New cybersecurity and software update standards in the automotive industry

Daniel Wuhrmann

The regulations developed by the World Forum for Harmonization of Vehicle Regulations (WP.29), a working group of the United Nations Economic Commission for Europe (UNECE), have been implemented at the European level in a binding manner upon publication in the Official Journal on 9 March 2021. As a result, a comprehensive and binding system of regulations for cybersecurity and software updates in the automotive sector now exists at the European level for the first time. 

As vehicles have become increasingly connected and digitized in recent years, the potential risk of cyberattacks has also grown. The new regulations are designed to counter these mounting risks.

Core elements of the new regulations are the requirements to introduce a vehicle cybersecurity management system and create a legal framework for over-the-air (OTA) updates. Since these new regulations go far beyond the existing requirements for cybersecurity in vehicles, manufacturers and their suppliers should begin preparing for these changes immediately.

Cybersecurity requirements

Manufacturers will be required to establish a cybersecurity management system (CSMS). In accordance with Section 2.3 of UN Regulation No. 155, this refers to a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks. A CSMS is a prerequisite for vehicle type approval in accordance with Section 5 of UN Regulation No. 155.

Manufacturers of such vehicles should therefore ensure the following, e.g.:

  • establishment and availability of a CSMS;
  • performance of a cybersecurity risk analysis to identify critical risks over the entire supply chain;
  • a risk assessment;
  • implementation of suitable cybersecurity measures to identify and prevent cyberattacks;
  • continuous monitoring of cybersecurity incidents for each specific vehicle type.

Since manufacturers are required to evaluate their entire supply chain, these requirements also apply indirectly to suppliers, as suppliers are often entrusted with the production of individual components which will have to satisfy the cybersecurity requirements.

Requirements with respect to software updates

Closely related to the requirements for a CSMS is the new UN Regulation concerning a software update management system.  In accordance with Section 2.5 of UN Regulation No. 156, this refers to a systematic approach defining organizational processes and procedures to comply with the requirements for delivery of software updates according to this Regulation. This system is meant to ensure that manufacturers are in a position to effectively address identified security gaps and vulnerabilities remotely.

In particular, manufacturers will therefore have to satisfy the following requirements:

  • establishment and availability of a software update management system for vehicles in road traffic;
  • procedure to identify target vehicles and ensure compatibility with the target vehicle's configuration;
  • for OTA updates: a restore function for failed updates, updates only with an adequate power supply, ensuring safe execution (even while the vehicle is in motion), notifying the user of each update and when the update is successfully installed, verifying the feasibility of the update prior to installation and notifying the user when the vehicle has to be serviced.

Conclusion and additional steps for manufacturers

Manufacturers and suppliers will be facing unique challenges as a result of the new UN regulations, which have now become binding for the first time. These new binding regulations make it clear that cybersecurity will be a subject of increasing regulation in the automotive sector and that the legal framework is narrowing. The intention is to ensure that the increasing digitization of vehicles does not create an opening for cyberattacks. Accordingly, companies would be well-advised to examine the new requirements at an early stage, create processes for cybersecurity by design and begin the comprehensive implementation of defense strategies

[March 2021]