Autonomous driving, connected cars, electric vehicles, and shared mobility—have dominated the agenda of automotive industry leaders in recent years. These innovations, built on the digitization of in-car systems, the extension of car IT systems into the back end, and the propagation of software, turn modern cars into information clearinghouses while also making them tempting targets for cyberattacks.
a
Currently, adressing cyber security issues in modern cars is a matter of good practices but does not represent a formal regulatory requirement to claim for vehicle type approval… But that was before the new UNECE WP.29 regulation R155 for CSMS (Cyber Security Management System) has been adopted by UNECE’s World Forum for Harmonization of Vehicle Regulations.
a
These will present cyber security as nonnegotiable for securing market access and type approval across more than 60 countries which are parts of UNECE WP.29 members.
What are the new regulatory requirements?
In the context of UNECE WP.29 regulations, two new documents have been accepted recently covering key future topics: Cyber Security (R155) and SW Update (R156). This article is focused on the first of these only, but the approach for the development of SW Update related documents are quite similar, with the development of the regulatory requirements (WP.29/R156) made in parallel of the establishment of the technical standard (ISO/CD 24089) which will be ultimately applied by organizations to demonstrate compliance with the State-of-the-Art.
a
New requirements for cyber security can be segmented in two main categoried as follow:
a
- Establishment of a Cyber Security Management Systems (CSMS) covering organizations policies and processes for handling cyber risks related to the entire lifecycle of vehicles, equipments and services
- Activities and documentations related to the secure development of automotive items, as well as post-development activities such as production, operation, maintenance and decomissioning.
a
Those targets will have to be demonstrated by OEMs, Tier-1s and the rest of the supply chain in a near future for being authorized to push new vehicles on markets.
“
In the European Union, the new regulation on cyber security (UNECE WP.29/R155) will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024
“
How to cope with whose new regulatory requirements ?
This topic is representing a big challenge for the automotive market which is not strongly aware about cyber security aspects. Indeed, by nature automotive organizations are mostly developing robust safety culture but the strong evolution of connected vehicle make those approaches insufficient for adressing the full landscape of new risks around smart, and even potentially automated cars.
a
Functional safety is key topic for the entire supply chain for years now, but well-known standards such as ISO26262 are adressing safety risks only, and based on methods and technics considered as system-intrinsic (e.g. systematic failures, random HW failures etc.). Those activities remain obviously mandatory for adressing a certain set of risks but what about other ones coming from the outside world ?
a
This is exactly where cyber security becomes critical, due to its system-extrinsic nature. Risk sources are numerous nowadays and potential impacts of them could also be extended further than “just” safety. Typical risk assessment approach for automotive-related disciplines are evaluating potential damage based on three key pillars which are the safety impact/severity, the likelihood/exposure and the controllability of an event. Those pillars are keys for quantifying and prioritizing risks to be adressed by organization frameworks.
a
In the context of cyber security, the approach is a bit different. Indeed, potential impacts of cyber attacks could be different and should be strongly aligned with the risk appetite of organizations. The typical approach for impact rating is to evaluate it on four dimensions: Safety, Financial, Operational and Privacy (SFOP). The enforcement of new regulations such as the General Data Protection Regulation (GDPR) force organization to think about other risk categories as well.
a
Likelihood, or probability of adverse events is nearly impossible to directly quantify for cyber security risks therefore other criteria related to the attack feasibility are used usually for evaluting the risks (e.g. equipment needed, attacker skill, window of opportunity…)
Those fundamental assessment-related differences, in addition to the dynamic nature of threat landscape, are representing the key reasons why specific approaches are required for handling cyber risks in a different way.
a
For implementing those approaches and new processes, a new standard called ISO/SAE 21434 has been published (last release: FDIS: March2021) for defining the framwork to put in place by organizations for handling cyber security, in alignement with other relevant references such as ISO26262
ISO/SAE 21434 as the key reference to be followed for compliance with regulations
As briefly mentionned above, the WP.29/R155 and the ISO/SAE 21434 have been developed in parallel to make sure that regulatory requirements could be met by applying existing standard. This document is representing the results of the industry-consensus about key cyber security practices to be applied for reaching a secure posture across the automotive market.
a
June 2022 is very close now, therefore organisations need to get to work as early as possible, and integrate this new cyber security discipline and those new references in their policies and processes to be ready for demonstrating compliance to authorities and not being blocked by future homologation schemes. First requirements in 2022 will be focused on CSMS demonstration there you should focus your effort on the establishement of your organizational policies and processes as a framework. Next target will be the demonstration of the real application of your framework in the development of your items. In other words, you will have to demonstrate records of work products / deliverables as of June 2024.
a
OEM’s won’t be the only stakeholders impacted by such new requirements. Indeed a part of them will require from OEM’s to demonstrate the capabilities of their suppliers to consider cyber security, as well as the security of their own item. We will therefore see an integration of new cyber security requirements throughout the entire supply chain
And last but not least, cyber security compliance will be legally enforced but, beyond that, you will have to integrate those activities in your organization for reducing the risk of being hacked and pushed out of market due to critical cyber incident which could have a critical impact on your business.
How CertX can support your roadmap for compliance
As a recognized certification body across the automotive industry, CertX can support your organization in several ways, depending on your maturity and position across supply chains. Below a brief summary of the services which are provided by our Cyber Security Team:
- Educationnal support for engineers and managers
- Awareness training: tailored sessions / workshops on cyber security related activities and technics for getting a strong understanding of the State-of-the-Art
- Certifiable training: ISO/SAE 21434 Automotive Cyber Security Red Belt (A-CSRB)
- Gap Analysis and pre-assessment for identifying weak spots
- Evaluation of your current compliance with ISO/SAE 21434 requirements on either organizational level (CSMS) or product level (product-specific documentation), in the persepctive of conformity with UNECE WP.29/R155
- Certifications of cyber security related target
- Those activities are pending on the official publication of the ISO/SAE 21434 planned for Q2-Q3 2021
If you have any questions about the new regulatory situations around cyber security for the automotive industry, or any other open points about how the application of relevant standards and certification could be used for compliance demonstration, please do not hesitate to contact our cyber security specialist: Kilian Marty