New UN regulations for cybersecurity and software updates in the automotive industry

Daniel Wuhrmann

The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) is a working party of the United Nations Economic Commission for Europe (UNECE) and is tasked with creating a harmonized regulatory system for vehicle engineering for the promotion of international trade. The working party has now issued new regulations in order to address the growing risks arising from the trend towards connected and digitized vehicles (PDF). Core elements of the new regulations include requiring the introduction of a management system for cybersecurity in automotive (PDF) and creating a legal framework for remote updates (over-the-air, or O.T.A. updates).

The timetable for introduction of the new regulations is short: they are scheduled to officially take effect in Japan as early as January 2021. South Korea is planning to implement them gradually, beginning in the second half of the year. In the EU, the regulations are to be introduced beginning in July 2022 and will become binding starting in July 2024 as part of the process for approval of new vehicles (homologation). However, since the new regulations go far beyond the existing requirements with regard to cybersecurity in vehicles, automotive manufacturers should waste no time adapting to these new developments. This also applies to automotive suppliers, as it is to be expected that automotive manufacturers will (be required to) enforce the new requirements in their supply chains as well.

Requirements with respect to cybersecurity

Under the supervision of the competent authorities, manufacturers of relevant vehicles will be required to ensure e.g. the following:

  • establishment and availability of a cybersecurity management system for vehicles in road traffic;
  • performance of a cybersecurity risk analysis and identification of critical risks;
  • mechanisms for reduction of identified cyber-risks;
  • documentation of functioning risk management mechanisms;
  • measures to identify and prevent cyberattacks;
  • measures to support IT forensics in case of cyberattacks;
  • continuous monitoring of specific types of cybersecurity incidents;
  • reporting of cybersecurity incidents to the competent approval authority.

Requirements with respect to software updates

Closely related to the regulations for a cybersecurity management system is a UN Regulation relating to software updates and a software management system ("UN Regulation on Software Updates and Software Updates Management Systems"). These rules are designed to ensure that manufacturers are in a position to close identified security gaps and address weak points effectively and remotely. In particular, this means that manufacturers will be subject to the following requirements:

  • establishment and availability of a software update management system for vehicles in road traffic;
  • protection of the mechanism for delivering software updates, particularly ensuring integrity and authenticity;
  • protection of the software identification number and ensuring readability in the vehicle;
  • for OTA updates: a function for restoring systems in case of failed updates, ensuring that updates can only take place if the vehicle has enough power, ensuring safe execution, notifying the user of each update and when updates are successfully installed, verifying that the update can be executed prior to installation and notifying the user when the vehicle has to be taken in for service.

The new UN regulations make clear that the field of automotive cybersecurity will be increasingly regulated. The purpose of these regulations is to prevent the progressive digitization of vehicles from offering avenues of attack, as we are currently seeing with IoT devices and industrial systems, where attackers have the upper hand, and to create asymmetry in favor of IT security. However, this requires automotive manufacturers and their suppliers to make an enormous effort to comply with the requirements. They would therefore be well-advised to quickly come to terms with the new requirements, create processes for cybersecurity by design and begin wholesale implementation of cyber-defense strategies.

[August 2020]