New UNECE Regulations Paving the Way for the Automotive Industry
The UNECE (United Nations Economic Commission for Europe) has spent the past years drafting two new international regulations, one focused on Cybersecurity (UN Regulation No. 155, R155) and one on Software Updates (UN Regulation No. 156, R156).
Under the new regulations, vehicle manufacturers (OEMs) will need to satisfy the Cyber Security Management System (CSMS) and Software Updates Management System (SUMS) requirements in order to be allowed to apply for type approval of specific vehicle types. The regulations apply in all UNECE member countries that are contracting parties to the 1958 Agreement, which ensures wide global coverage. In June 2021, Secura held a webinar aimed at presenting the contents of these two regulations and their importance for the automotive domain, with over 250 people attending this interactive session. This blog post summarizes the most important topics that were discussed.
The Need for Cybersecurity and Software Updates Regulations
There are currently 135 different UNECE regulations that vehicle manufacturers need to fulfil; however, all of these focus on topics such as safety, vehicle performance, or environmental impact. In the last few years, the IoT paradigm has changed the view on the automotive ecosystem. Connected technologies such as GPS, Wi-Fi, Bluetooth, V2V, keyless entry and others have been widely introduced in common vehicles in order to enhance the driving experience and make it generally more enjoyable. As a result, modern vehicles have become endpoints in our definition of IoT. Moreover, they are connected not only to the users' mobile devices but, through smart applications, directly to broad cloud systems and, implicitly, to each other. Because the focus of the OEMs has mostly been placed on safety and performance aspects (in line with existing regulations), security vulnerabilities introduced by the available connected functions have led to a series of demonstrated attacks in recent years.
Such attacks have considerably raised the awareness of OEMs, users, and also UNECE of the need for proper regulatory requirements on cybersecurity and software updates. This need resulted in an effort to draft two new regulations focused on these topics. The drafting effort took into account the feedback and opinions of multiple OEM companies, national Approval Authorities, and specialized testing facilities.
UNECE Cybersecurity Regulation (R155) in Focus
The Cybersecurity regulation (R155) is split into two main parts: Cybersecurity Management System (CSMS) Requirements and Vehicle Type Requirements. The CSMS requirements focus on the processes to be defined and followed by the OEM during the whole life cycle of the vehicle. This covers all vehicle phases: concept, development, production, post-production, and finally decommissioning.
The list of processes required under the regulation includes the main ones that could be expected from a security point of view: definition of roles and responsibilities, security risk management and determination of the necessary controls, security testing, vulnerability analysis and incident response, post-production patch management, and supply chain interaction. All of these processes will need to be properly documented and made available to the Approval Authority during the audit. Evidence that the processes are actually applied, and that the relevant personnel are aware of their requirements, will also be audited and validated. From the point of view of the vehicle type requirements, the main focus will be the validation that the documented processes have been properly applied to each type for which approval is sought.
Two of these processes deserve particular attention, as they introduce further dependencies: risk management and supply chain interaction.
Risk Management considerations
Effective risk management is key to controlling cybersecurity threats. Processes are acceptable as long as they cover the minimum expectations, which include:
- Identification of security items and assets
- Determination of applicable threats
- Calculation of applicable likelihood and impact
- Calculation of the resulting risks and definition of security controls
- Analysis of residual risks
- Supply chain interaction considerations
Supply Chain Interaction Considerations
The automotive domain is arguably one of the domains in which supply chain dependencies are the most pronounced. This is because vehicle manufacturers usually integrate components supplied by third parties. These components include both hardware and software, for example ICs, ECUs, infotainment systems, or specific software. On top of this, modern connected vehicles also rely on cloud service providers for aspects such as OTA software updates. OEMs therefore depend heavily on the interaction with their supply chain providers. This process typically spans multiple phases, including:
- Initial selection and validation of the supplier
- Existence of proper contractual agreements
- Gathering of security evidence from the suppliers
UNECE Software Updates Regulation in Focus
The Software Updates regulation (R156) functions in a similar fashion to the one focused on cybersecurity. It combines Software Updates Management System (SUMS) requirements with vehicle type specific requirements. The required processes under R156 include, at a high level:
- Configuration management for the various software updates
- Linking the software update to specific components on the vehicle, as well as to vehicle types
- Analyzing and documenting the impact of a new software update in terms of functionality, impacted components and impacted vehicle types
- Testing and validating a new software update
- Security of the software updates delivery process
- Informing the users about relevant aspects of the update
Conclusion and Way Forward
The two new UNECE regulations came into force in January 2021. However, the different countries under the 1958 Agreement are expected to make them mandatory at slightly different dates, as this decision lies with each individual contracting party. Currently, the EU has decided to make R155 mandatory for new vehicle types starting from July 2022 (and for all newly registered vehicles from July 2024). Japan has decided that the regulations will be mandatory directly from 2021. Finally, South Korea has decided that the requirements of the regulations will become mandatory in phases, starting from 2021.
The regulations on cybersecurity and software updates address areas that were previously not in scope of international road vehicle regulations. With the increase in vehicle connectivity and the rise of associated vulnerabilities and threats, the new regulations are expected to have a positive impact on the whole ecosystem. Still, the requirements of the new regulations will oblige OEMs to have well-structured and documented processes for cybersecurity and software updates. While some of these processes might already be in place, others will require careful consideration in order to reach compliance.