Understanding the UNECE WP.29 Cybersecurity Regulation (CSMS)

On June 25, 2020, after roughly two years of preparations and revisions, the United Nations formally adopted two new regulations on automotive cybersecurity ¹. Automotive regulations are not a new topic at the United Nations; since the early 1950’s the UN has been involved in regulating the safety and security standards of vehicles, including regulations on seat belts, steering wheels, and even headlights. However, because of the newness of the topic, it took until 2018 for the UN to start developing regulations for automotive cybersecurity.

 

This recent WP.29 automotive cybersecurity regulatory adoption begs the question: Why now?

According to Juniper Research ², 775 million consumer vehicles will be connected via telematics or by in-vehicle apps by 2023, rising from 330 million vehicles in 2018. Additionally, the International Data Corporation predicts that by that same year, nearly 70% of worldwide new light-duty vehicles and trucks will be shipped with embedded connectivity ³. Other connected vehicle research indicates that the global connected vehicle market is expected to grow to $122 billion by 2023, expanding at a compound annual growth rate of 14% ⁴.

As this connected vehicle ecosystem expands, global automotive OEMs, Tier 1 and 2 suppliers, and other smart mobility players continue to develop various services, components, and technologies for the connected car. Consequently, as vehicle connectivity grows and demand for embedded solutions rise, the risk of cyber attacks against connected vehicles increases. According to a March 2020 GSA and McKinsey report ⁵, currently, cars have up to 150 ECUs and about 100 million lines of code, and by 2030, many expect them to have roughly 300 million lines of software code. This amount of code creates extensive opportunity for cyber attacks, not only on the car itself but also on all components of its ecosystem.

To curtail the expected rise of cyber attacks against connected vehicles, which could cost the automotive industry up to $24 billion in losses by 2023 ⁶, governmental bodies and independent regulators have made an effort to demand an increase in ingrained cybersecurity measures from OEMs, component and software suppliers, and mobility services.

Regulations also allow for faster and more effective vehicle development and are often introduced due to common industry interests. In the case of automotive cybersecurity regulations, the demand for increased security is clear throughout the industry, governments, and road users alike. Independent efforts to secure connected vehicles takes a considerable amount of time and money. In contrast, when cybersecurity efforts are compounded in the form of regulations, they lead to more timely, effective, and reliable vehicles.

According to the UNECE overview, “The objective of the WP.29 is to initiate and pursue actions aimed at the worldwide harmonization or development of technical regulations for vehicles.” ⁷ In response to the growing prevalence of connected vehicles, the WP.29 decided to convert the Working Party on Brakes and Running Gear (GRRF) into the new Working Party on Automated/Autonomous and Connected Vehicles (GRVA). Together, the WP.29 and the GRVA developed new automotive cybersecurity regulations.

As of June 25, 2020, two new WP.29 automotive cybersecurity regulations have been adopted

In a press release published on June 25, 2020, the UNECE explains that “The two new UN Regulations, adopted yesterday by UNECE’s World Forum for Harmonization of Vehicle Regulations, require that measures be implemented across 4 distinct disciplines: Managing vehicle cyber risks; Securing vehicles by design to mitigate risks along the value chain; Detecting and responding to security incidents across vehicle fleet; Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for so-called “Over-the-Air” (O.T.A.) updates to on-board vehicle software.” ⁸

As stated, the first regulation (and the one henceforth discussed in this blog) focuses on uniform provisions concerning the approval of vehicles with regard to cybersecurity and cybersecurity management systems (CSMS). The second regulation is on vehicle software update processes and software update management systems (SUMS).

The regulations are expected to be finalized and published in early 2021 and apply to the 54 contracting parties (states/countries, which do not include US or Canada). Once the regulations enter into force, OEMs in the member states will be required to implement specific cybersecurity and software-update practices and capabilities for Vehicle Type approvals. According to the McKinsey and GSA report ⁹, when looking at the current passenger car market in the ten largest countries regulated under UNECE WP.29, the new regulations will likely affect over 20 million vehicles worldwide, not including commercial vehicles, or any other type of motor vehicle regulated under UNECE WP.29.

OEMs that do not comply with the regulations may face trade barriers and other complications; those that do acquire the necessary certification, have the ability to brand their companies as secure and build mutual trust with customers. Ultimately, the regulations effectively make cybersecurity an inviolable element of future connected vehicles.

Understanding the scope of the WP.29 Cybersecurity and Cybersecurity Management Systems (CSMS) regulation

The uniqueness of the WP.29 CSMS regulation is both in its practical approach to automotive cybersecurity, with concrete examples of threats, and specified mitigations, but also in its holistic approach to automotive cybersecurity, with a process and governance perspective, an IT perspective, as well as a product and OT perspective.

