Status: Published as a part of WP29 document
Date: April 2020
The UNECE Recommendation on Software Update Processes is a UNECE initiative to provide a secure and standardized way for OTA updates to take place, while keeping the involved parties certified for that exact process. Because of heavy governmental involvement, the text has been modified repeatedly in response to issues raised by stakeholders (e.g., industry alliances, original equipment manufacturers, standardization bodies, government agencies). The requirements and text were approved and published in June 2020 on the UNECE / WP.29 website.
As stated in the official documents, the security aspects of software updates are part of the “Recommendation on Cyber Security of the UNECE Task Force on Cyber Security and Over-the-air issues of the Working Party on Automated/Autonomous and Connected Vehicles (GRVA) under the World Forum for Harmonization of Vehicle Regulations.”
The GRVA UNECE security proposal document focuses on the secure application of software updates for connected vehicles. It has three main objectives and defines a cybersecurity scope:
- Software Management: First, and perhaps most important, is to require every vehicle manufacturer to operate a Software Update Management System (SUMS). This sets the groundwork for further cybersecurity requirements and gives the GRVA a stable foundation for inspecting software updates. An important element of the proposal is that it gives visibility of those software updates to the end users themselves, not just to service enablers or OEMs.
- Guidance for Agencies: Second, provide precise guidance on the relevant state-of-the-art technologies and current security challenges for all involved agencies at the national level (i.e., extending beyond the enterprise space). It also outlines what testing procedures, documentation, and verification processes will be required from OEMs and software developers.
- Impose Certification and Oversight: Third, building on the two previous goals, impose a further level of certification for OEMs, focused specifically on the proper management of the SUMS; the software installed on a vehicle is tracked through software identification numbers (the RxSWIN, Regulation x Software Identification Number). OEMs must obtain a “SUMS Certificate of Compliance.” This certificate is valid for at most 3 years and can be obtained only after approval by a national or regional authority, which effectively places oversight in the hands of those agencies.
- Cybersecurity Scope: The document catalogues a wide range of cyberattacks, some of them highly technical and sophisticated. Among others, it provides guidance on the following threat vectors:
  - Communication and connectivity-based attacks: messages sent with malicious intent (from or toward vehicle systems), Denial of Service (DoS), eavesdropping on and hijacking of communication channels, replay attacks, message spoofing, network designs and architectures that expose vehicle systems to known vulnerabilities, weak or entirely absent cryptographic protection, and other connection-based exploits. Mitigations focus on protecting confidential data, securing the storage of cryptographic keys and the back-end systems, preventing DDoS, and establishing secure communication channels.
  - Malware-based threats and user errors: security issues introduced by unintended actions of legitimate end users, malware carried on infected removable media introduced by end users (usually through USB or OBD ports), insecure access to online services through vehicle systems, unintended transfer of data, and so on. Mitigations focus on access control, cloud computing risks, and malware detection and prevention.
  - System and process threats: abuse of privileges and unauthorized access, manipulation of insecure telematics systems, manipulation of third-party software (hosted, introduced or downloaded by the user, or delivered through value-added services from OEMs or service enablers), data security and back-end server weaknesses that let attackers siphon data from vehicles or use back-end services to disrupt the safe operation of both critical and non-critical (e.g., infotainment) components, and physical manipulation of vehicle systems by attackers in close proximity. Mitigations focus on recovery systems, prevention of unauthorized access, maintenance procedures, software update security (integrity and authentication), and proper security controls for remote access to vehicles.
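The update integrity, authentication and anti-replay mitigations listed above, shown as an added example that is not part of the regulation text or of any OEM's implementation: a minimal signed-manifest check of the kind an ECU would run before installing an OTA package. The back end hashes the payload, serialises a manifest and signs it with Ed25519; the ECU verifies the signature before trusting anything in the manifest, checks the target ECU and payload hash, and rejects any version that is not strictly newer than what is installed, which defeats both replay of an old package and deliberate downgrade. The field names, the RxSWIN-style identifier format, the key algorithm and the firmware bytes are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the OEM back end signs for one update package.
// Field names and the RxSWIN-style SoftwareID format are assumptions for this example.
type Manifest struct {
	TargetECU  string `json:"target_ecu"`
	SoftwareID string `json:"software_id"`    // identifier of the resulting software configuration
	Version    uint64 `json:"version"`        // must strictly increase per ECU
	PayloadSHA []byte `json:"payload_sha256"` // SHA-256 of the firmware image
}

// SignedUpdate is what travels over the air: manifest bytes, signature over them, payload.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

// ECUState is the minimal per-ECU state needed for anti-rollback: the installed version.
type ECUState struct {
	ID               string
	InstalledVersion uint64
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongTarget  = errors.New("manifest is for a different ECU")
	ErrPayloadHash  = errors.New("payload hash does not match manifest")
	ErrRollback     = errors.New("version not newer than installed (replay or rollback)")
)

// BuildSignedUpdate is the back-end side: hash the payload, serialise the manifest, sign it.
func BuildSignedUpdate(priv ed25519.PrivateKey, target, swid string, version uint64, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{TargetECU: target, SoftwareID: swid, Version: version, PayloadSHA: sum[:]}
	mj, err := json.Marshal(m) // struct marshalling is deterministic, so signer and verifier agree on bytes
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// VerifyAndApply is the vehicle side. Order matters: verify the signature before
// parsing or trusting any manifest field, then the hash, then the version.
func (e *ECUState) VerifyAndApply(oemPub ed25519.PublicKey, u SignedUpdate) error {
	if !ed25519.Verify(oemPub, u.ManifestJSON, u.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return err
	}
	if m.TargetECU != e.ID {
		return ErrWrongTarget
	}
	sum := sha256.Sum256(u.Payload)
	if !bytes.Equal(sum[:], m.PayloadSHA) {
		return ErrPayloadHash
	}
	if m.Version <= e.InstalledVersion {
		return ErrRollback
	}
	e.InstalledVersion = m.Version // a real ECU persists this in tamper-resistant storage
	return nil
}

func main() {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ecu := &ECUState{ID: "BCM", InstalledVersion: 3}
	fw := []byte("constructed firmware image v4") // constructed sample payload

	good, _ := BuildSignedUpdate(oemPriv, "BCM", "RX-BCM-0004", 4, fw)
	fmt.Println("genuine v4:", ecu.VerifyAndApply(oemPub, good))
	fmt.Println("replayed v4:", ecu.VerifyAndApply(oemPub, good))
	tampered := good
	tampered.Payload = append([]byte(nil), fw...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered payload:", ecu.VerifyAndApply(oemPub, tampered))
	forged, _ := BuildSignedUpdate(attackerPriv, "BCM", "RX-BCM-0005", 5, fw)
	fmt.Println("attacker-signed v5:", ecu.VerifyAndApply(oemPub, forged))
	old, _ := BuildSignedUpdate(oemPriv, "BCM", "RX-BCM-0002", 2, fw)
	fmt.Println("downgrade to v2:", ecu.VerifyAndApply(oemPub, old))
}
```

The version counter is what turns an authenticated update into a replay-resistant one: a captured genuine package stays validly signed forever, so signature verification alone cannot reject it. The counter must live in storage the attacker cannot reset, and the OEM signing key must stay off the vehicle, otherwise the check collapses to trusting whoever holds the key.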
While this is an important and much-needed proposal for the mounting security challenges of connected vehicles, it may prove difficult to maintain over time. The second objective (providing guidance to the related agencies) is expected to be decisive for its efficiency, or lack of it, and for its overall success.
This is because the plan requires government agencies, Non-Governmental Organizations (NGOs), and the industry bodies that contribute to the proposal, such as the European Association of Automotive Suppliers (CLEPA), the International Organization for Standardization (ISO), the International Motor Vehicle Inspection Committee (CITA), the International Automotive Federation (FIA), the International Telecommunication Union (ITU), and many others, to constantly assess and, most importantly, agree on new security measures and changes to the document. Cybersecurity threats evolve constantly, targeting new systems, creating new threat vectors, and absorbing new technologies far faster than regulatory committees can analyse and digest new state-of-the-art technology, let alone pass new legislation at that pace. It nonetheless remains a key document for the automotive market.