Impact of UNECE regulations for the Automotive Industry | SecurAcademy Webinar 9 April 2020

On April 9, 2020 we hosted our "Impact of UNECE Regulations for the Automotive Industry" webinar, where our Team Lead Security Certifications, Razvan Venter, discussed the new UNECE Regulations and how they will impact the automotive industry. Due to the large number of attendees, there were more questions than time allowed, so we have added a Q&A below. Should you still have any remaining questions, please contact info@secura.com

--- 

UNECE, the international regulatory body for vehicles, has been working in the past 2 years on drafting first versions of Cybersecurity and Software Updates regulations for vehicle manufacturers. These regulations are expected to be published in 2020 and enter into force in 2021. 

From the moment of entry into force, vehicle manufacturers will need to demonstrate compliance with these regulations in order to place their vehicles on the markets governed by UNECE (including the EU, North America, part of Asia, etc.). The impact of these new regulations could be considerable, particularly for manufacturers that are not well prepared in advance concerning what to expect and what needs to be updated to ensure compliance, especially from a development process perspective. 

As the automotive industry relies heavily on Tier 1 and Tier 2 suppliers, the relationships with these suppliers will also need to be considered in order to ensure compliance. The remaining time is short and an efficient approach is key for a good outcome. 

This webinar will provide an overview of the most important requirements under the new regulations, while at the same time zooming in on the specific implications that vehicle manufacturers could expect and should consider. Moreover, as Secura has hands-on experience with conducting audits under these upcoming regulations, a summary of possible issues which can be encountered will be provided.

INTENDED AUDIENCE

•  Policy and regulatory compliance responsible persons
•  Internal process owners (focused on Cybersecurity and Software Updates)
•  Cybersecurity and Software updates architecture developers
•  Supply chain responsible persons

AGENDA

1. Summary of UNECE Cybersecurity regulation scope and requirements
2. Summary of UNECE Software Updates regulation scope and requirements
3. Likely impact of the requirements on vehicle manufacturers
4. Lessons learned after conducting full audits
5. Timeline and next steps towards entry into force

Curious about our other webinars? Visit: https://www.secura.com/webinars

Q&A 

Thank you for all your questions during the webinar; we have received quite a few! Our presenter Razvan Venter answered all of them below. They are ordered by when they were asked during the webinar.

Should you still have any remaining questions, please contact info@secura.com

Is North America part of the UNECE Regulations too?
North America is currently not part of the 1958 agreement, therefore it will not be impacted in the first instance by these regulations. However, US OEMs that plan to sell vehicles in any of the countries under the regulation need to demonstrate compliance with the requirements of the regulations.

You do not mention the ISO 21434 standard; is it mandatory?
The intention of the regulations is not to mandate ISO 21434, therefore this standard was not explicitly mentioned in the presentation. However, creation of a CSMS in line with the requirements of ISO 21434 represents a very good start in achieving compliance with the requirements of the regulation.

What role does the ISO/SAE 21434 standard play in this upcoming UN ECE regulation framework?
The regulation does not mandate the use of ISO 21434. It is designed to be as flexible as possible in allowing OEMs to define their compliance. That being said, ISO 21434 represents a very valuable source for defining a standardized CSMS. Many of the requirements in the regulation can be made compliant easily by having a CSMS implementation based on ISO 21434.

Is it possible for the authorities to remove a type approval during the life cycle of a vehicle which has been type approved at the beginning of its serial life?
Authorities are allowed to remove a granted type approval in case it is determined that a sample vehicle is not compliant with the approved type-specific requirements.

How many years after end of production is it mandatory to provide support under this regulation?
This topic is still under discussion within the UNECE groups in order to arrive at a concrete number of years. This will very likely be included in the final version of the regulation. At the same time, a CSMS certificate is valid for 3 years, therefore after 3 years an OEM needs to go through the CSMS assessment once again in order to maintain the certificate. 

