March 23, 2021
Welcome to our second blog post in our series diving into the importance of the WP.29 regulations from the UNECE as the compliance deadline approaches for many vehicles. For a primer, check out our earlier post Breaking Down WP.29.
The two newest WP.29 regulations, UN Regulation No. 155 (cybersecurity) and UN Regulation No. 156 (software updates), address cybersecurity and software update management respectively. This should come as no surprise, as the automotive industry is undergoing a digital transformation. Paired with technological advances and customer demand for more connected features, automakers are rolling out more connected, autonomous, shared, and electrified models. With increased connectivity comes a larger attack surface and greater exposure to cyber threats.
To combat this, OEMs will be required to adhere to the new regulations in order to receive vehicle approval. Failure to comply could result in trade restrictions and approval delays. As the compliance deadline approaches in 2024, manufacturers must prepare and adapt their software strategy to the new regulations accordingly. Let’s look at the regulation structure of both.
WP.29 Cybersecurity Regulations
The first regulation requires manufacturers to implement and maintain a system that manages cybersecurity risks associated with vehicle design. As mobility shifts from its hardware-centric roots to being software-driven, vehicles with advanced connectivity capabilities can fall prey to cyber attacks.
Under the WP.29 Cybersecurity Regulation, OEMs must address security for backend servers, communication channels, software update procedures, unintended human actions, vehicle coding and data, and components susceptible to malicious attack. The regulation does not, however, specify how OEMs meet these standards, thereby allowing flexibility in technological design.
This regulation requires OEMs to address cybersecurity in two areas, each with its own approval: the manufacturer's Cyber Security Management System (CSMS) and the vehicle type itself.
Cyber Security Management Systems
Manufacturers are expected to have processes in place to identify, analyze, and protect against cyber threats for the lifetime of the vehicle, covering development, production, and post-production. The OEM must demonstrate that the threats and attack vectors listed in Annex 5 of the regulation have been considered and that mitigations are in place.
These processes must cover risk assessment and risk management, including responding to new vulnerabilities and threats that arise after production. OEMs should have a plan for addressing such novel threats in a timely manner.
Finally, manufacturers must have processes to monitor for, detect, and analyze attacks, threats, and vulnerabilities affecting their vehicles, and must show that supply chain partners and outsourced components are managed in line with the CSMS requirements.
Vehicle Type Approval
Vehicle type approval focuses on the vehicle itself rather than on the manufacturer's processes. It begins by verifying that the manufacturer has identified and protected the critical elements of the vehicle type, including software such as ADAS functions as well as hardware components and parts. Any vehicle component that could be susceptible to a cybersecurity breach must have appropriate protective measures in place.
Vehicles must also be able to detect and log attempted and successful cyber attacks and provide that data to the manufacturer's monitoring system. The vehicle type must be covered by an in-depth TARA (threat analysis and risk assessment), and OEMs are required to ensure that supplier-related risk is managed for Tier 1 and Tier 2 supplied components.
Since OEMs maintain aftermarket responsibility for the lifetime of the vehicle, they are expected to report any relevant cybersecurity attacks or monitored vulnerabilities at least once a year. They must also take appropriate action to mitigate future risks based on data analysis collected from fleet vehicles.
WP.29 Software Update Regulations
The software update regulation addresses vulnerabilities specific to Over-the-Air (OTA) software update capabilities and requires a compliant SUMS (Software Update Management System). The SUMS must protect the update delivery mechanism so that updates are secure before, during, and after delivery. This includes protecting the integrity and authenticity of the update itself and of the software identification numbers (RxSWIN) that identify the approved software configuration, and ensuring that those identification numbers can be read from the vehicle.
The SUMS must be able to identify interdependencies between ECUs, recognize update compatibility with vehicle type, assess how updates will affect driver safety, verify components that require updates, inform vehicle owners of upcoming updates, and document the entire process from start to finish.
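As an added example (not code from Sibros, and not the wire format of either regulation), the following Go program sketches the vehicle-side checks an OTA client backed by a SUMS performs before writing any image: it verifies the OEM's Ed25519 signature over the update manifest, confirms the bundle is for this vehicle type, checks each ECU image against the fitted hardware revision and the installed software version (anti-rollback), binds each image to the signed manifest by digest, and resolves the declared inter-ECU dependencies into a flash order, rejecting a bundle whose dependencies form a cycle. The manifest layout, field names, vehicle type, RxSWIN value, and firmware bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// The bundle layout is this example's own assumption, not the R156 or any OEM wire format.
type ECUTarget struct {
	ECU       string   `json:"ecu"`
	HWVersion string   `json:"hw_version"`   // hardware revision the image was built for
	SWVersion int      `json:"sw_version"`   // monotonic counter used for anti-rollback
	ImageSHA  string   `json:"image_sha256"` // binds the image bytes to the signed manifest
	DependsOn []string `json:"depends_on"`   // ECUs that must be flashed before this one
}
type Manifest struct {
	VehicleType string      `json:"vehicle_type"`
	RxSWIN      string      `json:"rxswin"` // software ID the vehicle reports once installed
	Targets     []ECUTarget `json:"targets"`
}
type InstalledECU struct{ HWVersion string; SWVersion int }
type Vehicle struct {
	Type string
	ECUs map[string]InstalledECU // inventory the vehicle can report on request
}

// Verify runs the vehicle-side checks before any image is written and returns the flash order.
func (v *Vehicle) Verify(pub ed25519.PublicKey, raw, sig []byte, images map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil || m.VehicleType != v.Type {
		return nil, fmt.Errorf("manifest unparseable or not for vehicle type %s (%v)", v.Type, err)
	}
	inBundle := map[string]bool{}
	for _, t := range m.Targets {
		cur, fitted := v.ECUs[t.ECU]
		switch {
		case !fitted || cur.HWVersion != t.HWVersion:
			return nil, fmt.Errorf("%s: not fitted, or image is for hardware %s", t.ECU, t.HWVersion)
		case t.SWVersion <= cur.SWVersion:
			return nil, fmt.Errorf("%s: version %d does not advance installed %d (rollback)", t.ECU, t.SWVersion, cur.SWVersion)
		case fmt.Sprintf("%x", sha256.Sum256(images[t.ECU])) != t.ImageSHA:
			return nil, fmt.Errorf("%s: image digest does not match the signed manifest", t.ECU)
		}
		inBundle[t.ECU] = true
	}
	// Flash order: an ECU is emitted only after every bundled ECU it depends on; a pass that
	// makes no progress means a dependency cycle, so the bundle is rejected before flashing.
	var order []string
	done := map[string]bool{}
	for len(order) < len(m.Targets) {
		progressed := false
		for _, t := range m.Targets {
			ready := !done[t.ECU]
			for _, dep := range t.DependsOn {
				if inBundle[dep] && !done[dep] { // a dependency outside the bundle stays as installed
					ready = false
				}
			}
			if ready {
				done[t.ECU], progressed = true, true
				order = append(order, t.ECU)
			}
		}
		if !progressed {
			return nil, fmt.Errorf("dependency cycle among bundled ECUs")
		}
	}
	return order, nil
}

// BuildBundle signs a constructed two-ECU bundle with a fresh key standing in for the OEM's
// signing key; the ADAS image declares that the gateway must be flashed first.
func BuildBundle() (pub ed25519.PublicKey, raw, sig []byte, images map[string][]byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	images = map[string][]byte{"gateway": []byte("gateway fw 8 (constructed)"), "adas": []byte("adas fw 12 (constructed)")}
	digest := func(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
	m := Manifest{VehicleType: "XYZ-2024", RxSWIN: "RXSWIN-0003", Targets: []ECUTarget{
		{ECU: "adas", HWVersion: "B", SWVersion: 12, ImageSHA: digest(images["adas"]), DependsOn: []string{"gateway"}},
		{ECU: "gateway", HWVersion: "A", SWVersion: 8, ImageSHA: digest(images["gateway"])},
	}}
	raw, _ = json.Marshal(m)
	return pub, raw, ed25519.Sign(priv, raw), images
}

// NewVehicle is a constructed vehicle of the matching type, one version behind on both ECUs.
func NewVehicle() *Vehicle {
	return &Vehicle{Type: "XYZ-2024", ECUs: map[string]InstalledECU{"gateway": {"A", 7}, "adas": {"B", 11}}}
}
func main() {
	pub, raw, sig, images := BuildBundle()
	fmt.Println(NewVehicle().Verify(pub, raw, sig, images)) // [gateway adas] <nil>
	images["adas"] = append(images["adas"], 0)                // payload altered after signing
	fmt.Println(NewVehicle().Verify(pub, raw, sig, images))
}
```

The signature is checked over the raw manifest bytes before they are parsed, so untrusted input never reaches the JSON decoder, and the image digests live inside the signed manifest, so altering a payload after signing is caught without signing each image separately. In a production client the public key would be provisioned into the ECU at manufacture, the version counter would be kept in tamper-resistant storage, and the flash order would additionally be gated on the vehicle being in a safe state before any write begins.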
All SUMS must also include failsafes that address the following safety concerns.
The new WP.29 measures are the first automotive regulations of their kind. The advent of connected vehicles has created a need for stricter security requirements to protect vehicles and their occupants. The cybersecurity regulation carries two approval requirements, one for the CSMS and one for the vehicle type, whereas the software update regulation focuses on the long-term ability to deliver secure OTA updates. As the technology continues to evolve, it is safe to say these will not be the last regulations aimed at mitigating cybersecurity risk.
How Sibros Can Help
Sibros can help your organization navigate the complexities of the new WP.29 regulation proposals. Our Deep Connectivity Platform was purpose built to deliver safe and secure OTA software updates and data logging that is WP.29 ready. The Sibros team will guide you through a step-by-step demonstration on how a Software Update Management System can address each key WP.29 regulation in an evidence based manner. Contact us today to inquire about setting up a WP.29 readiness workshop, led by our automotive OTA industry experts.
Stay tuned for our next blog in this series where we’ll dive into further actionable steps surrounding WP.29 Considerations and OTA System Requirements.