by Nada Welker | Jul 8, 2022 | Automotive Cyber Security, Automotive Industry, Cyber Security Management, Future Trends, Know-How and inspiration, Market development & Trends, News from magility, strategy in change
At the 26th International Automotive Electronics Congress 2022 in Ludwigsburg, the top industry event for electronics experts and decision-makers in the automotive sector, the focus was on the path to the software-defined car. What does it take in the automotive industry to develop the software-defined car safely, efficiently and sustainably? What are the automotive industry’s current pain points in this multi-layered challenge? What role do regulations play? Do we need cross-border standards to get there? And what role do consumer experiences play? How are the individual players in the automotive industry meeting the current challenges, and why are open source approaches and cooperation particularly important now? Many questions, but also controversial discussions, characterized the traditional congress at the Forum am Schlosspark. Despite many answers, many questions also remained unanswered. The conclusion: There is still a lot to do!
The software-defined car
Up to now, software has been and still is to a large extent very closely linked to the hardware module or electronic control unit (ECU) in the vehicle, which takes over a very specific functionality there. In the “traditional car”, the software hardly evolved during the life of a vehicle and any necessary updates required a visit to the workshop. In the software-defined car, functions are defined by the software rather than the specific hardware modules, similar to applications we run on our smartphones or computers. This allows the functions to evolve and improve throughout the life of the vehicle and even add new functions and features as necessary within the hardware limits. With the software-defined vehicle, new features and services or apps are enabled in the vehicle as needed, either individually or for a limited time. This creates multiple opportunities for new business models, and software-as-a-service becomes tangible for car users. The value of a vehicle can even be increased during its life cycle by adding features at a later stage. Manufacturers’ focus on user experience is becoming a critical success factor. Data can be transmitted over-the-air (OTA), the vehicle can communicate with the infrastructure, collect and send data to the cloud, and receive data. Mobility services, automated driving and the further development of e-mobility are only made possible by software. So the car continues to evolve into a software-centric electronic device on wheels. This no longer has much to do with the original way an automobile worked. The automotive industry is still in the midst of transformation and must open itself up to an even greater extent to market participants from and cooperations with the software and communications industry.
The most important topics and statements of the speakers
After the opening by Alfred Vollmer, Editor-in-Chief of “Automobil-Elektronik” and initiator of the Automotive Electronics Congress, Ricky Hudi took over the moderation and handed over to the first speaker of the day, Porsche CEO Oliver Blume, who spoke about Porsche’s vision of the future and appealed to the emotions of the audience. In this regard, when it came to the software-defined vehicle, the use of an open operating system that works with AI and enables the vehicle to connect to different ecosystems around the world was particularly important to him. He also clearly stood for the recognition of the human factor and emphasized the importance of bringing employees along in the transformation and placing them at the center of concepts for success. After all, he said, the transformation cannot be mastered without motivated employees who share the company’s vision and brand values and understand and internalize the necessary steps on the way to the software-defined vehicle.
The future strategy at Mercedes-Benz was the focus of the keynote speech by Magnus Östberg, Head of Software at the Stuttgart-based automaker. It became quite clear: Mercedes-Benz claims market leadership in the luxury segment. The new MB.OS operating system (to go into series production in 2024) and the software development center in Sindelfingen play a decisive role in achieving the ambitious goals. However, Östberg was also critical: “We are leaders in the field of electrical engineering, but there is still a long way to go before we become market leaders in the field of software.”
The world’s largest automotive supplier has managed the transformation from a pure hardware company to a software company, said Mathias Pillin (President Cross Domain Computing Solutions at Bosch). Today, however, the biggest challenge of a Tier 1 is to make it clear to the OEM that not only hardware, but also software has an independent value. It is the software, he said, that makes it possible to process data from a connected vehicle in the quantity and quality to provide individual services and functions.
Dipti Vachani, SVP Automotive and IoT at Arm, sees an interplay between hardware and software: “Software-defined vehicles need specific computing power and hardware tailored to the workload of the car.” To achieve this, software development today must be integrated into the vehicle development process at a very early stage and meet different demands for performance and compatibility. This compatibility across the entire vehicle is and remains a major challenge for manufacturers. For her, the interlocking further development of hardware and software is the top priority.
