The New UN Resolution On Automotive Cybersecurity For Dummies
July 30, 2020
What is the New UN Resolution?
Automotive cybersecurity is not a new topic but is getting more and more traction over the increase in connectivity and computerization of mobility as a whole. In January 2021 two New UN regulations on Cybersecurity and Software updates for passengers’ cars, vans, trucks, buses, trailers, and agricultural vehicles, entered into force.
The WP 29 new UN regulation lays out the baseline processes and systems to manage and deal with security concerns. It also formalizes the responsibilities and requirement for evidence to be submitted for compliance that fall primarily on the OEM. (Editor's note: The UN WP 29 has officially passed the UNECE R155 automotive cybersecurity regulation that will go into effect in July 2024. Click here to read more about UNECE R155.)
This regulatory requirement is not to be confused with ISO21434, which is the new joint standard between ISO/SAE regarding vehicle cybersecurity. The two are not mutually exclusive though they are similar in some ways.
There are 2 new key aspects to this new UN Regulation:
The regulation applies to the entire vehicle lifecycle. From establishing a security management system, change management, to fleetwide monitoring of incidents. This means that the standard itself applies to the whole organization and subsequently its suppliers. There is a strong emphasis on not only being able to identify and manage security risks but also being able to specifically test and provide the evidence for it. In other words, it would be intertwined with the development and quality assurance processes as well. This would be an iterative process as a weak component may end up compromising the entire vehicle.
Wide And Fast Adoption
The regulation is to be adopted in the UE from 2022 and be mandated by 2024, there is also the intention of adoption by South Korea and Japan. Regardless of what other nations will decide and when the automotive industry is an export-driven global market. All major OEMs will have to comply sooner rather than later.
We’ve now reached a point where security is a safety concern, it was only a matter of time for regulation and legislators to step in and create a baseline that all vehicles must comply with. As security assurance is not the sum of its parts, a systematic approach is needed from the concept phase and up to post-deployment on the vehicle level.
What Does This All Mean?
Annex 5 is perhaps the best representation of what is to be expected. Although it is incomplete and cannot be applied to every system, it is a comprehensive list of things to be taken into account when designing or changing any system. What this effectively means is that the OEM and every automotive supplier must conduct and produce evidence for an assessment and its conclusions for their scope of work. The OEM must compile all the information, conduct an assessment of its own, and undergo an evaluation by a body of authority.
The next generation of E/E architectures and its ECUs are in the planning phase right now and are expected to be deployed within 2-5 years. The rather short adoption time frame means that OEMs and suppliers need to prepare for compliance immediately. Since the regulation encompasses the entire vehicle from its inception, it would be nearly impossible to go back and fix violations as it may be inherent to the design.
What Does This Have to do with GuardKnox?
GuardKnox brings the automotive market the freedom to evolve. Mixed-criticality platforms, the company's signature, cannot exist without security as its foundation. With its roots in defense aviation, security by design has always been an integral part of all offerings.