The increasing threat of cyber-attacks against vehicles has led to the recent approval by the World Forum for the Harmonization of Vehicle regulations (WP.29) of the first automotive cyber security regulation in history.
In this chat, the joint chairpersons who led the development of the new regulation from the UK and Japan, Darren Handley and Dr Niikuni Tetsuya, will share their perspective on the process of drafting a vehicle cyber security regulation and how they see it impacting the industry.
Key topics and takeaways
- The story of WP.29 cybersecurity regulation from the individuals who led the process
- An updated view of Japan’s timeline
- Key implementation and enforcement challenges for national authorities
- How the interpretation document can assist the industry
Please see a summary of the Q & A session below and watch their discussion here:
Q & A With Dr Darren Handley and Dr Niikuni Tetsuya
UNR 155 & UNR 156 are regulations adopted by WP.29 for implementation by contracting parties to the UNECE 1958 agreement on vehicle regulations. Japan, as well as all EU nations and more, plan on implementing these regulations in their national legislation.
There is an auditing guideline in development (ISO/PAS 5112 – “Road vehicles — Guidelines for auditing cybersecurity engineering”) which may be used by approval authorities and/or technical services in building their own cybersecurity audit criteria.
Vehicle manufacturers are ultimately responsible for obtaining type approval and ensuring the cybersecurity of their vehicles. Tier suppliers can support the type approval efforts but they are not responsible for applying for and achieving type approval.
A vehicle’s critical elements are highly dependent on the vehicle type’s architecture. Typically, connected elements such as telematics and infotainment units constitute high cyber-risk from among common vehicle components.
ISO/SAE 21434 “Road vehicles cybersecurity engineering” is referred to multiple times in the interpretation document for UNR 155. It was developed over a similar time period and by some of the same people as UNR 155. Therefore, ISO/SAE 21434 can be seen as a useful reference implementation of some of the requirements of UNR 155 where some of the work products produced by a certified organization for ISO/SAE 21434 may be useful evidences during CSMS compliance or type approval audits. However, although sections of ISO/SAE 21434 is referred to multiple times throughout the interpretation document of UNR 155, it does not constitute the only possible implementation of an automotive CSMS.
UNR 155 does not abrogate the responsibility of the vehicle manufacturer to abide by the requirements of other system type approval requirements such as for braking systems. In order to achieve whole vehicle type approval, the vehicle manufacturer must demonstrate compliance with tens of systems. Additionally, UNR 155 requires the vehicle manufacturer to comply with regional privacy regulations such as GDPR in the European Union.
UNR 155 defines a “vehicle type” as, “…vehicles which do not differ in at least the following essential respects: (a) The manufacturer’s designation of the vehicle type; (b) Essential aspects of the electric/electronic architecture and external interfaces with respect to cyber security.”
UNR 155 requires that a vehicle manufacturer’s CSMS must “apply” to each phase of the lifecycle of the vehicle type – development, production and post-production. The regulation does not outline how many years support the vehicle type must be supported.
Once UNR 155 has gone into effect, all new vehicle type approvals must abide by the cybersecurity requirements layed out therein. Prior to July 2024, new type approvals with regards to cyber security may be permitted to demonstrate how cybersecurity was “adequately considered” during development, especially if the manufacturer’s CSMS did not apply to the entire development phase of the vehicle type. In order to demonstrate “adequate consideration” of cybersecurity, the manufacturer should develop convincing argumentation for how cybersecurity is addressed and although the CSMS was not fully applicable, cybersecurity is was still proportionatley and suitably considered and cared for. After July 2024, all first registrations, of new or existing vehicle types, will need to have obtained type approval for cyber security.
The interpretation document is not mandatory text, it is more of a guideline for the approval authorities and their technical services. For an official description of the authority of the interpretation document, please check the descriptions in Section 1 “Preamble” and Section 2 “Note regarding evidencing the requirements.”
Although nuances may exist in the enforcement of the CSMS requirements of UNR 155, organizations certified for ISO/SAE 21434 should have an easier time obtaining a CSMS certificate of compliance as opposed to an organizations that is not ISO/SAE 21434 certified. Moreover, there are references made to ISO/SAE 21434 in the draft interpretation document for UNR 155. However, it should be noted that ISO/SAE 21434 is wider in scope than UNR 155 and may consequently demand additional resources than would be required for a program focused solely on UNR 155 compliance.
Amendments to UN regulations are typically proposed by the contracting parties or the participating NGOs. For UNR 155, amendments would have to agreed at GRVA and then would come to WP29 for a final vote.
The regulation would need to be written according to the procedures of the 1998 agreement and be enforcement neutral (i.e. parts related to type approval would have to be eliminated for a GTR). The R155 and R156 have not yet been assessed to identify how this could be achieved.
Harmonization and prescription are different things. An assessment of the cyber security of a complex system (such as a road vehicle) does not lend itself to prescription unless one prescribes the design of that complex system. For a dynamically changing environment, regulating the design of a complex system can be counter-productive in terms of cyber-security, particularly if technologies are evolving at a faster pace than regulation.