UN regulations on cybersecurity and software updates

Two United Nations regulations on cybersecurity and software updates by UNECE’s World Forum for Harmonization of Vehicle Regulations, were adopted on 24th June 2020. It requires measures be implemented across 4 distinct disciplines:

• Managing vehicle cyber risks;
• Securing vehicles by design to mitigate risks along the value chain;
• Detecting and responding to security incidents across vehicle fleet;
• Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for so-called “Over-the-Air” (O.T.A.) updates to on-board vehicle software.

The regulation applies to passenger cars, vans, trucks and buses, light four-wheeler vehicles if equipped with automated driving functionalities from level 3 onwards – this covers the new automated pods, shuttles etc.; trailers if fitted with at least one electronic control unit. They will enter into force in January 2021.

Working Party on Automated/Autonomous and Connected Vehicles under the United Nations Economic Commission for Europe (UNECE) has prepared these two regulatory frameworks- 

1.UN Regulation on cybersecurity and of their cybersecurity management systems

2. UN Regulation on Software Updates and Software Updates Management Systems

Broad adoption of these regulations across the world is expected, amongst and beyond the 54 Contracting Parties to UNECE’s 1958 Agreement.

Japan has indicated that it plans to apply these regulations upon entry into force. The Republic of Korea has adopted a stepwise approach, introducing the provisions of the regulation on Cybersecurity in a national guideline in the second half of 2020, and proceeding with the implementation of the regulation in a second step. In the European Union, the new regulation on cyber security will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024.

The framework offered by the new UN Regulations is expected to speed up innovation and new economic opportunities among suppliers, IT companies, specialist niche firms and start-ups, particularly in the software development and services market.

The UN Regulation on cybersecurity and cybersecurity management system, provides a framework for the automotive sector to put in place the necessary processes to:

• Identify and manage cyber security risks in vehicle design;
• Verify that the risks are managed, including testing;
• Ensure that risk assessments are kept current;
• Monitor cyber-attacks and effectively respond to them;
• Support analysis of successful or attempted attacks;
• Assess if cyber security measures remain effective in light of new threats and vulnerabilities.

All of these will be audited by national technical services or homologation authorities.

The type approval principles under the 1958 Agreement mean that manufacturers will need to demonstrate, prior to putting vehicles on the market, that they fulfil the following requirements:

• Cyber Security Management System is in place and its application to vehicles on the road is available;
• Provide risk assessment analysis, identify what is critical;
• Mitigation measures to reduce risks are identified;
• Evidence, through testing, that mitigation measures work as intended;
• Measures to detect and prevent cyber-attacks are in place;
• Measures to support data forensics are in place;
• Monitor activities specific for the vehicle type;
• Reports of monitoring activities will be transmitted to the relevant homologation authority.

The other regulation on Software Updates and Software Updates Management Systems applies to vehicles permitting software updates of passenger cars, vans, trucks and buses; trailers; agricultural vehicles. The Regulation text is available at: https://undocs.org/ECE/TRANS/WP.29/2020/80

This regulation provides a framework for the automotive sector to put in place the necessary processes for:

• Recording the hardware and software versions relevant to a vehicle type;
• Identifying software relevant for type approval;
• Verifying that the software on a component is what it should be;
• Identifying interdependencies, especially with regards to software updates;
• Identifying vehicle targets and verifying their compatibility with an update;
• Assessing if a software update affects the type approval or legally defined parameters (including adding or removing a function);
• Assessing if an update affects safety or safe driving;
• Informing vehicle owners of updates;
• Documenting all the above.

All of these will be audited by national technical services or homologation authorities.

The type approval principles under the 1958 Agreement mean that manufacturers will need to demonstrate, prior to putting vehicles on the market, that they fulfil the following requirements:

• Software Update Management System is in place and its application to vehicles on the road is available;
• Protect SU delivery mechanism and ensure integrity and authenticity;
• Software identification numbers must be protected;
• Software identification number is readable from the vehicle;
• For Over-The-Air software updates:
  • Restore function if update fails;
  • Execute update only if sufficient power;
  • Ensure safe execution;
  • Inform users about each update and about their completion;
  • Ensure vehicle is capable of conducting update;
  • Inform user when a mechanic is needed.