Over the past decade, the auto sector has undergone a digital transformation. Today virtually all vehicles come with built-in connectivity options. As in any industry with rising connectivity and digitization, cyber security risks and privacy concerns multiply, and the auto sector is no different.
In response to the computerization of modern vehicles and the new risks that change brought, WP.29, the World Forum for the Harmonization of Vehicle Regulations, began work in 2016 on a regulation that would set minimum cyber security requirements for type-approved vehicles. That work culminated in the passing of United Nations Regulation 155 in June 2020. Now, the industry is adjusting its processes, personnel, and technology capabilities to meet the new requirements.
UNR 155 establishes a new landscape of organizational and technical requirements for automakers to fulfill in order to have their vehicle types approved. Cyber-risk management in the auto sector requires a well-defined strategy including a highly organized process landscape, the recruitment or engagement of experienced cybersecurity professionals as well as the purposeful and targeted application of technical tools. For many automakers, these activities and requirements present a major challenge, outside of their core competencies. Therefore, manufacturers are ramping up their cyber security capabilities in three core areas which, over time, will enable them to achieve compliance:
Essential #1 – Structure
As a first step in their response to UNR 155, automakers are conducting evaluations of their existing process landscape and risk management policies to identify potential gaps between what exists and the requirements of UNR 155. Such gap analysis work is the common first step in identifying inadequacies and prioritizing the work going forward. Across the industry, it is clear that each manufacturer has a unique makeup of policies, processes, and procedures related to cyber-risk management that place them at vastly different stages in their pursuit of UNR 155 compliance.
The results of this initial evaluation highlight the topics that need to be addressed from the start, those that need to be harmonized or aligned with industry standards/best practices, and those where existing practice may already cover certain requirements. While some manufacturers' vehicle programs and organizations are quite advanced, others are still just familiarizing themselves with the regulation and its risk-oriented approach to cyber security management for vehicles.
Each manufacturer needs to structure its policies and processes differently according to its organizational makeup. There is no one-size-fits-all approach when it comes to developing a CSMS.
Essential #2 – Know-how
Manufacturers must be able to act on the guidance of internal audit evaluations and the needs of the cyber security program. This need increases the importance of competent personnel with the right background of knowledge and experience. Just as UNR 155 requires policy, process and procedural changes within the organization, the organization also needs to assimilate new competencies (e.g. through hiring, external engagements, internal training, etc.) in order to conduct the array of cyber security activities in a professional and consistent manner.
Given the challenges related to recruiting experienced cyber security professionals (analysts, engineers, project managers, etc.), the automotive industry, and vehicle manufacturers in particular, are utilizing a hybrid approach which draws on an array of cybersecurity-related human resources available in the market. The exact formula for each automaker differs significantly as internal considerations regarding platforms, components, budgets, policies, strategy, existing competencies etc. create unique operating environments for manufacturers.
Essential #3 – Technology
The best people and the most thoughtful policies and processes are only part of the equation. Given the dynamic nature of cyber security as an ever-changing, technical domain, manufacturers need more than just a well-thought-out process landscape and capable personnel. UNR 155 describes clear requirements around monitoring, detecting, and responding to cyber threats, vulnerabilities, and attacks. To cover such requirements, manufacturers need to consider a range of technology measures and technical tools that will ensure there are relevant data inputs, alerts regarding incidents in the field, and tools to use in case a response is needed.