Panel discussion “Semiconductors: The Base of the Software-defined Car”
Moderated by Alfred Vollmer (Automotive Electronics), Jens Fabrowsky (Bosch), Calista Redmond (RISC-V International), Dipti Vachani (Arm), Lars Reger (NXP) and Magnus Östberg (Mercedes-Benz) discussed the position of semiconductors in the automotive sector. Commenting on the reports and rumors that OEMs are now building their own chips, Lars Reger of NXP said, “Let’s dispel the myths a bit. Tesla gets 99% of its chips from companies like us. All they have done is develop an AI accelerator.” And on semiconductor shortages, he commented, “98% of all automotive semiconductors will be above 20 nm in the next 15 years.” Arm’s Dipti Vachani emphasized that innovation has not slowed down due to Corona and that the industry is moving like never before. Magnus Östberg argued that the industry should become more professional in dealing with risks. All the panelists were equally clear that scaling must become the focus of attention.
User experience as a central feature of the software-defined vehicle
The vehicle as the ultimate mobile device: a major topic at the congress. According to Stephan Durach, SVP Connected Company Development at BMW, hardware is increasingly taking a back seat, while intuitive, natural interaction in the car is becoming more and more important. At BMW, this is implemented in the form of a virtual assistant or intelligent navigation. However, it would remain exciting to see what would happen with Apple’s CarPlay system, for example, should conflicts of interest arise on the subject of user interface.
When it came to the topic of user experience, three speakers were very much in agreement: Dirk Walliser, SVP Corporate Research & Development at the ZF Group, got to the heart of the matter in his very interesting presentation. The software-defined vehicle is much more than just software. It is much more about the user experience. As far as the cost structure is concerned, however, it is still not clear who will bear the costs for additional software functions in the future: The OEM or the customer?
At Harman International, the focus is also on the consumer experience. For Christian Sobottka, President of the Automotive Division, customers rightly expect to find everything they use on their smartphones in their cars within a very short time. And Riclef Schmidt-Clausen, SVP Domain Intelligent Cockpit & Body at Cariad, noted that smartphone manufacturers clearly still lead the way in user experience. Reaching this level in the automotive industry is a major challenge, he said.
Collaboration as the key to success?
Christoph Hartung (ETAS) spoke about how this challenge could be solved quickly in his presentation, which also contained quite provocative statements: There is no more hierarchical industry than the automotive industry, and AUTOSAR (an initiative to create an open software architecture for ECUs) was founded in 2003 because the industry was “deep in the sh***” at that time. Currently, we are again in a similar situation with the further development of the user interface in the software-defined vehicle, says Hartung – but the willingness to cooperate is basically there in the industry. Karsten Michels, Head of Productline at Continental Automotive, put it similarly, but less provocatively: “Collaboration is the key, we’re all in the same boat.”
Calista Redmond, CEO of RISC-V International brought the topic of open source collaboration model to the stage with a lot of enthusiasm. RISC-V is a free and open ISA that aims to enable a new era of processor innovation through open standards collaboration.
Other presentations by top-notch speakers on exciting insights enriched the congress.
The setting and the atmosphere
For the 26th time already, the congress opened its doors; every year it is the central meeting point for almost 600 industry experts, mainly from the automotive electrics/electronics sector. The “Great Reunion of the Industry”, as the congress is also fondly called, takes place at the Forum am Schlosspark in Ludwigsburg. For the first time, the event was held exclusively in English – whether this contributed to the quality of the congress is something we at magility critically question. Criticism was also voiced among the participants that with a proportion of German-speaking visitors of certainly at least 90%, a great deal was “lost in translation”. Visitors were able to visit the accompanying trade exhibition outside the lecture rooms, find out live about the latest developments from exhibitors in the industry and make contacts. At the culinary networking event in the evening in the neighboring riding hall, the mood was relaxed; many finally saw each other in person for the first time after two years of pandemic.
We were struck this year by the slight increase in the number of female visitors, both on and off stage. With a share of about 3% of the total number of visitors, however, there is still plenty of room for improvement!

The number of female attendees was clearly reflected in the visit to the ladies’ toilets. Conclusion: At this congress the men have to queue 😉
magility Insights
We from magility met many business partners at the congress, had interesting conversations and were pleased to be able to network in person again. As always, the congress was smoothly organized. Thematically, it was more about “in the vehicle” and less about networking and infrastructure, which plays an equally important role in the software-defined vehicle for us at magility. The topic of fleet clearly came up short for us and the subject matter of the speakers has changed only minimally from the time before Corona. Cooperations are important, almost all participants agreed on that. This was also the case before Corona. However, few cooperations were presented this year, which may be an unintended side effect of the Corona pandemic with its contact restrictions.