The regulation specifically explains what needs to be done, however, it intentionally does not include an explicit definition of how the regulatory requirements can be met, nor does it mandate detailed technical measures. Instead, through the use of relevant standards (such as the ISO/SAE 21434) and implementing appropriate mitigations, OEMs should be able to showcase how the principles of the regulation are being met.

The emphasis on the word ‘processes’ in the regulation is a clear bid to provide guidance for cybersecurity structures without mandating low-level technical specifications. The regulation was intentionally drafted in a technology-neutral way, giving some flexibility to OEMs to decide how to ensure the cybersecurity of their vehicles. Because of the dynamic nature of the automotive cyber environment, rigid technical measures could be counterproductive.

The WP.29 regulation demands a split approach to automotive cybersecurity requirements, with requirements for CSMS approval and Vehicle Type approval

Both approaches have a correlating certification and approval process. The first focuses on Cyber Security Management Systems (CSMS, the namesake of the regulation) and includes cybersecurity requirements for an OEM’s organizational structure, processes, and governance. CSMS certification demands evidence from the OEM, including test reports and threat modeling, in order to prove that due diligence was done in ensuring cybersecurity throughout the lifecycle of the vehicle.

The second is a more specific Vehicle Type approval, which involves actually testing the vehicle and certifying that the design of vehicle architecture, the risk assessment procedures, and implementation of cybersecurity controls were executed correctly. In this approval process, an authority tests an individual type of vehicle to check if the cybersecurity measures were actually implemented.

As its name indicates, the CSMS approval focuses specifically on the management systems involved in automotive cybersecurity, meaning that the OEM must ensure that the processes in place to manage the cybersecurity within connected vehicles are effective. The CSMS regulation dictates that the regulation applies to vehicles within the M and N (vehicles with at least 4 wheels) categories, the O category (if fitted with at least one electronic control unit), and vehicles in categories L6 and L7 that are equipped with autonomous driving functions beyond level 3.

In the CSMS approval requirements, the WP.29 attempts to take what was once a relatively arbitrary process (or, in some cases, no process at all), and add beneficial guidelines. Undoubtedly, a thorough, defined, and refined process of cybersecurity management lends itself to more effective cybersecurity.

The main principles involved in CSMS approval demand lifecycle implementation, risk assessment and management, cyber threat and attack processes, timeliness, data and telematics usage, and supply chain management.

Vehicle Type requirements detail the various steps an OEM must take for type approval and then, in Sections 8-10, the regulation explains that Vehicle Type approval must be maintained throughout the potential modification of vehicles and the extension of a vehicle if it impacts the vehicle’s technical performance with respect to cybersecurity. It is important to note that in order for an OEM to receive Vehicle Type approval, it must first complete the CSMS approval.

The main principles involved in Vehicle Type approval demand the application of CSMS, Tier 1 and 2 supplier management, an in-depth TARA (threat analysis and risk assessment) process, threat reporting, aftermarket responsibility, and data and telematics usage.

The regulation lists cyber threats, vulnerabilities, and mitigations that must be considered for CSMS certification

Though appended at the end of the regulation, Annex 5 is not to be overlooked as it includes the regulation’s most specific stipulations, namely, a list and mapping of cyber threats and their corresponding mitigations. The regulations list of threats and vulnerabilities must be considered when it comes to effective risk assessment and management, however, it is important to note that while the list of threats, vulnerabilities, and mitigations is extensive, that it is not exhaustive.

To help OEMs and automotive suppliers understand and assess the risks associated with connected vehicles, the regulation includes detailed descriptions of threats, and even goes as far as to offer specific examples of potential attack methods. Annex 5 includes 69 different attack routes due to 7 different high-level cyber threats and vulnerabilities, namely: back-end servers, vehicle communication channels, vehicle update procedures, unintended human actions, external connectivity and connections, vehicle data/code, and other vulnerabilities.

To aid in the management of said risks, the regulation also offers 23 cybersecurity mitigations with the potential to secure a vehicle, its components, and back-end servers against these threats. The regulation divides its suggested mitigations related to the aforementioned 7 categories of threats into two main categories: mitigations for threats related to the vehicle itself, and threats related to arenas outside of the vehicle, like the back-end servers. Mitigations for threats against vehicles include the threats related to vehicle communication channels, vehicle update processes, unintended human actions, external connectivity and connections of the vehicle, data loss and breaches, the physical manipulation of systems, and other vulnerabilities. Mitigations for threats outside of the vehicle includes threats related to back-end servers and unintended human actions.

