New UN regulations for cybersecurity and software updates in the automotive industry

The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) is a working party of the United Nations Economic Commission for Europe (UNECE) and is tasked with creating a harmonized regulatory system for vehicle engineering for the promotion of international trade. The working party has now issued new regulations in order to address the growing risks arising from the trend towards connected and digitized vehicles. Core elements of the new regulations include requiring the introduction of a management system for cybersecurity in automotive and creating a legal framework for remote updates (over-the-air, or OTA, updates).

The timetable for introduction of the new regulations is short: they are scheduled to officially take effect in Japan as early as January 2021. South Korea is planning to implement them gradually, beginning in the second half of the year. In the EU, the regulations are to be introduced beginning in July 2022 and will become binding starting in July 2024 as part of the process for approval of new vehicles (homologation). However, since the new regulations go far beyond the existing requirements with regard to cybersecurity in vehicles, automotive manufacturers should waste no time adapting to these new developments. This also applies to automotive suppliers, as it is to be expected that automotive manufacturers will (be required to) enforce the new requirements in their supply chains as well.

Requirements with respect to cybersecurity

Under the supervision of the competent authorities, manufacturers of relevant vehicles will be required to ensure, among other things, the following:

  • establishment and availability of a cybersecurity management system for vehicles in road traffic;
  • performance of a cybersecurity risk analysis and identification of critical risks;
  • mechanisms for reduction of identified cyber-risks;
  • documentation of functioning risk management mechanisms;
  • measures to identify and prevent cyberattacks;
  • measures to support IT forensics in case of cyberattacks;
  • continuous monitoring of specific types of cybersecurity incidents;
  • reporting of cybersecurity incidents to the competent approval authority.

Requirements with respect to software updates

Closely related to the regulations for a cybersecurity management system is a UN Regulation relating to software updates and a software management system (“UN Regulation on Software Updates and Software Updates Management Systems”). These rules are designed to ensure that manufacturers are in a position to close identified security gaps and address weak points effectively and remotely. In particular, this means that manufacturers will be subject to the following requirements:

  • establishment and availability of a software update management system for vehicles in road traffic;
  • protection of the mechanism for delivering software updates, particularly ensuring integrity and authenticity;
  • protection of the software identification number and ensuring readability in the vehicle;
  • for OTA updates: a function for restoring systems in case of failed updates; ensuring that updates can only take place if the vehicle has enough power; ensuring safe execution; notifying the user of each update and when updates are successfully installed; verifying that the update can be executed prior to installation; and notifying the user when the vehicle has to be taken in for service.
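As an added illustration (not code from the original article or from any regulation text), the following Go program models the pre-installation gates in the last bullet: a signature check on a constructed update manifest, a digest check on the image, an ECU/version compatibility check, a battery threshold, and a restore path when flashing fails. The manifest layout, its field names and the Ed25519 OEM key are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest is a constructed descriptor for this example, not a regulation-defined format.
type Manifest struct {
	SoftwareID    string   // software identification number (assumed field name)
	TargetECU     string   // ECU the image is built for
	FromVersion   string   // version the update may be applied to
	ToVersion     string   // version after a successful install
	PayloadSHA256 [32]byte // digest of the update image (integrity)
	MinBatteryPct int      // power precondition for OTA installs
	Signature     []byte   // Ed25519 signature by the OEM key (assumed PKI; authenticity)
}

// SignedBytes is the canonical byte string the OEM signs; Signature covers it.
func (m Manifest) SignedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%x|%d", m.SoftwareID, m.TargetECU,
		m.FromVersion, m.ToVersion, m.PayloadSHA256, m.MinBatteryPct))
}

// CheckUpdate enforces the gates listed above before anything is written to the ECU.
func CheckUpdate(pub ed25519.PublicKey, m Manifest, payload []byte, ecu, version string, batteryPct int) error {
	if !ed25519.Verify(pub, m.SignedBytes(), m.Signature) {
		return fmt.Errorf("authenticity: manifest signature invalid")
	}
	if sha256.Sum256(payload) != m.PayloadSHA256 {
		return fmt.Errorf("integrity: payload digest mismatch")
	}
	if m.TargetECU != ecu || m.FromVersion != version {
		return fmt.Errorf("precondition: update not executable on %s version %s", ecu, version)
	}
	if batteryPct < m.MinBatteryPct {
		return fmt.Errorf("precondition: battery %d%% below required %d%%", batteryPct, m.MinBatteryPct)
	}
	return nil
}

// Install runs the flash routine and returns the version the vehicle runs afterwards:
// ToVersion on success, the restored previous version (current) on failure.
func Install(current string, m Manifest, flash func() error) (string, error) {
	if err := flash(); err != nil {
		return current, fmt.Errorf("install failed, restored %s: %w", current, err)
	}
	return m.ToVersion, nil
}
```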

The new UN regulations make clear that the field of automotive cybersecurity will be increasingly regulated. The purpose of these regulations is to prevent the progressive digitization of vehicles from offering avenues of attack, as we are currently seeing with IoT devices and industrial systems, where attackers have the upper hand, and to create asymmetry in favor of IT security. However, this requires automotive manufacturers and their suppliers to make an enormous effort to comply with the requirements. They would therefore be well-advised to quickly come to terms with the new requirements, create processes for cybersecurity by design and begin wholesale implementation of cyber-defense strategies.