For us from magility, the presentation by Huawei was very impressive, in which it was explained what has already been implemented and achieved there in the last 3 years. Huawei introduced its first electric car Seres Huawei Smart Selection SF5 only last year and the speed with which Huawei is on the move in the further development of intelligent automotive solutions should shake up all other market players. In their presentations the German companies talked even more about what should be implemented.
The road to the software-defined vehicle is without a doubt one of the key challenges for the German automotive industry that needs to be tackled with verve and without delay. Here in the Stuttgart metropolitan region, we have the best prerequisites for helping to shape the mobility of the future on a solid basis if we approach the new market participants with an open mind, see cooperation as an opportunity, and rely at least in part on uniform software development. Not everyone has to cook their own soup. But together we have the chance to turn the soup into a star menu! Let’s do great things together! We at magility are happy to help!
by Julia Riemer | May 6, 2022 | Automotive Cyber Security, Automotive Industry, Cyber Security Management, Future Trends, Market development & Trends, New Mobility
Over the next few years, many countries will introduce the United Nations Economic Commission for Europe (UNECE) regulations R155 on cybersecurity and R156 on software updates. The new regulations address the growing risk posed by increasing connectivity and the digitized vehicle environment – a major challenge for vehicle manufacturers and their suppliers. This article focuses primarily on regulation UN-R 156 for software updates and the establishment of a Software Update Management System (SUMS).
UNECE Regulation 156 – SUMS
UN-R156 establishes the framework for the type approval of software updates for vehicles and for the establishment of a Software Update Management System (SUMS). A SUMS ensures that the requirements for the provision of software updates described in UNECE Regulation 156 are met. A SUMS defines the organizational processes and procedures necessary for this and is based on the same model as a Cyber Security Management System (CSMS). It is the central control unit for software updates. The goal here is to develop, control and continuously improve all types of activities and processes that are essential for updates. To obtain type approval certification as OEMs, all mandatory type approval parameters must be included. UNECE Regulation 156 lists these parameters such as safety, connectivity, information exchange, theft and environment in a checklist for OEMs. Compliance with these parameters is crucial for type approval. By implementing a SUMS, OEMs and suppliers can ensure that they comply with the regulation for the delivery of software updates.
Overview of the most important points
- According to paragraph 2.3 of UN-R156, the term “software update” describes a package used to update the software to a new version, including a change in configuration parameters.
- According to paragraph 2.5 of UN-R156, SUMS is a systematic approach that defines organizational processes and procedures to meet the requirements for the delivery of software updates in accordance with UN-R156.
- In this regard, UN-R156 specifically addresses OTA updates. According to paragraph 2.9 of UN-R156, an OTA update means any method of wireless data transmission instead of a cable or other local connection.
- According to paragraph 6 of UN-R156, an original equipment manufacturer must obtain a so-called certificate of conformity for its SUMS from an appropriate type approval authority. A certificate of compliance is usually valid for up to three years from the date of delivery. Original equipment manufacturers must apply for a new certificate of conformity or an extension of the existing certificate of conformity in good time before the period of validity expires. A valid certificate of conformity for the SUMS is the main basis for a valid type approval.
- UN-R155 and UN-R156 primarily establish type approval requirements for OEMs in their typical role as whole vehicle type approval holders. Thus, they expect an OEM to implement and maintain a proper CSMS and SUMS and apply it to its respective type-approved vehicle types. Proper cybersecurity and software updates, on the other hand, generally involve supplier parts. Therefore, most suppliers are also included in cybersecurity and software update considerations. Accordingly, OEMs and suppliers must work closely together to ensure the cybersecurity of vehicles and their components.
In addition, and potentially more so than before, OEMs will be required to monitor their vehicles in the field, identify potential cybersecurity or software risks, and – if necessary – provide software updates to mitigate these risks in a timely manner, e.g., in the form of voluntary service actions, a recall, or similar measures.
Four key aspects for implementing the requirements of software update management systems
To implement the requirements of the Software Update Management System (SUMS), the following activities are essential:
- Goals and specifications in governance should be created or expanded to enable the planning and operation of a software update management system and to make it implementable and monitorable through audits.