Does the SW updates regulation also define wired updates with DiagTool + OBD port?
There is no mandate that SW updates are performed via the OBD port of the vehicle, for example. The regulations are intended to be at this point flexible, allowing for multiple possible deployment scenarios.

How can the customer or user verify the type approval or the latest software update in the vehicle?
There is a requirement that asks for the software versions to be readable in the vehicle. There could be multiple ways to make these versions readable, depending on the type implementation. Secura is happy to discuss further with your organization on this topic!

Does the current wording of the Cybersecurity Regulation permit third parties to get secure direct access to in-vehicle data?
There is no specific requirement in the regulation that does not allow third parties to get access to in-vehicle data. That being said, the actual interface through which the access is made needs to have sufficient security controls implemented to avoid all applicable security risks.

Do you have any ideas about the additional resources required by the OEMs to make them compliant with this UNECE Cyber regulation?
Resources required by the OEMs depend on several factors: the awareness of the requirements in the new regulations, the complexity of possible processes that need to be updated and finally the experience of the internal security teams which are in charge of defining correct processes and sufficient controls. Secura is happy to discuss further with you concerning the current situation in your organization, and determine the additional needs in meeting the requirements of the regulations!

How do this regulation and compliance impact vehicle insurance? Is any fault from these security controls/measures covered by insurance?
The regulations are not directly linked with insurance topics. The regulations are mandatory in order for an OEM to place their vehicles in one of the countries in which the regulations are in force.

According to my information, NAR is currently not affected by CS/SUMS, but China has been added. Do you have further information?
The first countries in which the regulation will be enforced are the members of the 1958 agreement. These countries can be seen at this link https://en.wikipedia.org/wiki/World_Forum_for_Harmonization_of_Vehicle_Regulations#Participating_countries

How will the regulation be adopted at the national level regulations and how will they be enforced?
Each country in which the regulations will be adopted (starting with the countries that are members of the 1958 agreement) will define an Approval Authority. These Approval Authorities will be in charge of assessing the CSMS and Vehicle Type applications. Once an approval is granted in a country, it is in principle mutually accepted in the other countries that enforce the regulation.

About the possible impact on manufacturers, based on your experience, which method(s) are usually used for keeping track of SW versions?
There could be multiple ways to be compliant with the requirement of SW versions management. These differ from OEM to OEM and unfortunately we cannot provide concrete examples here, as they would disclose sensitive implementations. We are happy to discuss with your organization further on this topic!

What would be the application date of these two regulations?
Currently the date of entry into force has not been decided. However, the intention is to publish these regulations in 2021. From that moment, there could be differences between various countries on when the regulations enter into force, and transition periods could be introduced.

What happens with cars in the field that were type approved before 2021 or between 2021 and 2024, when an SW update affects their homologation?
The final version of the SW updates regulation will include a clear delimitation of the vehicle types which are impacted by the regulation. This delimitation will clearly include the particular years starting from which a vehicle type will be in the scope of the regulations. Currently these details are being finalized within the task force.

Is the draft text of the regulations or supporting documents available anywhere?
The drafts are currently only circulated in the drafting group within UNECE. 

Is it safe to say that, as the regulations are defined until now, they will not prevent software manipulation but only provide a form of documentation?
One requirements category in the Software Updates regulation refers to the security of the software updates while transferred from the back-end to the vehicle. Therefore, protection against manipulation is in the scope of the regulations - both from a process (documentation) point of view, as well as for the vehicle type demonstration.

The regulation does not provide clear pass/fail criteria. What are your thoughts on the harmonized way of conducting assessment/test?
Currently within the UNECE task force, there is a separate group that aims at creating a so-called "Interpretation Document", aimed especially at providing such criteria and harmonized assessment guidance. RDW was part of this effort last year, together with Secura. We are happy to discuss further with you on this topic!

If you have any remaining questions, please contact us at info@secura.com

© Secura 2020