UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll out of connected vehicles

The automotive sector is undergoing a profound transformation with the digitalization of in-car systems that are necessary to deliver vehicle automation, connectivity and shared mobility. Today, cars contain up to 150 electronic control units and about 100 million lines of software code (four times more than a fighter jet), projected to rise to 300 million lines of code by 2030.

This comes with significant cybersecurity risks, as hackers seek to access electronic systems and data, threatening vehicle safety and consumer privacy.

Two new UN Regulations on Cybersecurity and Software Updates will help tackle these risks by establishing clear performance and audit requirements for car manufacturers. These are the first ever internationally harmonized and binding norms in this area.

The two new UN Regulations, adopted yesterday by UNECE’s World Forum for Harmonization of Vehicle Regulations, require that measures be implemented across 4 distinct disciplines:

  • Managing vehicle cyber risks;
  • Securing vehicles by design to mitigate risks along the value chain;
  • Detecting and responding to security incidents across the vehicle fleet;
  • Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for so-called “Over-the-Air” (O.T.A.) updates to on-board vehicle software.

The regulations will apply to passenger cars, vans, trucks and buses. They will enter into force in January 2021.

Japan has indicated that it plans to apply these regulations upon entry into force. 

The Republic of Korea has adopted a stepwise approach, introducing the provisions of the regulation on Cybersecurity in a national guideline in the second half of 2020, and proceeding with the implementation of the regulation in a second step.

In the European Union, the new regulation on cyber security will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024.

Together, the EU, the Republic of Korea and Japan accounted for some 32 million vehicles produced in 2018, representing just over one third of global production.

Given the widespread use of UN Regulations in the automotive sector around the world, broad adoption of these regulations is expected, both among and beyond the 54 Contracting Parties to UNECE’s 1958 Agreement.

According to recent research, the need to strengthen automotive cybersecurity will trigger massive investments – increasing from 4.9 billion USD in 2020 to 9.7 billion USD in 2030. The framework offered by the new UN Regulations will spur significant innovation and new economic opportunities among suppliers, IT companies, specialist niche firms and start-ups, particularly in the software development and services market.

Note to editors
About the UN Regulation on Cybersecurity and Cyber Security Management Systems

The regulation applies to passenger cars, vans, trucks and buses; light four-wheeler vehicles if equipped with automated driving functionalities from level 3 onwards (this covers the new automated pods, shuttles, etc.); and trailers if fitted with at least one electronic control unit.

The Regulation text is available at: http://www.unece.org/DAM/trans/doc/2020/wp29grva/ECE-TRANS-WP29-2020-079-Revised.pdf

The UN Regulation provides a framework for the automotive sector to put in place the necessary processes to:

  • Identify and manage cyber security risks in vehicle design;
  • Verify that the risks are managed, including testing;
  • Ensure that risk assessments are kept current;
  • Monitor cyber-attacks and effectively respond to them;
  • Support analysis of successful or attempted attacks;
  • Assess if cyber security measures remain effective in light of new threats and vulnerabilities.

All of these will be audited by national technical services or homologation authorities.

The type approval principles under the 1958 Agreement mean that manufacturers will need to demonstrate, prior to putting vehicles on the market, that they fulfil the following requirements:

  • Cyber Security Management System is in place and its application to vehicles on the road is available;
  • Provide risk assessment analysis, identify what is critical;
  • Mitigation measures to reduce risks are identified;
  • Evidence, through testing, that mitigation measures work as intended;
  • Measures to detect and prevent cyber-attacks are in place;
  • Measures to support data forensics are in place;
  • Monitor activities specific for the vehicle type;
  • Reports of monitoring activities will be transmitted to the relevant homologation authority.

About the UN Regulation on Software Updates and Software Updates Management Systems

The UN Regulation applies to vehicles permitting software updates: passenger cars, vans, trucks and buses; trailers; and agricultural vehicles.

The Regulation text is available at: https://undocs.org/ECE/TRANS/WP.29/2020/80

The UN Regulation provides a framework for the automotive sector to put in place the necessary processes for:

  • Recording the hardware and software versions relevant to a vehicle type;
  • Identifying software relevant for type approval;
  • Verifying that the software on a component is what it should be;
  • Identifying interdependencies, especially with regard to software updates;
  • Identifying vehicle targets and verifying their compatibility with an update;
  • Assessing if a software update affects the type approval or legally defined parameters (including adding or removing a function);
  • Assessing if an update affects safety or safe driving;
  • Informing vehicle owners of updates;
  • Documenting all the above.

All of these will be audited by national technical services or homologation authorities.

The type approval principles under the 1958 Agreement mean that manufacturers will need to demonstrate, prior to putting vehicles on the market, that they fulfil the following requirements:

  • Software Update Management System is in place and its application to vehicles on the road is available;
  • Protect the software update (SU) delivery mechanism and ensure integrity and authenticity;
  • Software identification numbers must be protected;
  • Software identification number is readable from the vehicle;
  • For Over-The-Air software updates:
    • Restore function if update fails;
    • Execute update only if sufficient power;
    • Ensure safe execution;
    • Inform users about each update and about their completion;
    • Ensure vehicle is capable of conducting update;
    • Inform user when a mechanic is needed.

United Nations Economic Commission for Europe

Information Unit

Tel.: +41 (0) 22 917 12 34

Email: [email protected]

Reproduction is permitted provided that the source is acknowledged.