- Derived from these goals, the SUMS management processes have to be established. Besides implementation and auditing, it becomes crucial to identify processes for the distribution of information as well as reporting within the operating model. It is equally significant to ensure the correct execution of the SUMS and to enable continuous improvements. Another weighty aspect is also to ensure adequate traceability for vehicle type testing and approval. To ensure all this, risks in the execution of software updates as well as in the organization and infrastructure must be identified and included in risk management.
- Within the organization, this requires project-specific processes, responsibilities and roles. Moreover, it also concerns tools and technologies in control of the setup and the execution of the SUMS – especially with regard to the preparation of information for management, authorities or the technical service.
- Operationally, SUMS also includes consideration of vehicle configuration and performance requirements. In this context, the existing development and deployment processes should be reviewed to ensure, in particular, the documentation and traceability of the consideration of vehicle communication processes, the performance of systems and components, vehicle status, fault prevention, and fault control.

While these points were indispensable for the pure functionality of the vehicles before the regulations were implemented, the importance of good documentation and verifiability by the authorities or technical services must now be given the utmost attention. For this, good planning, implementation and documentation of communication with vehicle users as well as validation and verification of software updates are particularly important.
Why is the evaluation of automotive software updates so important?
Without the implementation, operation and maintenance of software update management systems, manufacturers cannot obtain type approval for software update-capable vehicles and sell them on European markets. Manufacturers and suppliers must therefore provide evidence that the requirements for the vehicle and components are implemented in accordance with the UN-Regulation.
An efficient and systematic assessment by an independent third party is necessary to determine a manufacturer’s level of compliance with UN-Regulation 156 and the ISO 24089 standard.
Magility can help your company implement these regulations. Based on our experience, we provide regulation-focused and value-based consulting to all of our clients. If you are interested in our consulting services, we look forward to hearing from you. Or follow us on LinkedIn to never miss any news.
by Nada Welker | Apr 15, 2021 | Automotive Cyber Security, Automotive Industry, Cyber Security Management, New Mobility
The standards in the automotive industry will be further expanded. In addition to the UN regulations on Automotive Cyber Security Management Systems and Software Updates, which we explained in our article on UNECE WP.29, there are now strict requirements for the use of Automated Lane Keeping Systems, so-called ALKS for passenger cars.
This Regulation No. 157, adopted by the UNECE’s World Forum for Harmonisation of Vehicle Regulations, is the first binding international regulation for so-called “Level 3 vehicle automation”. The World Forum for Harmonization of Vehicle Regulations (WP.29), operated by the UNECE, is the intergovernmental platform that defines the technical requirements to be followed by the automotive industry worldwide.
Safe introduction of automated vehicles
ALKS, once activated, take primary control of the vehicle and control the lateral and longitudinal movement of the vehicle. However, the driver is able to intervene and take back control of the vehicle at any time. The driver can also be requested to intervene by the ALKS system itself.
The new Regulation 157 is based on the UNECE framework and focuses on the safety of automated and autonomous vehicles. It takes a sophisticated systems approach that contributes to road safety by the use of advanced technologies, including the reduction of accidents. The aim of the regulation is to enable the safe introduction and operation of automated vehicles in different traffic environments. It is intended to contribute to a wider use of automated vehicles.
New requirements for the approval of Automated Lane Keeping Systems
The new regulation in its current form still limits the operating speed of ALKS to 60 km/h. Under certain conditions, ALKS can be activated in road traffic, namely when cyclists and pedestrians are not allowed on these roads and oncoming traffic is separated by a physical barrier and thus cannot cross the lane.
The most important points in brief
UN Regulation 157 includes administrative provisions for type approval, audit and reporting requirements, technical requirements and provisions for type approval and testing. The application for approval of a vehicle type with regard to the ALKS shall be submitted by the vehicle manufacturer or his authorised representative.
UN-Regulation 157 and Human-Machine Interfaces
Regulation 157 also includes provisions relating to the Human-Machine Interface (“HMI”) in order to avoid misuse or misunderstanding by the driver. The regulation states, for example, that in the event of an overload message issued by the ALKS, all other displays of the vehicle offered to the driver for activities other than driving the vehicle are automatically suspended. This may be the case, for example, shortly before the end of a road section authorised for ALKS.
The process of handing over the driving task from the ALKS to the driver is also specified in the new regulation. For example, one requirement of this specifies that the vehicle must come to a stop if the driver does not respond to the ALKS handover request in accordance with the requirements. This means that the system must be able to check driver presence and assess driver availability. To this end, the regulations set out clear criteria that an ALKS must fulfil.
