Thanks for checking out our first blog in a series focused on UNECE WP.29 automotive regulations. WP.29 is a lot to digest so here we'll break it down for those with limited knowledge to shed light on what the regulations are, who they affect and why they are important. In our follow up posts we will dive into actionable recommendations on what OEMs can do to future proof the cybersecurity aspects of their Software Update Management Systems (SUMS).
Cyber Attacks: A Threat Against Privacy
One of the largest cybersecurity breaches in modern history occurred in December of 2020 when malware was hidden in a legitimate software update rolled out by Texas-based IT management software firm SolarWinds.
Masked as a part of the update, the malware resulted in a successful software supply chain attack, leading to extensive stolen data across multiple companies, including the US Government, rendering the data of 18,000 of their customers vulnerable to the malicious actors.
This devastating attack can happen to any company in any industry. Evaluation of vulnerabilities and the protection against threats of cyberattacks is imperative for companies as much as it is for the customers they serve.
Such a breach can result in stolen data, compromised software, or fraud to name a few. However in the automotive sector, the aftermath of cyberattacks can cost automakers not only their reputations, but an estimated $24 billion in losses by 2024 (according to Upstream Security), as well as potentially putting the lives of their customers in danger.
WP.29 Regulations and the Future of Connected Vehicles
As OEMs, both established and newer EV companies, continue to endeavor on an automotive digital transformation to bring together technological advancement with customer demand, they are at the intersection where hardware meets software -- and the keys to success relies on an ability to keep these software systems on wheels continuously updated and secure.
Understanding the dangers of what can happen to victims of automotive software attacks, both companies and drivers on the road, the UNECE (United Nations Economic Commission for Europe) has adopted regulations outlining requirements for automotive cybersecurity specifically around software supply chains and OTA (Over-the-Air) software update management systems.
What is WP.29?
The World Forum for Harmonization of Vehicle Regulations, or WP.29, is a regulatory forum within the UNECE (United Nations Economic Commission for Europe), responsible for technical regulations that promote safety within the automotive industry.
WP.29 has jurisdiction in 54 countries, though the ripple effects of the new regulations are anticipated to impact over 20 million vehicles worldwide in over 60 countries, not including commercial vehicles.
OEMs will be wholly responsible for adhering to the policies in order to obtain vehicle approval. This presents a major challenge for existing OEMs who often rely on software supply chain partners. With only 10-30 percent of vehicle software being developed in house, OEMs will be required to verify that all outsourced technology from external suppliers also comply with the new regulations. Failure to adhere to WP.29 standards could result in trade barriers and other post-production complications.
The adoption of the new WP.29 regulations took place in June 2020 with a compliance deadline of July 2024 for existing OEMs and 2022 for newer vehicle design series. The new cybersecurity and software update regulations require control processes to be implemented across four distinct areas:
- Cyber risk management protocols
- Vehicle design security to mitigate supply chain risks
- Detection and response protocols
- Whole vehicle life software updates
Therefore an evaluation of how the vehicle's software portfolio and strategy that addresses these four areas today will be vital for the OEM’s future success and ongoing WP.29 compliance.
Potential Areas of Attack
Cyber attacks come in many different forms. They can be passive, such as eavesdropping via telecommunications systems, or active, such as uploading malware that prevents emergency brakes from engaging. In the past, attack routes on vehicles were predominantly physical, yet advancements in modern connected vehicles have increased the surface attack area, creating new remote attack threats OEMs must be cognizant vigilant about.
In anticipation of such new potential attacks, the new WP.29 regulations include a list of seven key vulnerabilities and over 69 attack methods covering:
- Backend Servers
- Vehicle Communication Channels
- Vehicle Update Procedures
- Unintended Human Actions
- External Connectivity and Connections
- Vehicle Data/Code
- Areas Vulnerable Due to Insufficient Firewalls and Hardening
OEMs must have protocols and security procedures in place to address all the areas listed in Annex 5 of the regulations to receive vehicle approval.
How is Sibros Relevant?
As mentioned earlier, manufacturers will remain responsible for cybersecurity and whole life software updates after the vehicle is sold. Failure to maintain a secure software update system can lead to recalls, damage an automaker’s brand or lead to potential lawsuits and legal issues. OEMs have to implement a way to perform frequent and secure software updates to their entire fleet over the whole life of each vehicle.
Sibros’ Deep Connectivity Platform is a complete connected vehicle solution for full vehicle OTA software updates and data collection to remedy software bugs, avoid recall campaigns, optimize fleet health and improve vehicle functionality across its entire life cycle.
Designed from the ground up with safety and security in mind, the platform offers pre-built features and system considerations to help OEMs ensure WP.29 compliance for SUMS (Software Update Management Systems). The Sibros’ platform also utilizes Uptane, an open source cybersecurity framework for protecting OTA software updates, backed by the US Department of Homeland Security (Note: Sibros is a member and contributor to the Uptane Project).
Be sure to keep an eye out for the next blog in our series on WP.29 Regulation Structure, diving into the Cybersecurity and Cybersecurity Management Systems and Vehicle Type approvals to be compliant with the new regulations.