In order to pave the way for the mass production and delivery of networked vehicles, the UNECE has just published UN regulations on cyber security and for Cyber Security Management Systems (CSMS). UNECE WP.29 sets new standards in the automotive industry. The new regulations come into force at the beginning of the year 2021. They apply not only to passenger cars but also to vans, trucks, buses, light quadricycles if they are equipped with automated driving functions from level 3, and trailers if they are equipped with at least one electronic control unit.
Increasing networking in the automotive sector
For the smart mobility of the future, automation, networking and digitalization of vehicles are the basis. Due to the increasing networking and digitalization of vehicle systems, the automotive industry has been undergoing profound change for years. The software of vehicles today contains about four times more lines of code in the software than that of a fighter plane. The software code can currently be up to 100 million lines long and is expected to grow to 300 million lines of code by 2030. There are also about 150 electronic control units.
With increasing networking, the areas of attack and thus the cyber risks are constantly multiplying. Numerous hacker attacks, in which electronic systems and vehicle data were maliciously accessed, thus endangering vehicle safety and the privacy of vehicle owners, have been published in the international media. The automotive industry has already reacted to this in recent years and has intensively dealt with the cyber security of the new systems. Nevertheless, the two new UN regulations now pose considerable challenges for the automotive industry.
Clarity through binding regulations – WP.29
Now it is no longer just a voluntary commitment by the automotive industry to deal with these risks but a legal requirement with clear performance and testing requirements for vehicle manufacturers.
The new UN regulations, adopted yesterday by the World Forum for Harmonisation of Vehicle Regulations of the UNECE, are the first internationally binding standards in this area ever to prescribe how cyber risks are to be addressed across the entire automotive value chain.
They require the implementation of various measures in four disciplines to manage cyber risks in the vehicle system and in entire vehicle fleets:
- Holistic “end-to-end” risk management
- Minimization of risks along the entire value chain, starting in the design phase
- Detect and respond to security incidents across the entire fleet of vehicles
- Providing “over-the-air” software updates that optimally enable vehicle security throughout the entire life cycle by software updates, ideally in real time
Japan plans to implement these provisions immediately upon their entry into force.
The Republic of Korea is proceeding in two steps: In the first half of 2020, the provisions of the cyber security regulation will be incorporated into a national directive. This will be followed by the implementation in practice in the second stage.
From July 2022, the new regulation on cyber security will become binding for all new vehicle types in the European Union. From July 2024 it will then apply to all new vehicles.
It is to be expected that these UN regulations will be adopted worldwide under the 54 contracting parties to the 1958 UNECE Convention and beyond on a broad basis in the automotive industry.
The need to guarantee Automotive Cyber Security will lead to substantial investments in the coming years. According to the latest study results, these could double to around USD 10 billion between 2020 and 2030. Induced by the new UN requirements for cyber security and CSMS, technical innovations can be expected, especially from the IT sector. Start-ups and specialised niche companies could also play a significant role in this development, and new economic opportunities are also emerging for suppliers.
Automotive Cyber Security – General Conditions WP.29
The new UN regulations provide a secure basis for the following measures concerning cyber security in the automotive industry:
- Identification and handling of cyber security risks in the vehicle development process
- Securing the necessary cyber security tests, such as penetration tests
- Safeguarding of ongoing risk assessments
- Monitoring of cyber attacks in order to fend them off, ideally in real time
- Analysis of successful or attempted cyber attacks
- Assess whether cyber security measures remain effective in the face of new threats and vulnerabilities
The principles governing type-approval under the 1958 Agreement further are binding manufacturers to demonstrate that they meet the following requirements before approving vehicle types:
- the Cyber Security Management System is in place and its application to road vehicles is available
- Analysis of the risk assessment, identification of critical points
- Measures for risk minimization are identified
- Demonstrate through testing that the risk reduction measures are working as intended
- Measures are in place to detect and prevent cyber attacks
- Measures are in place to support data forensics
- Monitoring of activities specific to the vehicle type
- Reports on monitoring activities are sent to the competent homologation authority.
- The software update management system is in place and its application to road vehicles is available
- Protect the SU delivery mechanism and ensure integrity and authenticity
- Software identification numbers must be protected
- The software identification number can be read from the vehicle
For over-the-air software updates:
- Recovery function in case of failed update
- Update only if there is sufficient performance
- Ensure safe execution
- Inform users about each update and its completion
- Ensure that the vehicle is capable of performing the update
- Inform user when a mechanic is needed.
The UN regulation provides a framework for the automotive sector to create the necessary processes for this:
- Record the hardware and software versions relevant to a vehicle type
- Identification of the software relevant for type-approval
- Verification that the software on a component is what it should be
- Identification of dependencies, especially with regard to software updates
- Identify vehicle targets and verify their compatibility with an update
- Assess whether a software update affects type approval or legally defined parameters (including adding or removing a function)
- Assessing whether an update affects safety or safe driving
- Informing vehicle owners about updates
- Documentation of all above mentioned points
Whether all requirements are met is checked by national technical service providers such as DEKRA or homologation authorities.
Magility as system integrator for Cyber Security Management Systems
We at magility act as a system integrator for CSMS for medium-sized companies in the German and European market and are ideally positioned thanks to our partnerships with technology companies such as Argus Cyber Security, one of the internationally most renowned companies for automotive cyber security, and the independent certification service provider DEKRA.
This enables us to provide our customers comprehensive support in the implementation of a Cyber Security Management System. In recent years, we at magility have established ourselves in the market as experts for all questions and solutions concerning Automotive Cyber Security and CSMS and have implemented numerous projects with well-known companies in the automotive industry.
How do you currently see your company positioned regarding Cyber Security? Please contact us for a professional exchange, we will support you with an initial assessment of your risk situation. We will support your company in the implementation of a CSMS, taking into account the new regulations and requirements.
