As Cyber Risks Escalate, ISO/WD 24882 Sets New Standards for Safety and Availability in Agricultural OEMs
The digital transformation sweeping through the Automotive and Mobility ecosystem has also made its mark on the Agriculture sector. As a result, OEMs, suppliers, and other stakeholders must now prioritize the safety and security of agricultural operations, defending against cyber threats that could severely disrupt farming activities.
ISO/WD 24882 is one of the recent regulatory initiatives in the Automotive and Mobility ecosystem. Aimed specifically at agricultural machinery and tractors, it focuses on developing cybersecurity standards and addressing the increasing integration of digital and electronic systems in these devices.
This new standard aims to establish engineering requirements for the cybersecurity of electrical and electronic systems for Agriculture OEMs, including components and interfaces. It covers the entire lifecycle of these systems, from concept through to decommissioning, ensuring that cybersecurity risks are managed effectively.
Essentially, OEMs in the agricultural sector will be required to implement cybersecurity practices aligned with this new standard, impacting how they design, produce, and maintain machinery. Upon final approvals, OEMs will need to demonstrate compliance with cybersecurity requirements, which could involve new processes, tools, and technologies to manage risks effectively.
ISO/WD 24882 introduces new cybersecurity requirements for Agriculture OEMs
The new standard outlines cybersecurity requirements that highlight the importance of protecting access to devices’ components, command and control functions, and sensitive data:
- Risk Assessment – OEMs must conduct comprehensive cybersecurity risk assessments for their connected systems and components during the concept and development phases.
- Design and Development – Cybersecurity must be integrated into the design and development processes of agricultural machinery, with specific requirements for hardware, software, and communication interfaces.
- Production and Maintenance – The standard mandates the implementation of secure production and maintenance practices, ensuring that cybersecurity is maintained throughout the lifecycle of the machinery.
- Decommissioning – Even at the end of a device’s life, OEMs need to consider secure decommissioning procedures to prevent unauthorized access to sensitive data and systems.
Comparing ISO/WD 24882 and ISO/SAE 21434
Both ISO/WD 24882 and ISO/SAE 21434 focus on cybersecurity engineering but cater to different sectors, agriculture and automotive, and their unique challenges. Whereas ISO/SAE 21434 focuses on cybersecurity risk management for road vehicles, including passenger cars, trucks, buses, and motorcycles, to address risks across the entire supply chain, ISO/WD 24882 focuses on cybersecurity engineering for electrical and electronic systems in agricultural machinery.
With cyber resilience in mind, these two standards share many similarities. Both standards emphasize cybersecurity throughout the lifecycle of the systems they cover—from initial concept to decommissioning. Both also require thorough risk assessment and management strategies to identify, evaluate, and mitigate cybersecurity risks. Each standard aims to provide a unified framework for cybersecurity within its respective industry, facilitating global compliance and interoperability. The two standards highlight the importance of cybersecurity practices not only within the primary manufacturing entity but also across the entire supply chain, ensuring that all stakeholders adhere to the required standards.
However, industry-specific requirements vary. ISO/WD 24882 is tailored to the unique challenges of the agricultural sector, which involves machinery often operating in isolated or rural environments, potentially with less frequent updates or connectivity compared to automotive vehicles. In comparison, ISO/SAE 21434 addresses the complexities of modern road vehicles, which are highly connected and often involve advanced driver-assistance systems (ADAS) and autonomous driving technologies.
Furthermore, ISO/WD 24882 focuses more on the threats associated with the rural deployment and operational environment of agricultural machinery, where connectivity might be limited but unauthorized access or tampering could have severe consequences. ISO/SAE 21434, on the other hand, deals with the high connectivity of modern vehicles, including vehicle-to-everything (V2X) communications, and addresses threats like remote hacking, data breaches, and over-the-air updates.
ISO/WD 24882 Aligns with The Cyber Resilience Act, But Expands Resilience Beyond the EU
The Cyber Resilience Act (CRA) is a proposed regulation by the European Union that aims to enhance the cybersecurity of digital products and connected devices across the EU. It is expected to be finalized in 2025 and to set a precedent for cybersecurity regulations globally, ensuring that products placed on the market meet stringent cybersecurity requirements throughout their lifecycle.
The CRA applies to a wide range of products, including software, hardware, and connected devices. Manufacturers, including those in the agricultural sector, will need to comply with these requirements to sell their products within the EU. This proposed legislation mandates that manufacturers ensure the cybersecurity of their products from design through to the end of life, including post-market monitoring and updates. The CRA is also expected to drive innovation in cybersecurity practices, pushing manufacturers to develop more secure products. This is particularly important for the agriculture sector, where secure, connected technologies are becoming increasingly vital to operations.
Furthermore, the CRA will require Agriculture OEMs to implement more rigorous cybersecurity measures, particularly for connected and digital products. This aligns closely with the requirements of ISO/WD 24882, making compliance with both the standard and the CRA essential for market access in the EU.
While there are no known significant conflicts between the CRA and ISO/WD 24882, OEMs should be aware of the potential for overlapping or conflicting requirements. The CRA might impose certain cybersecurity requirements that are broader or more prescriptive than those in ISO/WD 24882, which could lead to conflicts in how these requirements are implemented. For example, the CRA could mandate specific post-market surveillance or update mechanisms that are not fully aligned with the procedures outlined in ISO/WD 24882.
ISO/WD 24882 is also expected to impact the implementation of UNECE WP.29 R155, which is expanding to cover agriculture OEMs
Initially focused on cybersecurity management systems (CSMS) for road vehicles, R155 is expanding to cover other vehicle categories, including agricultural machinery. R155 requires OEMs to implement and maintain a cybersecurity management system that identifies and manages cyber risks throughout the vehicle lifecycle, from development to decommissioning.
While R155 provides a broader regulatory framework, ISO/WD 24882 could offer more detailed, technical guidance tailored to the unique needs of agricultural machinery. This would help manufacturers meet R155’s requirements more effectively. It may be early to determine, but as ISO/WD 24882 is developed specifically for agricultural machinery, it could help shape the cybersecurity requirements that R155 mandates for agricultural vehicles. ISO/WD 24882 may also serve as a reference or be integrated into the framework that agricultural OEMs must follow to comply with R155.
For agricultural device manufacturers, adopting ISO/WD 24882 in conjunction with R155 compliance could become crucial for accessing markets where R155 is a legal requirement. This is particularly relevant in the EU and other regions adopting UNECE regulations.
ISO/WD 24882 is still under development and has not yet reached the final stages of approval. The timeline for when a standard becomes effective can vary depending on the progress of the drafting, review, and approval processes. As cybersecurity threats evolve, both R155 and ISO/WD 24882 are likely to be updated. Manufacturers who adopt ISO/WD 24882 early will be better positioned to adapt to future regulatory changes, including any updates to R155 that further tighten cybersecurity requirements.
Given the advanced connectivity and data-driven applications that drive innovation across the Agriculture sector, ISO/WD 24882 is poised to play a critical role in safeguarding agricultural machinery against cyber threats, demanding that OEMs adapt their processes to meet stringent cybersecurity requirements. This will lead to more secure, reliable agricultural operations and align the industry with global cybersecurity standards.