These include regulations and criteria to be met:
- for the sensor system
- for the driving mode memory
- of data elements to be recorded
- for data availability in compliance with the respective applicable national and regional legal provisions
- for protection against manipulation
- for cyber security and software updates
In summary, the regulation defines safety requirements for:
- Emergency manoeuvres in the event of an imminent collision
- Transition demand, i.e. when the system requests the driver to take back control
- Minimal risk manoeuvres when the driver does not respond to a transition demand (in all situations the system must minimise the risks to the safety of the vehicle occupants and other road users)
- Mandatory introduction of driver presence detection systems for car manufacturers. These systems check both the presence of the driver (in the driver’s seat with the seat belt fastened) and the availability of the driver to take back control.
- Obligation to equip the vehicle with a “black box”, the so-called Data Storage System for Automated Driving (DSSAD), which records when ALKS is activated.
Car manufacturers will therefore have to fulfill clear performance-related requirements from now on before their Automated Lane Keeping System-equipped vehicles can be sold in the countries that stipulate the regulation.
The detailed specifications, activation criteria for an Automated Lane Keeping System and all other requirements of “UN Regulation No. 157 – Automated Lane Keeping Systems (ALKS)” can be viewed on the UNECE website. An internationally agreed German translation is not yet available.
Recently, one of our start-up partners, Cognata Ltd. from Israel, which develops full product life cycle simulations for developers of ADAS and autonomous vehicles, collaborated with Five, a company that develops autonomous vehicle systems. Together, the two companies are working to provide a modular, cloud-based, end-to-end development and testing platform for Automated Lane Keeping Systems (ALKS) that complies with the new UNECE Standard 157.
The market is accelerating and for car manufacturers it shows once again that the convergence of the industries is continuing.
by Nada Welker | Sep 11, 2020 | Cyber Security Management, Interviews
In the Smart Cities and Smart Buildings of the future, sensor technology, Big Data platforms, artificial intelligence (AI) and autonomous systems will play an increasingly important role. Buildings will more and more be networked with the infrastructure of the modern city through mobile applications in the Internet of Things (IoT). This creates many new entry points for cyber attacks.
Cyber security measures along the entire value-chain and the life cycle of products and processes are therefore also becoming a decisive factor for success in the construction industry.
Cyber Security Management Systems (CSMS), which will soon be required by law for the registration of vehicles, will also play an important role in the construction industry and the real estate sector in the future.

A: In the automotive industry, it is now recognised that vehicles have become more and more mobile computers that must be considered as part of the Internet of Things (IoT). Beyond its physical limitations like tyres or mudguards the vehicle is part of a so-called end-to-end system. This means that the vehicle must be protected over its entire life-cycle and at all points in the value chain. In addition to the product itself, this includes cloud services, back ends and mobile applications. In future, manufacturers will have to present a certificate of conformity for the management of cyber security for their organisation, their processes and products in order to still be allowed to register vehicles. Our managing director, Dr. Michael Müller, spoke about this topic in an interview a few weeks ago.
Buildings, too, are increasingly networked these days. This already starts with smart home applications such as doorbell systems with video switching, intelligent ovens or entire data buses that can be used to control light and temperature throughout the house. Some modern buildings in a smart city already have a connection to a smart grid and are already fully integrated and networked with the infrastructure through energy supply or mobility services such as charging points. If you draw parallels with the automotive industry, it is only a matter of time before the cyber security of buildings is regulated at the legal level as well, since in a networked infrastructure there are numerous entry points for cyber attacks.
Q: How can the construction industry prepare itself reasonably?
A: One approach would be to look at current best practices from the automotive industry and apply them to the construction industry. For example, control units or sensors that are to be installed in buildings could already be checked for cyber security during the sourcing process. Conversely, for suppliers this means that the processes in development, production and operation in future will have to be adapted to meet the customer’s cyber requirements and to further qualify themselves as a supplier.
The introduction of a so-called Cyber Security Management System (CSMS), which adds the aspect of cyber security to products, processes and organisation, is the best solution for this. In this way, all stakeholders involved in a construction project can ensure that their organisation, as well as their suppliers, are cyber-secure and, in the case of the introduction of a mandatory CSMS certification, that they can continue to implement their construction projects.
Q: We have learnt that the integration of a holistic CSMS is a critical success factor for the housing of the future. Smart Cities, which do not function without networking and thus without areas of attack, require a holistic cyber security strategy. What could such a strategy look like?
