Understanding the UNECE WP.29 Automotive Cybersecurity Regulation (CSMS)

The rapid evolution of the automotive industry, marked by the integration of connected, autonomous, and electric vehicles, has brought us to an exciting time in mobility.

Yet, this technological leap brings forth complex cybersecurity challenges, accentuated by incidents of vehicle hacking and data breaches. Recognizing the urgency to fortify automotive cybersecurity, the United Nations Economic Commission for Europe (UNECE) introduced the WP.29 regulation, focusing on establishing a robust Cybersecurity Management System (CSMS) framework.

This initiative aims to safeguard the automotive ecosystem against cyber threats, ensuring the safety and privacy of users in an increasingly connected world.

The United Nations Economic Commission for Europe is under the jurisdiction of the United Nations Economic and Social Council. It was established to promote economic cooperation and integration among its 56 member states. Within the UNECE lies the Inland Transport Committee (ITC), the UN platform to help efficiently address the global and regional needs for inland transport.

One of the subsidiary bodies of the ITC is the WP.29, which was established on June 6, 1952, as the Working Party on the Construction of Vehicles. It was renamed in 2000 as the World Forum for Harmonization of Vehicle Regulations (WP.29).

The objective of WP.29 is to initiate and pursue actions aimed at the worldwide harmonization or development of technical regulations for vehicles and to develop regulations that are intended to improve vehicle safety, protect the environment, promote energy efficiency, and increase anti-theft performance.

In response to the growing prevalence of connected vehicles, the ITC recognized the importance of WP.29 activities related to automated, autonomous, and connected vehicles at a session in February 2018. They requested that the WP.29 consider establishing a dedicated subsidiary working party specifically focused on connected vehicles.

In June 2018, following this request, WP.29 decided to convert the Working Party on Brakes and Running Gear (GRRF) into the new Working Party on Automated/Autonomous and Connected Vehicles (GRVA).

Today, the WP.29 regulation, comprising the UNECE R155 (CSMS) and R156 (SUMS), signifies a pivotal step towards standardized automotive cybersecurity practices. R155 mandates the establishment of a Cybersecurity Management System (CSMS) for vehicle manufacturers, covering processes for managing cybersecurity within the organizational structure.

The regulation’s dual approach divides compliance into CSMS approval and vehicle type approval (VTA), addressing both organizational and technical aspects of cybersecurity. The CSMS approval focuses on the manufacturer’s cybersecurity governance, risk assessment processes, and the overall management of cybersecurity across the vehicle’s lifecycle.

For instance, it demands an organizational framework that includes roles like a Chief Information Security Officer (CISO) who oversees cybersecurity strategies and practices.

Vehicle type approval, zeroes in on the cybersecurity measures implemented in each vehicle type. This involves rigorous testing and evaluation of the vehicle’s cybersecurity features, including its resilience to cyber-attacks and the effectiveness of its incident response mechanisms.

A practical example is the assessment of a vehicle’s Electronic Control Units (ECUs) to ensure they are fortified against potential cyber threats, leveraging encryption and secure communication protocols.

To help OEMs and their suppliers understand and assess the risks associated with connected vehicles, Annex 5 of the regulation lists 69 different attack routes due to 7 different cyber threats and vulnerabilities.

To aid in managing said risks, the regulation also offers 23 cybersecurity mitigations with the potential to secure a vehicle, its components, and back-end servers against these threats. It is important to note that while the list of threats, vulnerabilities, and mitigations is extensive, the regulation is quick to point out that it is not exhaustive.

The regulation includes detailed descriptions and examples of threats and even offer a specific examples of potential attack methods. The threats listed are divided into the following 7 categories: back-end servers, vehicle communication channels, vehicle update procedures, unintended human actions, external connectivity and connections, vehicle data/code, and other vulnerabilities.

Until January 2024, WP.29 applied to vehicles within the M and N categories (vehicles with at least 4 wheels), the O category (if fitted with at least one electronic control unit), and vehicles in categories L6 and L7 that are equipped with autonomous driving functions beyond level 3.

However, in January 2024, the United Nations Economic Commission for Europe (UNECE) took a significant step forward by extending the scope of UNECE WP.29 Regulation No.155 to include motorcycles, scooters, and electric bicycles that exceed speeds of 25 km/h.

This extension initially applied to passenger cars, trucks, and buses in January 2021, marks a pivotal moment in the evolution of global vehicle safety and cybersecurity standards.

This move towards a more inclusive cybersecurity framework, which includes the implementation of a cybersecurity management system (CSMS), comes at a crucial juncture as the motorcycle industry embraces increasingly sophisticated technology, integrating features such as Adaptive Cruise Control and advanced connectivity.

These advancements, while enhancing safety and user experience, also introduce new cybersecurity challenges that necessitate robust regulatory measures.

