Educational resources on automotive cybersecurity regulations and standards
SAE International and ISO Standard for automotive cybersecurity engineering
The European Union agency for cybersecurity good practices for the security of connected cars
Automotive Information Sharing and Analysis Center cybersecurity best practices
Key Practices in Cyber Supply Chain Risk Management
US National Highway Traffic Safety Administration cybersecurity best practices for the safety of modern vehicles
The United Nations Economic Commission for Europe (UNECE) is one of the regional commissions under the United Nations Economic and Social Council. It was established to promote economic cooperation and integration among its 56 member states. Within UNECE sits the Inland Transport Committee (ITC), the UN platform for addressing global and regional inland transport needs. One of the ITC's subsidiary bodies is WP.29, established on June 6, 1952, as the Working Party on the Construction of Vehicles and renamed in 2000 the World Forum for Harmonization of Vehicle Regulations (WP.29).
The objective of the WP.29 is to initiate and pursue actions aimed at the worldwide harmonization or development of technical regulations for vehicles and to develop regulations that are intended to improve vehicle safety, protect the environment, promote energy efficiency, and increase anti-theft performance.
In response to the growing prevalence of connected vehicles, at its February 2018 session the ITC recognized the importance of WP.29's activities on automated, autonomous and connected vehicles and asked WP.29 to consider establishing a dedicated subsidiary working party for them. In June 2018, following this request, WP.29 converted the Working Party on Brakes and Running Gear (GRRF) into the new Working Party on Automated/Autonomous and Connected Vehicles (GRVA).
As of June 25, 2020, WP.29 had adopted two new UNECE regulations. The first sets uniform provisions for the approval of vehicles with regard to cybersecurity and of their cybersecurity management systems (CSMS). The second covers vehicle software update processes and software update management systems (SUMS), including "over-the-air" (OTA) updates.
The CSMS regulation is the focus of subsequent FAQs.
WP.29 CSMS is intended to minimize vehicle cyber risk. It, therefore, provides a comprehensive approach to automotive cybersecurity, based on the following key principles:
Additionally, the regulation offers a non-exhaustive list of cyber threats and corresponding mitigations.
It is strongly focused on processes and governance; it does not, however, define explicitly how the regulatory requirements are to be met, nor does it mandate detailed technical measures.
This was done intentionally, to provide OEMs flexibility to decide how to ensure the cybersecurity of their vehicles. It is expected that, through the use of relevant standards (such as the ISO/SAE 21434) and by implementing appropriate measures, OEMs should be able to demonstrate how the principles of the regulation are met.
The regulation applies to vehicles in categories M and N (vehicles with at least four wheels), to category O vehicles if fitted with at least one electronic control unit, and to vehicles in categories L6 and L7 that are equipped with automated driving functionalities from level 3 onwards.
It is expected that the regulation will be finalized and published in early 2021. It will apply to the 54 contracting parties to the UNECE 1958 Agreement, listed below (the US and Canada are not among them):
Albania, Armenia, Australia, Austria, Azerbaijan, Belarus, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Czechia, Denmark, Egypt, Estonia, European Union, Finland, France, Georgia, Germany, Greece, Hungary, Italy, Japan, Kazakhstan, Latvia, Lithuania, Luxembourg, Malaysia, Montenegro, Netherlands, New Zealand, Nigeria, North Macedonia, Norway, Pakistan, Poland, Portugal, Republic of Korea, Republic of Moldova, Romania, Russian Federation, San Marino, Serbia, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, Tunisia, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland.
The regulation makes clear that the responsibility for demonstrating that effective cybersecurity methods and processes were used lies with the OEM, which is also responsible for ensuring that cybersecurity processes are in place throughout its supply chain.
OEMs that do not comply with the regulations (once adopted by member countries) will not get type approval. They will face trade barriers and other complications that will impact the bottom line. Vehicle manufacturers that do acquire the necessary certification will get type approval, be able to sell their vehicles in the countries that adopted the regulation and can brand their companies as secure so that they can build mutual trust with their customers.
Tier-1 and Tier-2 suppliers are not required to have their own compliance certificate, but those that do not provide evidence to the OEM that they implemented all the necessary cybersecurity measures (thus not allowing the OEM to be certified) will most likely be cut off by the OEM and lose business.
In that context, it’s important to remember that the regulation clearly demands cybersecurity measures throughout the lifecycle of the vehicle, which includes the development, production and post-production phases.
While the OEM can ensure that cybersecurity measures are in place during the production phase, it must rely on its suppliers to provide them during the development phase (of all the components, chips, parts, etc. of the vehicle) and in the post-production phase, e.g. for services such as OTA updates, smart services for the connected car (remote door unlock or engine start), access control for software, and more.
The UN regulation on cybersecurity does not affect type approvals granted before the regulation enters into force in a given country (the relevant date is the national entry into force, not the date it comes into force as a United Nations regulation). Nor does it affect vehicles already on the road.
If a vehicle “facelift” includes the changing or replacement of a system(s) that could potentially affect the cybersecurity of the vehicle (e.g. infotainment, telematics), the vehicle manufacturer may be required to obtain a new whole vehicle type approval (WVTA) and /or an “extension” of the current WVTA held for the vehicle.
According to a UNECE press release of June 25, 2020, Japan has indicated that it plans to apply these regulations upon entry into force (estimated in late 2021 or beginning 2022).
The Republic of Korea has adopted a stepwise approach, introducing the provisions of the regulation on Cybersecurity in a national guideline in the first half of 2020, and proceeding with the implementation of the regulation in a second step.
In the European Union, the new regulation on cybersecurity will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024.
The first six sections of the WP.29 regulation cover its scope (Section 1), the definitions of the terms it uses (Section 2), and the application, markings, approval process and CSMS certificate of compliance involved in formal regulatory approval (Sections 3-6). The regulation also sets out how to handle modifications and extensions of an approved vehicle type (Section 8), conformity of production, penalties for non-conformity and discontinuation of production (Sections 9-11), and the names and addresses of the type approval authorities and technical services that contracting parties communicate to the UN Secretariat (Section 12).
The primary requirements of the regulation are largely discussed in Section 7, titled “Specifications” covering the Cyber Security Management System and Vehicle Type Approval:
In keeping with its aim to be practical rather than theoretical, the regulation stipulates in Annex 5 that, for both CSMS and vehicle type approval, the OEM must take the listed cyber threats, vulnerabilities and related mitigations into consideration in its risk assessment and threat analysis. Many (but not all) of these threats and the corresponding mitigations are listed in the three parts of Annex 5: Part A (vulnerabilities and threats), Part B (mitigations for threats to vehicles) and Part C (mitigations for threats outside the vehicle).
The main principles involved in CSMS approval demand:
The main principles involved in Vehicle Type approval demand:
To help OEMs and their suppliers understand and assess the risks associated with connected vehicles, Annex 5 lists 69 example attack methods grouped under 7 high-level categories of threats and vulnerabilities. To aid in managing those risks, the regulation also offers 23 mitigations that can be applied to secure a vehicle, its components and the back-end servers that support it. While the list of threats, vulnerabilities and mitigations is extensive, the regulation itself stresses that it is not exhaustive.
The regulation includes detailed descriptions and examples of threats, and even goes as far as to offer specific examples of potential attack methods. The threats listed are divided into the following 7 categories: back-end servers, vehicle communication channels, vehicle update procedures, unintended human actions, external connectivity and connections, vehicle data/code, and other vulnerabilities.
Although WP.29 does not mention the ISO/SAE 21434 standard, it is understood that if an OEM and its supply chain can demonstrate compliance against this standard framework, then that compliance can be used to demonstrate compliance with the WP.29 regulation.
You can find a mapping between the WP.29 CSMS requirements and the ISO/SAE 21434 standard here.
As an international automotive cybersecurity standard with explicit process requirements, ISO/SAE 21434 is likely to be the framework most OEMs and Tier 1 suppliers align with or certify against.
Cybellum enables OEMs and their suppliers to develop and maintain secure products, helping them navigate compliance with the UNECE WP.29 regulation and ISO/SAE 21434 standard. Our platform is the foundation for a CSMS covering everything from risk assessment and ongoing monitoring to documentation and readiness for auditing.
Cybellum is highly active in the area of standards, regulations and best practices, chairing the Israeli representation on the ISO/SAE 21434 standard committee, leading the taskforce responsible for the standard's Use-case Annex, and taking part in other standardization efforts such as the upcoming ISO/WD PAS 5112 guidelines for auditing cybersecurity engineering, the IAMTS study group on cybersecurity, and more.
Learn how to create a standard compliant vulnerability management program and get detailed guidelines on how to set the right teams, processes and policies.
WP.29 R155 requires manufacturers to implement a certified CSMS for any connected vehicle. Learn how to meet new regulatory requirements, improve security, and optimize production speed.
Learn how the Cyber Security Management System (CSMS) requirements set in the UNECE WP.29 GRVA regulation map to the process requirements of the ISO/SAE 21434 standard
Are you on track to achieving WP.29 compliance on time? Learn how to stay on top of cybersecurity and regulatory challenges by automating your CSMS processes.
UN Regulation on uniform provisions concerning the approval of vehicles with regard to cyber security and of their cybersecurity management systems.
Draft/not published. Final publication is expected by the summer of 2020.
This new standard is designed to help the automotive industry define a structured process to ensure cybersecurity is incorporated into the design of road vehicles, including systems, components software, and connections to any external device or network.
The standard specifies the cybersecurity risk management requirements for the design, development, production, operation, maintenance, and decommissioning of road vehicle electrical and electronic (E/E) systems.
The ISO/SAE 21434 Standard is a result of the efforts of a joint working group of more than 100 experts from 14 nations and 82 industry organizations across public, private, and government sectors, representing the SAE Vehicle Cybersecurity Systems Engineering Committee and the ISO Technical Committee 22, Sub-committee 32, Working Group 11.
The ISO/SAE 21434 draft was produced by four main working groups, covering risk management; product development; production, operation, maintenance and decommissioning; and process overview.
The standard was released as a draft on 12th February 2020, and its development and final release is expected at the beginning of 2021.
SAE International and ISO had previously worked on automotive safety and security related standards on their own:
The first four clauses of the standard highlight the scope (Clause 1), references (Clause 2), definitions (Clause 3), and general considerations (Clause 4) of the standard.
The bulk of the standard requirements are covered in Clauses 5-14, where:
The standard also includes 10 annexes (A-J) which, as the standard itself explains, are informative only: "The annexures in this document are all informative and used to provide additional information to the main body of the document for several reasons, for example: [...]"
According to Clause 4 titled “General Considerations”, the standard is limited to cybersecurity relevant items and components inside or on the vehicle perimeter including aftermarket and service parts.
Systems outside the vehicle perimeter can be considered for cybersecurity purposes but are not in the scope of the standard. The following are examples of what can be considered for the vehicle level as a whole:
ISO/SAE 21434, still in draft form as of May 2020, gives vehicle manufacturers and suppliers a baseline for managing cybersecurity risks efficiently and effectively. The standard was developed to protect the road user, and risk levels and the corresponding cybersecurity measures are therefore set according to the potential impact on road users (safety, financial, operational and privacy damage).
It provides a standardized cybersecurity framework, establishes cybersecurity as an integral element of engineering throughout the lifecycle of a vehicle from the concept phase through decommissioning, ensures that cybersecurity is considered in post-production processes (software updates, service and maintenance, incident response, etc.), and calls for effective methods of lessons learned, training, and communication related to automotive cybersecurity.
More specifically, the scope of the standard includes:
ISO/SAE 21434 does not dictate specific cybersecurity technologies or solutions, mandates around remediation methods, or cybersecurity requirements for telecommunications systems, connected backend-servers, EV chargers, or autonomous vehicles.
Instead, the standard emphasizes risk identification methods and established processes for addressing cyber risks. Accordingly, if a compromised back-end server, charger or autonomous driving function creates a direct risk to the road user, that risk still has to be identified, monitored and mitigated as part of the vehicle's risk assessment.
This provides OEMs and their suppliers flexibility in implementing the technologies and solutions needed to adhere to the standard.
The standard requires OEMs and their suppliers to analyze new and emerging threats and risks throughout a vehicle’s lifecycle to determine the extent to which a road user/driver could be impacted by a threat scenario. This general process of threat analysis and risk assessment is called “TARA”.
The standard’s methods for effective risk assessment (TARA) include:
ISO/SAE explains that the methods ("modules") listed are not tied to a particular phase of the vehicle lifecycle and can be applied in whatever order is most appropriate for the OEM.
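The following is a worked TARA for one threat scenario, added here as an illustration; it is not code or text from ISO/SAE 21434, WP.29 R155 or Cybellum. It ties the two passages above together: the threat is one of the Annex 5 "vehicle update procedures" cases (a malicious firmware image delivered over the OTA channel), and the scenario is rated the way the standard's TARA describes: each attack path gets an attack feasibility rating, the damage scenario gets an impact rating, the two combine into a risk value, and a treatment decision follows. The attack-potential factor values and feasibility bands follow the attack-potential approach from the standard's informative annex; the risk matrix, the treatment thresholds, the two attack paths and all ratings are this example's own assumptions and should be checked against your copy of the standard.

```python
"""Worked TARA for one threat scenario (illustration, not code from the standard).

Assumptions: attack-potential factor values and feasibility bands are taken from
the attack-potential approach of the standard's informative annex; the risk
matrix, the treatment policy and the sample scenario are invented for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Attack-potential factors: the effort an attacker needs (assumed values).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]
# Risk value 1..5 indexed by [impact][feasibility]; an example matrix, not a mandated one.
RISK_MATRIX = {
    "severe": [2, 3, 4, 5],
    "major": [1, 2, 3, 4],
    "moderate": [1, 2, 2, 3],
    "negligible": [1, 1, 1, 1],
}


@dataclass
class AttackPath:
    description: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        """Sum of the five factors; more effort needed means a less feasible attack."""
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window] + EQUIPMENT[self.equipment])


def feasibility_rating(potential: int) -> str:
    """Map summed attack potential to an attack feasibility level (assumed bands)."""
    if potential <= 13:
        return "high"
    if potential <= 19:
        return "medium"
    if potential <= 24:
        return "low"
    return "very low"


@dataclass
class ThreatScenario:
    name: str
    impacts: Dict[str, str]        # impact category -> level, e.g. {"safety": "severe"}
    attack_paths: List[AttackPath]


def overall_impact(impacts: Dict[str, str]) -> str:
    """The scenario is rated by its most severe impact category."""
    return max(impacts.values(), key=IMPACT_LEVELS.index)


def treatment_decision(risk: int) -> str:
    """Example policy: high risks must be reduced; low ones may be retained with rationale."""
    if risk >= 4:
        return "reduce"
    if risk >= 2:
        return "reduce or share"
    return "retain"


def assess(scenario: ThreatScenario) -> dict:
    """Rate every attack path, take the most feasible one, and derive risk and treatment."""
    rated = [(path, feasibility_rating(path.attack_potential())) for path in scenario.attack_paths]
    worst_path, feasibility = max(rated, key=lambda r: FEASIBILITY_LEVELS.index(r[1]))
    impact = overall_impact(scenario.impacts)
    risk = RISK_MATRIX[impact][FEASIBILITY_LEVELS.index(feasibility)]
    return {"scenario": scenario.name, "impact": impact, "feasibility": feasibility,
            "attack_path": worst_path.description, "risk": risk,
            "treatment": treatment_decision(risk)}


# Constructed sample (hypothetical): an Annex 5 style "vehicle update procedures" threat,
# a malicious firmware image installed on an ECU through the OTA channel.
UNSIGNED_UPDATE = AttackPath("Inject image over OTA channel; ECU does not verify signature",
                             "<=1 month", "proficient", "restricted", "moderate", "specialized")
STEAL_SIGNING_KEY = AttackPath("Compromise back-end and obtain the update signing key",
                               "<=6 months", "multiple experts", "strictly confidential",
                               "difficult", "bespoke")
IMPACTS = {"safety": "severe", "financial": "major", "operational": "major", "privacy": "moderate"}

BEFORE_MITIGATION = ThreatScenario("Malicious OTA firmware", IMPACTS,
                                   [UNSIGNED_UPDATE, STEAL_SIGNING_KEY])
# After the mitigation "verify authenticity and integrity of updates" is applied, the
# unsigned path no longer exists and only the key-theft path remains; the scenario is re-rated.
AFTER_MITIGATION = ThreatScenario("Malicious OTA firmware", IMPACTS, [STEAL_SIGNING_KEY])

if __name__ == "__main__":
    for scenario in (BEFORE_MITIGATION, AFTER_MITIGATION):
        print(assess(scenario))
```

Run as a script, the first assessment rates the unsigned-update path as medium feasibility against a severe impact, giving risk 4 and a "reduce" decision; re-rating after the signature-verification mitigation leaves only the key-theft path, so feasibility drops to very low and the residual risk to 2. That before/after loop, not the specific numbers, is the point: the mitigation chosen from Annex 5 is justified by the drop in risk value, and the rationale is what the CSMS has to document.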
Clause 15 of the standard focuses on “distributed cybersecurity activities” and discusses the cybersecurity relationships between OEMs and Tier 1 and 2 suppliers.
An OEM is responsible for ensuring that its suppliers implement methods to keep their products and components secure. Clause 15.4 describes three main steps for establishing a successful OEM-supplier relationship:
1) Evaluate: (Clause 15.4.1) “Demonstration and Evaluation of Supplier Capability”
2) Confirm: (Clause 15.4.2) “Request for Quotation”
3) Align: (Clause 15.4.3) “Alignment of Responsibilities”
A review of the latest ENISA (the European Union Agency for Cybersecurity) report on the importance of cybersecurity for connected cars.
US Department of Transportation - National Highway Traffic Safety Administration - Draft 2020 Update - Cybersecurity Best Practices for the Safety of Modern Vehicles
Automotive Information Sharing and Analysis Center cybersecurity best practices
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (May 2022)
Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (February 2021)