybersecurity risk management
2. A cybersecurity process framework
3. Common language to help manufacturers and organizations communicate their cybersecurity risk

ISO/SAE 21434 does not dictate specific cybersecurity technologies or solutions, mandates around remediation methods, or cybersecurity requirements for telecommunications systems, connected backend-servers, EV chargers, or autonomous vehicles.

Instead, the standard heavily emphasizes risk identification methods and established processes to address the cyber-risks. Accordingly, if a compromised backend-server, charger, or autonomous vehicle leads to a direct risk to the road-user, it must be monitored, controlled, and mitigated.

This provides OEMs and their suppliers flexibility in implementing the technologies and solutions needed to adhere to the standard.

The standard requires OEMs and their suppliers to analyze new and emerging threats and risks throughout a vehicle’s lifecycle to determine the extent to which a road user/driver could be impacted by a threat scenario. This general process of threat analysis and risk assessment is called “TARA”.

The standard’s methods for effective risk assessment (TARA) include:

• Asset Identification – Know what could be harmed.
• Threat Scenario Identification – Know how the assets could be harmed.
• Threat Impact Analysis and Rating – Estimate the damage the threat could cause.
• Attack Path Analysis – which actions (in isolation or linked) could lead to a threat.
• Attack Feasibility Analysis and Rating – what’s the likelihood of the damage/harm occurring.
• Risk Determination – how high is the risk caused by the threat.
• Risk Treatment Decision: how would you treat the specific risk.

ISO-SAE explains that the methods/”modules” listed are not connected to a particular phase of the vehicle’s lifecycle and can be used in the order most appropriate for the OEM.

Clause 15 of the standard focuses on “distributed cybersecurity activities” and discusses the cybersecurity relationships between OEMs and Tier 1 and 2 suppliers.

An OEM is responsible for ensuring that their suppliers implement methods to ensure their products and components are cybersecure. There are three main strategies to develop a successful supplier-OEM relationship:

1) Evaluate: (Clause 15.4.1) “Demonstration and Evaluation of Supplier Capability”

• As part of the supplier assessment and evaluation by the OEM, the supplier should supply a “Cybersecurity Record of Capability” which includes
• • Evidence of their capabilities regarding cybersecurity
  • Evidence of continuous cybersecurity activities
  • A summary of previous cybersecurity assessments
  • Organizational audit results
  • Evidence of an information security management system
  • Evidence of the organization’s management systems

2) Confirm: (Clause 15.4.2) “Request for Quotation”

• When an OEM purchases supplies and components from Tier-1 or Tier-2 suppliers, they should include in their quote:
• • A formal request that the supplier will comply with the standard
  • A list of the expectations of the cybersecurity responsibilities to be undertaken by the supplier
  • Details of the the cybersecurity goals or the set of relevant cybersecurity requirements for the supplier

3) Align: (Clause 15.4.3) “Alignment of Responsibilities”

• The OEM and supplier must agree on the division and alignment of responsibility, through a process called CIAD “cybersecurity interface agreement for development”. The CIAD division of responsibility includes agreements on:
• • OEM and suppliers’ points of contact regarding cybersecurity
  • A joint tailoring of the cybersecurity activities
  • The identification of the cybersecurity activities that are to be performed by the OEM and by the supplier
• The OEM and the suppliers should build the CIAD division of cybersecurity responsibilities using the RASIC model. Mentioned in Annex C of the standard and stands for:
• • R (responsible): The organization that is responsible for getting the activity done
  • A (approval): The organization that has the authority to approve or deny the activity once it is complete
  • S (support): The organization that will help the organization responsible for the activity;
  • I (inform): The organization that is informed of the progress of the activity and any decisions being made; and
  • C (consult): The organization that offers advice or guidance but does not actively work on the activity.

Cybellum enables OEMs and their suppliers to develop and maintain secure products, helping them navigate compliance with the UNECE WP.29 regulation and ISO/SAE 21434 standard. Our platform is the foundation for a CSMS covering everything from risk assessment and ongoing monitoring to documentation and readiness for auditing.

Cybellum is highly active in the area of standards, regulations and best practices, chairing the Israeli representation for the ISO/SAE 21434 standard committee, leading the taskforce responsible for the standard’ Use-case Annex and involved in other standardization efforts such as the upcoming ISO/WD PAS 5112 guidelines for auditing cybersecurity engineering, IAMTS study-group on cybersecurity and more.

Done reading? Schedule a free consultation with one of our experts.