A: First of all, you must familiarise yourself with the new networked ecosystem in which a modern Smart City is located today. This system consists of an ever-increasing number of networked sensors, which in theory can turn any product, object or device into a Smart Device. This means that each of these objects has its own individual life cycle and value chain. All these different cycles and chains are affected by cyber security, which is why the integration of a management system should be the central point of any cyber security strategy.
Take a new construction project as an example. First of all, we have different actors here to implement such a project. Usually these are investors, construction planners, the actual construction companies and later the operators. Each party must be clear about what needs to be done on the cyber side to ensure that all interfaces are secured.
Especially investors play an important role when selecting partners and must provide an overall picture including the objectives, e.g. that a smart office building is also cyber-secure. These requirements must be taken into account when selecting partners.
As a construction planner, you need to plan the building’s electrical and electronic systems in a sustainable manner, from the initial idea to the completion of the building. This means that a great deal of expertise in networking, sensor technology and communication systems is required to ensure that Cyber Security is considered and implemented at every step.
During the actual construction of the object, the focus is primarily on project management and the monitoring of the implementation and compliance of cyber activities. All E/E systems, sensors and actuators must be correctly installed and tested for functional safety and cyber security.
Ultimately, operating companies must ensure that the cyber security of the property is permanently guaranteed from the time of final acceptance until the end of the building’s life cycle – either by demolition or rededication. This can be done by a so-called Security Operation Centre (SOC). This SOC monitors the corresponding object 24/7 and reacts in the event of a cyber vulnerability in the shortest possible time to rectify faults or ward off potential attacks.
Q: What role does magility play in this process?
A: We at magility see ourselves as a system integrator of CSMS for the European market. Through our partnerships with technology companies such as Argus Cyber Security and high-tech start-ups in the fields of cyber security, sensor technology, AI, etc., as well as the independent certification service provider DEKRA and our international network, we can provide cross-interface advice on strategy and action planning for construction projects. Furthermore, we can accompany the CSMS implementation process and the implementation of cyber security measures. To this end, we are also already working with players from the construction industry, such as Drees & Sommer.
Q: Thank you very much for the detailed answers. Would you give us a personal estimation at the end of the interview? Where is the construction industry heading to?
A: The construction industry has been undergoing significant digital change for several years now, and this will continue in the future due to the ever-increasing digital networking of buildings and infrastructure. The automotive industry is currently a pioneer, as regulations with binding measures and deadlines for their implementation have already been announced. In future, however, a CSMS will also have to be implemented for the construction industry, as this is the only way to ensure that the infrastructure is protected and the dangers of cyber attacks for the whole society are minimised. Therefore we advise our customers from the construction industry to deal with the topic CSMS already now in order to be prepared for the future and to take the chance to play a pioneering role in this industry.
If you have any further questions on this topic, we at magility will be happy to help. Please contact our CMO Nada Lea Welker directly at nada.welker@magility.com or contact us here.
by Nada Welker | Aug 7, 2020 | Automotive Cyber Security, Cyber Security Management
The paradigm shift in the automotive industry towards the networked and (partially) autonomous vehicle is in full swing. New technologies with significantly increasing networking possibilities are currently leading to new demands on the regulatory framework. In recent years, legislators and test institutes have already initiated the establishment of corresponding standards. Suppliers of software, sensors and system architectures for the automotive industry must already be able to meet these standards in order to position themselves successfully in tenders by vehicle manufacturers. In the future, type approval of vehicles will only be possible if a certified Cyber Security Management System (CSMS) is in place.
Which regulations are currently at issue?
The emerging standards on Automotive Cyber Security are new in the automotive industry. The WP.29 working group on the harmonization of vehicle regulations of the UNECE (United Nations Economic Commission for Europe) has drawn up a set of rules that prescribes new requirements for the cyber security of vehicles. The focus of the WP.29 regulations is, firstly, on testing the reliability of autonomous systems and, secondly, on ensuring the cyber security of all components and data connections installed in the vehicle. According to this standard, all manufacturers of vehicles connected to the internet and their suppliers must have implemented a functioning Cyber Security Management System (CSMS). Without such a CSMS, an application for the type approval of a vehicle is impossible. At the same time, the ISO (International Organization for Standardization) is developing the two standards ISO/AWI 24089 and ISO/AWI 21434. Both aim to establish a new standard in the automotive industry for all cyber security relevant topics. Hence, all companies in the industry now face the challenge of preparing themselves and installing a corresponding CSMS as quickly as possible in order to comply with the soon-to-be-released regulations from the outset. This CSMS must also include the administration of suppliers, service providers and other third parties.
