Automotive Regulations & Standards
Agenda
- Regulations
- ISO/SAE 21434
- UNECE WP.29
- Standards
- ISO 31000
ISO/SAE 21434 & UNECE WP.29
- ISO/SAE 21434 Alignment: The standard is often used in conjunction with WP.29 to meet regulatory compliance, particularly for vehicle manufacturers aiming to sell in markets like the EU, Japan, and Korea.
- UNECE WP.29: The United Nations Economic Commission for Europe (UNECE) introduced WP.29 regulations, which complement ISO/SAE 21434, particularly focusing on cybersecurity and software updates for vehicles.
- International Impact: Manufacturers must meet the cybersecurity requirements of both ISO/SAE 21434 and WP.29 to ensure global compliance.
ISO/SAE 21434
- A comprehensive standard developed to address the unique cybersecurity challenges in the automotive sector.
- Defines a framework for managing cybersecurity risks throughout the lifecycle of vehicles, from concept and development to production, operation, and decommissioning.
- The standard, published in 2021, is part of a broader push to ensure that connected and autonomous vehicles are secure against evolving cyber threats.
ISO/SAE 21434 - Overview
ISO/SAE 21434: Road Vehicles – Cybersecurity Engineering
- Purpose: To establish requirements for cybersecurity risk management in the automotive industry, ensuring that all components, systems, and processes related to connected vehicles are secure.
- Scope: Addresses cybersecurity for electrical and electronic (E/E) systems within road vehicles, with a focus on the entire vehicle lifecycle, including development, production, and post-production phases.
- Industry Adoption: Major automakers and suppliers are aligning their cybersecurity practices with ISO/SAE 21434 to meet both regulatory and market demands.
URL Reference(s):
- ISO/SAE 21434:2021. ISO. (2021, August 31).
- ISO/SAE 21434: Road Vehicles - Cybersecurity Engineering. SAE International. (n.d.-b).
ISO/SAE 21434 – Key Concepts
- Risk Management Framework: The standard introduces a risk management approach, where manufacturers must identify, assess, and mitigate cybersecurity risks during all stages of a vehicle’s lifecycle.
- Security by Design: Emphasizes the integration of cybersecurity from the earliest stages of vehicle development, known as “security by design.”
- Continuous Monitoring and Updating: Cybersecurity does not end after production. The standard stresses the need for ongoing security monitoring, updates (e.g., over-the-air patches), and incident response capabilities.
ISO/SAE 21434 – Life Cycle Phases
The standard embeds cybersecurity into the entire vehicle lifecycle:
Concept Phase
- Goal: Identify and assess cybersecurity risks and threats during the initial concept stage.
- Activities:
- Threat analysis and risk assessment (TARA).
- Identification of critical assets and systems.
Development Phase
- Goal: Define, implement, and validate cybersecurity measures as part of the system design and development.
- Activities:
- Secure software and hardware development practices.
- Verification of cybersecurity controls through testing.
Production Phase
- Goal: Ensure the cybersecurity measures designed during development are effectively implemented during manufacturing.
- Activities:
- Secure supply chain management.
- Integration of security checks and audits.
Operation Phase
- Goal: Monitor and manage cybersecurity risks during the vehicle’s operational lifecycle.
- Activities:
- Regular security updates and patches (e.g., OTA updates).
- Monitoring for cybersecurity incidents or vulnerabilities.
Post-Production / End-of-Life Phase
- Goal: Address cybersecurity risks after the vehicle has been decommissioned.
- Activities:
- Secure decommissioning practices to prevent cyber threats post-vehicle use.
- Ensuring data and vehicle systems are appropriately disposed of or protected.
URL Reference:
- ISO. (n.d.).
ISO/SAE 21434 – Risk Management
Threat Analysis and Risk Assessment (TARA):
- Core to the standard is conducting TARA to evaluate potential cybersecurity risks.
- It involves identifying potential vulnerabilities, assessing their impact, and defining risk mitigation strategies.
Risk Treatment:
- Once risks are identified, manufacturers must prioritize and implement measures to address the most critical vulnerabilities.
- The standard recommends the use of cryptography, authentication, and intrusion detection systems to enhance vehicle security.
URL Reference(s):
- Effective risk management. ISO. (2021, December 7). https://www.iso.org/news/ref2773.html
- ISO/SAE 21434: Road Vehicles - Cybersecurity Engineering - Technical Standard. (n.d.). https://saemobilus.sae.org/content/iso/sae21434/
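As an added illustration (not code from the standard or from any of the sources cited on this page), the following Go program shows how a TARA result can be computed and used for prioritization: each threat scenario carries per-category impact ratings and an attack feasibility rating, a risk matrix turns them into a risk value, and the value selects a treatment option. The rating vocabulary follows ISO/SAE 21434, but the matrix numbers, the aggregation rule and the treatment thresholds are assumptions of this example, and the infotainment and gateway scenarios are constructed.

```go
package main

import "sort"
// Scales follow ISO/SAE 21434 vocabulary (impact negligible..severe, feasibility very low..high,
// both 0..3); the matrix values, aggregation rule and treatment thresholds are assumptions here.
type Rating int
const (
	Negligible, VeryLow Rating = iota, iota // impact, feasibility
	Moderate, Low
	Major, Medium
	Severe, High
)
// ThreatScenario: per-category impact (safety, financial, operational, privacy)
// of damage to an asset, plus the feasibility of the attack path realising it.
type ThreatScenario struct {
	Asset, Description                                   string
	Safety, Financial, Operational, Privacy, Feasibility Rating
}
// riskMatrix[impact][feasibility] gives a risk value from 1 (lowest) to 5.
var riskMatrix = [4][4]int{
	{1, 1, 1, 1}, // negligible
	{1, 2, 2, 3}, // moderate
	{1, 2, 3, 4}, // major
	{1, 3, 4, 5}, // severe
}
// OverallImpact takes the worst-rated category.
func OverallImpact(t ThreatScenario) (worst Rating) {
	for _, r := range []Rating{t.Safety, t.Financial, t.Operational, t.Privacy} {
		if r > worst {
			worst = r
		}
	}
	return worst
}
// RiskValue combines overall impact with attack feasibility via the matrix.
func RiskValue(t ThreatScenario) int { return riskMatrix[OverallImpact(t)][t.Feasibility] }
// Treatment maps a risk value to one of the risk treatment options.
func Treatment(risk int) string {
	switch {
	case risk >= 3:
		return "reduce" // define a cybersecurity goal and a control (authentication, IDS, ...)
	case risk == 2:
		return "share" // e.g. a contractual cybersecurity requirement on the supplier
	}
	return "retain" // accept with a documented rationale; monitor during operation
}
// Prioritize orders scenarios from highest to lowest risk value.
func Prioritize(ts []ThreatScenario) []ThreatScenario {
	out := append([]ThreatScenario(nil), ts...)
	sort.SliceStable(out, func(i, j int) bool { return RiskValue(out[i]) > RiskValue(out[j]) })
	return out
}
// SampleScenarios: constructed inputs (asset, description, S, F, O, P, feasibility), prioritized.
func SampleScenarios() []ThreatScenario {
	return Prioritize([]ThreatScenario{
		{"infotainment head unit", "paired-phone data exposed via media interface", Negligible, Negligible, Moderate, Major, Medium},
		{"gateway ECU", "forged CAN frames from a compromised head unit", Severe, Moderate, Major, Negligible, Medium},
		{"gateway ECU", "tampering through the diagnostic port in a workshop", Severe, Moderate, Major, Negligible, Low},
	})
}
```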
ISO/SAE 21434 – Security Measures
- The standard does not focus only on vehicle-level security; it also mandates cybersecurity practices at the organizational level:
- Cybersecurity Governance: Organizations must establish cybersecurity policies, governance structures, and roles within the company to ensure accountability.
- Supply Chain Security: Since many components are sourced from third-party suppliers, ISO/SAE 21434 requires strict cybersecurity standards and contracts for suppliers to ensure the whole supply chain is secure.
- Awareness and Training: Continuous education and training programs for staff are emphasized to ensure all team members are aware of and contribute to cybersecurity efforts.
ISO/SAE 21434 - Implementation
- Example 1: Implementing secure software development practices in electric and autonomous vehicles to prevent remote hacking of ECUs.
- Example 2: Conducting regular over-the-air (OTA) updates for connected vehicles to patch vulnerabilities identified in post-production.
- Example 3: Using TARA to evaluate risks for in-vehicle infotainment systems and designing defenses to mitigate them.
URL Reference:
- Home. ISO SAE 21434:2021 - Information/Cyber Security | TUV USA. (n.d.). https://www.tuv-nord.com/us/en/iso/sae-214342021-road-vehicles-cybersecurity-engineering/
ISO/SAE 21434 - Compliance
- Cybersecurity Management Systems (CSMS): Automakers must implement a CSMS to comply with ISO/SAE 21434, focusing on security governance, incident response, and continuous monitoring.
- Risk Management Tools: Software tools that help automate TARA, vulnerability scanning, and risk assessment.
- Security Testing: Regular penetration testing, vulnerability assessments, and “fuzz testing” to evaluate cybersecurity controls.
ISO/SAE 21434 - Conclusion
- ISO/SAE 21434 is a foundational standard for ensuring the cybersecurity of modern vehicles.
- By incorporating cybersecurity into every phase of the vehicle lifecycle, it provides a robust framework for managing risks associated with connected and autonomous vehicles.
- As automobility cybersecurity continues to evolve, this standard will play a crucial role in guiding the automotive industry’s approach to secure vehicle design, production, and operation.
URL Reference(s):
- ISO/SAE 21434 for Automotive Cybersecurity. Synopsys. (n.d.). https://www.synopsys.com/designware-ip/technical-bulletin/iso-sae-21434-automotive-cybersecurity.html
Questions / Case Study
- How does ISO/SAE 21434 help automakers address and manage cybersecurity risks?
- How does ISO/SAE 21434 ensure cybersecurity is maintained throughout a vehicle's entire lifecycle?
- What is the role of TARA in identifying and mitigating cybersecurity vulnerabilities in vehicles?
- What organizational and supplier-related challenges arise when implementing this standard?
Case Study Activity:
- Scenario: A cybersecurity breach affects an autonomous vehicle's navigation.
- Task: Develop an incident response plan using ISO/SAE 21434 guidelines.
UNECE WP.29
- A regulatory framework established by the United Nations Economic Commission for Europe (UNECE) to address a broad spectrum of vehicle regulations, including safety, environmental standards, and cybersecurity.
- In response to the growing complexity of connected and autonomous vehicles, WP.29 now includes regulations on cybersecurity and software updates.
- These regulations are critical for ensuring the security and integrity of road vehicles as they become increasingly reliant on electronic systems and connectivity.
UNECE WP.29 - Overview
- World Forum for Harmonization of Vehicle Regulations (WP.29).
- Established: WP.29 was established in 1952 and operates under the UNECE.
- Purpose: To develop international regulations for vehicles that are accepted and applied by multiple countries. The focus is on safety, environmental protection, energy efficiency, and most recently, cybersecurity and software updates for connected and autonomous vehicles.
- Scope: WP.29 applies to all types of road vehicles, including passenger cars, trucks, buses, and motorcycles, and addresses both cybersecurity and Over-The-Air (OTA) software updates.
URL Reference:
- Vehicle regulations | UNECE. (n.d.-b). https://unece.org/transport/vehicle-regulations
UNECE WP.29 – Key Concepts
Cybersecurity Management System (CSMS)
- Definition: A structured framework that ensures vehicles are designed, manufactured, and maintained in compliance with cybersecurity requirements throughout their lifecycle.
- Core Principles:
- Threat Analysis and Risk Assessment (TARA): Manufacturers must conduct thorough threat assessments and risk evaluations as part of the cybersecurity process.
- Incident Response and Monitoring: Continuous monitoring of cybersecurity events and proactive measures to prevent incidents.
- Post-Production Support: A clear procedure for managing cybersecurity risks after vehicles have been sold, ensuring long-term vehicle security through updates and monitoring.
URL Reference:
- Proposal for a new UN Regulation on uniform ... - UNECE. (n.d.-b). https://unece.org/fileadmin/DAM/trans/doc/2020/wp29grva/GRVA-06-02r1e.pdf
Software Update Management System (SUMS)
- Definition: A framework that ensures the secure management of software updates for road vehicles, with a focus on preventing updates from introducing security vulnerabilities.
- Core Elements:
- Integrity and Authentication: Ensuring all software updates are authentic and have not been tampered with.
- OTA Updates: Regulations specify secure methods for applying OTA updates without compromising vehicle security.
UNECE WP.29 - Regulation
- UN Regulation No. 155: Cybersecurity and Cybersecurity Management Systems (CSMS)
- Purpose: To ensure that all vehicle manufacturers implement a Cybersecurity Management System (CSMS) that provides for the cybersecurity of vehicles throughout their lifecycle, from design and production to post-production.
- Requirements:
- Manufacturers must identify, assess, and mitigate cybersecurity risks at every stage of a vehicle’s lifecycle.
- Cybersecurity controls must be implemented in the design and production phases.
- Continuous monitoring of cybersecurity risks and vulnerabilities.
- Manufacturers must have procedures in place for incident detection, response, and recovery.
URL Reference:
- R155e (2).pdf. UNECE. (n.d.-a). https://unece.org/sites/default/files/2023-02/R155e%20(2).pdf
- UN Regulation No. 156: Software Update Management System (SUMS)
- Purpose: To regulate how software updates are managed in connected vehicles, ensuring that updates (including over-the-air, OTA) do not introduce new cybersecurity risks.
- Requirements:
- Manufacturers must implement a Software Update Management System (SUMS) that controls the process of updating vehicle software, including verifying the integrity and authenticity of updates.
- SUMS must include procedures for ensuring updates do not affect existing cybersecurity measures.
- Vehicles must be able to apply software updates securely throughout their lifecycle, with a focus on avoiding vulnerabilities during the update process.
URL Reference:
- R156e.pdf. UNECE. (n.d.-b). https://unece.org/sites/default/files/2024-03/R156e%20(2).pdf
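To show what the "integrity and authentication" requirement of a SUMS and of UN Regulation No. 156 means in practice, here is an added Go example (not from UNECE, R156 or any OEM's update system) of the vehicle-side checks on a signed update package: a pinned OEM public key verifies the manifest signature, the version must be newer than the one installed (anti-rollback), and the image digest must match the signed manifest before the update is accepted. The manifest layout, the Ed25519/SHA-256 choice and the ECU names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// Manifest and Package layouts are assumptions of this example, not an R156 format.
type Manifest struct {
	Target      string `json:"target"`       // ECU the image is for
	Version     uint32 `json:"version"`      // must increase monotonically
	ImageSHA256 []byte `json:"image_sha256"` // digest of the firmware image
}
type Package struct {
	Manifest  []byte // JSON bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // firmware image as delivered
}
// SignPackage is the OEM back-end step: hash the image, then sign the manifest.
func SignPackage(priv ed25519.PrivateKey, target string, version uint32, image []byte) Package {
	sum := sha256.Sum256(image)
	m, _ := json.Marshal(Manifest{target, version, sum[:]}) // fixed struct: Marshal cannot fail
	return Package{Manifest: m, Signature: ed25519.Sign(priv, m), Image: image}
}
// Vehicle keeps the pinned OEM public key and the installed version per ECU.
type Vehicle struct {
	OEMPub    ed25519.PublicKey
	Installed map[string]uint32
}
var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrUnknownTarget = errors.New("manifest targets an ECU not in this vehicle")
	ErrRollback      = errors.New("update version is not newer than installed")
	ErrImageHash     = errors.New("image digest does not match signed manifest")
)
// Apply verifies authenticity first, then anti-rollback, then image integrity,
// and records the new version only when every check passes.
func (v *Vehicle) Apply(p Package) error {
	if !ed25519.Verify(v.OEMPub, p.Manifest, p.Signature) {
		return ErrBadSignature // nothing in the manifest is trusted before this
	}
	var m Manifest
	if err := json.Unmarshal(p.Manifest, &m); err != nil {
		return err
	}
	cur, ok := v.Installed[m.Target]
	if !ok {
		return ErrUnknownTarget
	}
	if m.Version <= cur {
		return ErrRollback
	}
	if sum := sha256.Sum256(p.Image); string(sum[:]) != string(m.ImageSHA256) {
		return ErrImageHash
	}
	v.Installed[m.Target] = m.Version // the actual flashing step would go here
	return nil
}
```

The check order is deliberate: a forged or unknown signer is rejected before any manifest field is parsed, and a replayed or downgraded package is rejected even though its signature is genuine.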
UNECE WP.29 – Compliance
WP.29 requires vehicle manufacturers to implement and maintain both CSMS and SUMS to comply with cybersecurity and software update regulations. Key compliance requirements include:
Documentation and Certification
- Manufacturers must maintain detailed documentation of their cybersecurity and software management practices.
- They must demonstrate compliance through certification from relevant authorities, such as type-approval authorities in participating countries (e.g., the European Union).
- Certifications must be periodically reviewed and updated as part of an ongoing compliance process.
Ongoing Monitoring and Risk Management
- Cybersecurity is not a one-time implementation but requires continuous monitoring of the vehicle’s ecosystem to identify and address potential vulnerabilities.
- Manufacturers must have processes in place for threat detection, incident reporting, and vulnerability management.
UNECE WP.29 – Impact
WP.29 is recognized by over 60 countries, including the European Union, Japan, and South Korea, making it a globally harmonized framework for vehicle regulations.
Harmonization with ISO/SAE 21434: WP.29 regulations work in tandem with the ISO/SAE 21434 standard to provide a unified approach to automotive cybersecurity.
While ISO/SAE 21434 defines the technical framework for cybersecurity, WP.29 outlines the regulatory and compliance aspects.
URL Reference:
- Vehicle regulations | UNECE. (n.d.). https://unece.org/transport/vehicle-regulations
- https://unece.org/sites/default/files/2021-01/GRVA-08-23e.pdf
UNECE WP.29 – Implications
WP.29 has profound implications for the global automotive industry, especially as it relates to connected and autonomous vehicles.
Key highlights include:
- Vehicle Compliance for Global Markets: Manufacturers must comply with WP.29 to sell vehicles in regulated markets, such as the EU, Japan, and South Korea.
- Impact on Supply Chains: Vehicle manufacturers must ensure that all suppliers involved in vehicle software, electronics, and cybersecurity also comply with WP.29 standards.
- Cost of Compliance: Implementing and maintaining CSMS and SUMS requires significant investment in cybersecurity infrastructure, processes, and personnel. However, failure to comply can result in fines, market access issues, and potential liability for cybersecurity incidents.
UNECE WP.29 – Implementation
- Toyota: Implemented CSMS and SUMS in its vehicle design and production processes. The company continuously monitors the cybersecurity of its connected vehicles through both internal and external security audits.
- Volkswagen: Aligned its cybersecurity processes with WP.29 by introducing new software development and update management practices that prioritize cybersecurity. The company’s vehicle update process ensures compliance with SUMS.
- Ford: Established a cybersecurity operations center to monitor threats and implement security patches, aligning its processes with WP.29 to ensure regulatory compliance in its global markets.
UNECE WP.29 – Conclusion
UNECE WP.29 is a crucial regulatory framework for ensuring the cybersecurity and safe operation of modern connected and autonomous vehicles.
By focusing on both cybersecurity management systems (CSMS) and software update management systems (SUMS), the regulation provides a robust, standardized approach to managing the security of vehicles throughout their lifecycle.
For automakers and suppliers, complying with WP.29 is critical to maintaining access to global markets and ensuring the long-term security of their products.
Questions / Case Study
- How will WP.29 impact automobility cybersecurity jobs and the skills required for future professionals?
- What challenges might automakers face when implementing CSMS and SUMS?
- How does WP.29 compare with other regional regulations, such as those in the U.S.?
Case Study Activity:
- Analyze a real-world example of a cybersecurity breach in a connected vehicle and evaluate how WP.29 regulations might have helped prevent or mitigate the breach.
- Research and present how a specific automaker (e.g., Toyota, Ford, or Volkswagen) is adapting to WP.29’s cybersecurity regulations.
ISO 31000
- An international standard for risk management (2018).
- Provides a consistent methodology for risk assessment and management across industries.
- Is not industry-specific: it applies to any public, private, or community entity and is adaptable to all sectors.
- Provides best practices for identifying, managing, and treating risks.
- Intended to support decision-making at strategic, operational, and project levels.
URL Reference:
- Wikimedia Foundation. (2024, August 26). ISO 31000. Wikipedia. https://en.wikipedia.org/wiki/ISO_31000
- Risk: The “effect of uncertainty on objectives,” encompassing both positive and negative consequences.
- Stakeholder: Any individual or group that can affect or be affected by a decision or activity.
- Risk Management Framework vs. Process:
- Framework: Foundations for designing, implementing, and improving risk management.
- Process: Application of management policies to identify and evaluate risks.
URL Reference:
- Wikimedia Foundation. (2024, August 26). ISO 31000. Wikipedia. https://en.wikipedia.org/wiki/ISO_31000
- Key Elements:
- Policy and objectives for risk management.
- Accountabilities, processes, and resources.
- Use of the PDCA (Plan-Do-Check-Act) cycle for continuous improvement.
- Steps:
- Establishing the context.
- Risk identification, analysis, and evaluation.
- Risk treatment, monitoring, and review.
- Communication and consultation.
URL Reference:
- Wikimedia Foundation. (2024, August 26). ISO 31000. Wikipedia. https://en.wikipedia.org/wiki/ISO_31000
Ways to Address Risk:
- Avoiding the risk.
- Accepting or increasing risk for opportunities.
- Reducing or removing the risk.
- Sharing the risk (e.g., through contracts or insurance).
- Retaining the risk by informed decision.
URL Reference:
- Wikimedia Foundation. (2024, August 26). ISO 31000. Wikipedia. https://en.wikipedia.org/wiki/ISO_31000
- Key Considerations:
- Align ISO 31000 with existing governance frameworks.
- Embed risk management into all organizational processes, including supply chains.
- Establish risk management policies and reporting structures.
- Challenges:
- Re-engineering existing practices to fit the ISO 31000 framework.
- Ensuring senior management accountability.
- Embedding risk management in decision-making processes across all levels.
URL Reference:
- Wikimedia Foundation. (2024, August 26). ISO 31000. Wikipedia. https://en.wikipedia.org/wiki/ISO_31000
- Key Points:
- Requires adaptation and harmonization with existing systems for effective use.
- Criticized for vague language in some areas.
- Not designed for certification purposes.
- Summary:
- Provides comprehensive guidance for risk management.
- Effective for integrating risk management into all organizational levels.
- Requires commitment from leadership and alignment with existing systems.
Call to Action: Consider how ISO 31000 can improve an organization’s risk management practices.
URL Reference:
- Wikimedia Foundation. (2024, August 26). ISO 31000. Wikipedia. https://en.wikipedia.org/wiki/ISO_31000