THE NEW UN RESOLUTION ON AUTOMOTIVE CYBERSECURITY FOR DUMMIES

WHAT IS THE NEW UN RESOLUTION?

Automotive cybersecurity is not a new topic but is getting more and more traction over the increase in connectivity and computerization of mobility as a whole. The new UN regulation lays out the baseline processes and systems to manage and deal with security concerns. It also formalizes the responsibilities, which is primarily of the OEM, and evidence to be submitted for compliance.

This regulatory requirement is not to be confused with ISO21434, which is the new joint standard between ISO/SAE regarding vehicle cybersecurity, the two are not mutually exclusive.

There are 2 new key aspects to this new UN Regulation:

        1. 1) SECURITY LIFECYCLE

The regulation applies to the entire vehicle lifecycle. From establishing a security management system, change management, to fleetwide monitoring of incidents. This means that the standard itself applies to the whole organization and subsequently its suppliers. There is a strong emphasis on not only being able to identify and manage security risks but also being able to specifically test and provide the evidence for it. In other words, it would be intertwined with the development and quality assurance processes as well. This would be an iterative process as a weak component may end up compromising the entire vehicle.

  1. 2) WIDE AND FAST ADOPTION

The regulation is to be adopted in the UE from 2022 and be mandated by 2024, there is also the intention of adoption by South Korea and Japan. Regardless of what other nations will decide and when the automotive industry is an export-driven global market. All major OEMs will have to comply sooner rather than later.

but why?

We’ve now reached a point where security is a safety concern, it was only a matter of time for regulation and legislators to step in and create a baseline that all vehicles must comply to. As security assurance is not the sum of its parts, a systematic approach is needed from the concept phase and up to post-deployment on the vehicle level.

WHAT DOES THIS ALL MEAN?

Annex 5 is perhaps the best representation of what is to be expected. Although it is incomplete and cannot be applied to every system, it is a comprehensive list of things to be taken into account when designing or changing any system. What this effectively means is that the OEM and every automotive supplier must conduct and produce evidence for an assessment and its conclusions for their scope of work. The OEM must compile all the information, conduct an assessment of its own, and undergo an evaluation by a body of authority.

The next generation of E/E architectures and its ECUs are in the planning phase right now and are expected to be deployed within 2-5 years. The rather short adoption time frame means that OEMs and suppliers need to prepare for compliance immediately. Since the regulation encompasses the entire vehicle from its inception, it would be nearly impossible to go back and fix violations as it may be inherent to the design.

WHAT DOES THIS HAVE TO DO WITH GUARDKNOX?

GuardKnox brings the automotive market the freedom to evolve. Mixed-criticality platforms, the company's signature, cannot exist without security as its foundation. With its roots in defense aviation, security by design has always been an integral part of all offerings.

GuardKnox has also partnered with industry leaders in order to bring customers a complete solution for off-vehicle requirements such as Palo Alto Networks© for a full end to end cybersecurity solution and DXC Technologies for cybersecure Fleet Management Systems (FMS), real-time monitoring, and in-depth analysis of security-related events. 

GuardKnox is pleased to announce that we as a company as well as all product development is compliant with the new UN regulation.

 

additional resources: 

1) The UN Proposal

2) United Nations Economic Commission for Europe PR

3) The Wall Street Journal's POV

4) Institute of Electrical and Electronics Engineers POV

5) The perspective from Japan Times