CSMS certification necessitates a holistic view of cybersecurity, emphasizing a lifecycle approach. For instance, during the development phase, threat modeling and risk assessments are crucial to identify potential vulnerabilities. This could involve analyzing the vehicle’s communication channels, such as Bluetooth and Wi-Fi, to mitigate risks of unauthorized access.

The production phase demands stringent quality controls and testing to ensure that cybersecurity measures are effectively integrated into the vehicle. In the post-production phase, the focus shifts to maintaining the vehicle’s cybersecurity integrity through continuous monitoring, vulnerability management, and software updates, demonstrating a commitment to safeguarding the vehicle throughout its operational life.

The regulation delineates clear expectations for Tier 1 and Tier 2 suppliers, underscoring their pivotal role in the cybersecurity ecosystem. Suppliers are mandated to adhere to cybersecurity best practices in the design and development of their components, contributing to the overall security posture of the vehicle.

An illustrative example is a Tier 1 supplier of infotainment systems implementing secure boot mechanisms and software integrity checks to prevent unauthorized firmware modifications.

Cybellum enables OEMs and their suppliers to develop and maintain secure products, helping them navigate compliance with the UNECE WP.29 regulation and ISO/SAE 21434 standard.

The Product Security Platform includes a CSMS Cockpit, covering everything from risk assessment and ongoing monitoring to documentation and readiness for auditing.

Additionally, Cybellum is highly active in the area of standards, regulations, and best practices, chairing the local representation for the ISO/SAE 21434 standard committee, leading the task force responsible for the standard’s Use-case Annex, and being involved in other standardization efforts such as the upcoming ISO/WD PAS 5112 guidelines for auditing cybersecurity engineering, IAMTS study-group on cybersecurity and more.

The UNECE WP.29 automotive cybersecurity regulations represent a critical milestone in the quest to secure the automotive industry against the backdrop of rapid technological advancements.

Embracing these regulations is not merely a compliance exercise but a strategic imperative to foster trust, ensure safety, and drive innovation in the automotive sector. As the industry continues to evolve, the commitment to robust cybersecurity practices will be paramount in shaping the future of mobility.

What are the penalties for non-compliance with CSMS regulations?
Non-compliance can lead to the denial of type approval, posing significant trade barriers and impacting the manufacturer’s bottom line. OEMs and suppliers must ensure rigorous cybersecurity measures across the development, production, and post-production phases to achieve compliance.

What is the significance of CSMS compliance for automotive companies?
CSMS compliance is integral to ensuring vehicle security across its lifecycle, addressing risks associated with advanced connectivity and autonomous features. It is a testament to a company’s commitment to cybersecurity, fostering trust among consumers and stakeholders.

Does CSMS compliance require certification or validation from regulatory authorities?
Yes, the OEM must obtain a CSMS certificate of compliance. This certification process is crucial for achieving vehicle type approval and ensuring compliance with WP.29 regulations.

Is there ongoing guidance or support available for companies implementing CSMS compliance?
Organizations like Cybellum play a pivotal role in providing guidance and support for CSMS compliance, offering platforms and services tailored to the automotive industry’s unique cybersecurity needs. Their involvement ensures that companies can navigate the regulatory landscape efficiently and effectively.

What is the purpose of the WP.29 CSMS regulation?
The WP.29 CSMS regulation is intended to minimize vehicle cyber risk. It, therefore, provides a comprehensive approach to automotive cybersecurity, based on the following key principles:

• An organizational framework and minimal cybersecurity requirements that impact all automotive players along the value chain.
• The responsibility for cybersecurity certification lies with the OEM (Original Equipment Manufacturer).
• Best practices must be incorporated into the design of vehicles.
• OEMs must provide reasoned arguments as to the cybersecurity of their vehicles.
• The cybersecurity of vehicles must be maintained continuously throughout all stages of the vehicle’s lifecycle including post-production.

Additionally, the regulation offers a non-exhaustive list of cyber threats and corresponding mitigations. It is highly focused on processes and governance, however, it doesn’t include an explicit definition of how the regulatory requirements can be met nor does it mandate detailed technical measures.

This was done intentionally to provide OEMs flexibility to decide how to ensure the cybersecurity of their vehicles. It is expected that, through the use of relevant standards (such as the ISO/SAE 21434) and by implementing appropriate measures, OEMs should be able to demonstrate how the principles of the regulation are met.

Which Countries Are Part of the UNECE and Are Affected by This Regulation?
While the UNECE WP.29 regulation doesn’t hold direct legal force, its influence is significant due to its widespread adoption by member states. The UNECE has 56 member states, and many of them actively participate in the development of WP.29 regulations. Here’s a link you can explore for a complete list of UNECE member states: https://unece.org/

Countries that adopt the WP.29 regulation are essentially aligning themselves with a globally recognized benchmark for automotive cybersecurity. This harmonization simplifies compliance for manufacturers who operate in multiple markets and fosters international trade.