What is the technological background?
Autonomous and smart technologies make vehicles much more vulnerable to cyber attacks. The high number of different data connections as well as the digital and networked components provide gateways for hackers, which in the worst case can be used to influence the vehicle system without authorization. The scenarios that can result are well known. The gateways can be divided into three areas:
- Telematics: via WLAN, mobile radio, GNSS data connections such as GPS and the servers connected in the background
- V2X Communication: Vehicle-to-Infrastructure (traffic management systems), Vehicle-to-Device (smartphones), Vehicle-to-Home (smart home devices), Vehicle-to-Vehicle (communication between vehicles)
- Infotainment: WLAN, music and video streaming, data connections from apps for e.g. weather, restaurant recommendations, games etc.
The listed data connections are potentially vulnerable to hacker attacks. In order to exclude the dangers in advance or at least to mitigate them as far as possible, the establishment and operation of a comprehensive Cyber Security Management System (CSMS) is indispensable and will in future also be required by lawmakers and testing institutes. The UNECE has announced that the operation of a certified CSMS and its application to the vehicle type will be mandatory from around mid-2022 for all new types of vehicles at the time of type approval. From July 2024 it will then apply to all new vehicles. This means that companies will have about 2 years to take the necessary measures and integrate a corresponding CSMS into their business.
Important: Introduction of a Cyber Security Management System
In order to successfully manage the complexity of all risks in the area of cyber security for vehicles, every company must have a CSMS in the future. A company’s cyber security approach must be implemented holistically over the entire product life cycle. This covers both the organizational and technical areas of a company or product, including the product development process, production and all service, maintenance and repair work after the commissioning of a component or software. The entire automotive ecosystem must be carefully coordinated in order to comply with the upcoming cyber security requirements. It is therefore important to create the right framework conditions in both the organizational and process structure of the company and to initiate appropriate measures. Certifications according to WP.29 or according to the above-mentioned ISO standards will form the regulatory basis for the future cooperation between vehicle manufacturers and service providers in the automotive industry.
How is a CSMS structured?
The purpose of a CSMS is to preventively identify and eliminate critical weaknesses in the product. Cyber security must be ensured and maintained throughout the entire product life cycle. This includes designing the products according to cyber security specifications. The number of hacker intrusion points must be kept as low as possible from the very beginning. This is the only way to reduce the areas of attack and thus the risk of falling victim to a cyber attack. Every company must therefore orient itself to the best practices for effective cyber security. These best practices primarily concern principles to be followed in product development, production, the organization of the company and the assignment of responsibilities.
Possible guide to relevant best practices
The principles in the approach are:
Security by Design, Privacy by Design and the introduction of a risk and threat management. This means the regular execution of analyses of possible threat situations throughout the entire development.
The principles for the organization are as follows:
Inclusion of all suppliers and service providers in the aspects of cyber security. An awareness of cyber security in the company’s own corporate culture across all interfaces must be created through training and consulting. Guidelines for the efficient handling of cyber-relevant security incidents are to be developed and established in the company.
Principles in the technological implementation:
Constant monitoring of security gaps and unauthorized access as well as the greatest possible protection of one’s own networks through encryption and strict access controls (human factor). By using Big-Data and AI methods, irregularities in the data flow can be detected early.
The time to act? Right now!
We at magility support our customers from the automotive sector with a view to the future and therefore developed a CSMS years ago, which is continuously adapted to the newly emerging regulations. We act as a system integrator for CSMS for medium-sized companies in the German and European market and are optimally positioned thanks to our partnerships with technology companies such as Argus Cyber Security, internationally one of the most renowned companies for automotive cyber security, and the independent certification service provider DEKRA. This enables us to provide our customers with comprehensive support in the implementation of a Cyber Security Management System. In recent years, we have established ourselves on the market as experts for all questions and solutions relating to automotive cyber security and have implemented numerous projects with well-known companies from the automotive industry.
How do you see your company currently positioned with regard to cyber security? Please contact us for a professional exchange; we will support you with an initial assessment of your risk situation. We will support your company in the implementation of a CSMS that takes the newly emerging regulations into account from the beginning.