By mentioning such a high number of these back-office and communication threats, the regulation seems to indicate where the highest cyber risk is found. This elevated risk is not merely because of the number of threats associated with the vulnerabilities, but because of the direct and dangerous impact that these threats can have on the road user. Ultimately, as with the ISO/SAE 21434 standard, the WP.29 regulation was developed to keep consumers and drivers safer and more secure.

Tier 1 and Tier 2 suppliers also need to implement cybersecurity measures

The WP.29 regulation clearly indicates that the onus of supply chain cybersecurity management lies upon the OEM, where it is the responsibility of the vehicle manufacturer to ensure that all vehicle components and parts, both hardware and software, are secure. While the regulation does not indicate the method by which an OEM must verify the cybersecurity of the Tier 1 and 2 components, it does clearly demand (in Section 5.1.1) that the OEM must “collect and verify the information required under this Regulation through the supply chain so as to demonstrate that supplier-related risks are identified and are managed”.

In addition to the direct threats an OEM may face and thus need to mitigate, the list in Annex 5 also offers threats that must be mitigated at a Tier 1 or Tier 2 component level. Some of those threats include malicious internal (CAN) messages, the manipulation of functions designed to remotely operate systems like remote keys, immobilizer, and charging pile, as well as corrupted applications, both hardware or software that are engineered to enable an attack or fail to meet design criteria to stop an attack.

One of the many potential mitigations to these threats offers insight into the interconnected role between OEMs and Tier 1s. The regulation suggests that as a mitigation to the threat of corrupted applications, software shall be security assessed, authenticated, and integrity protected. Software components are provided to the OEM by other supply chain partners, and thus the OEM must demand that those suppliers ensure the integrity of their components.

Additionally, the regulation clearly demands cybersecurity measures throughout the entire lifecycle of the vehicle, which includes the development, production, and post-production phases.  While the OEM can ensure cybersecurity measures are in place during the production and much of the post-production phase, it must rely on its suppliers and then service providers to provide cybersecurity measures during the development (of all the components, chips, parts, etc) of the vehicle as well as aid in securing post-production services such as OTA updates, smart services related to the connected car (remote unlock door or engine start), access control for software, and more.

Upstream Security’s central role within automotive cybersecurity

As the regulation highlights through its listing of relevant threats and vulnerabilities, cyber attacks target not only endpoint devices (vehicles and fleets), but back-end servers, entire network environments, and connected car services. As such, OEMs must integrate the necessary cybersecurity measures to achieve powerful protection against not only in-vehicle threats, but also remote attacks and data breaches. While in-vehicle cybersecurity tools are used to protect against some attacks, connected vehicles require a centralized cybersecurity solution.

In contrast to mere in-vehicle tools, a centralized cybersecurity solution offers both endpoint detection and brings together multiple indications from connected car layers for complete, comprehensive, and early detection, thus securing vehicles from attacks that target back-end servers, smart mobility services, and multiple vehicles at once.

For true protection of the connected car ecosystem, OEMs and connected car service providers must consider a defense-in-depth and an end-to-end protection approach, with cybersecurity solutions to cover in-vehicle security, IT security, and the automotive cloud. Upstream’s automotive cloud cybersecurity platform covers the entire operational security element of the vehicle through four vital spaces within this ecosystem:

1. 1. The vehicle itself
   2. The communication channels to and from the vehicles
   3. The automotive cloud hosting the vehicle’s control systems
   4. Connected car services

Upstream’s centralized automotive cloud-security platform protects connected cars’ entire ecosystem and offers vital technologies such as digital-twin profiling and behavioral analysis. Based on correlating multiple data feeds, cloud-based cybersecurity provides full visibility of all the connected vehicles and services, and turns that data into actionable cybersecurity insights to alert on real-time cyber events and prevent attacks as they occur.

In the next few years, as cybersecurity regulations and standards become globally implemented and enforced, OEMs, Tier 1 and 2 suppliers, and mobility service providers must continue in their efforts to ensure safe and secure automotive products and services and meet the expectations of their regulators and consumers. Ultimately, the goal of the regulation, the goal of the OEMs, and Upstream’s solutions are the same: to protect connected vehicles and especially their drivers against the ever-growing and very real threat of cyber attacks.

 

Learn more about Upstream’s tools, webinars, and resources regarding the WP.29 regulation HERE.

 

__________________________

 

¹ http://www.unece.org/info/media/presscurrent-press-h/transport/2020/un-regulations-on-cybersecurity-and-software-updates-to-pave-the-way-for-mass-roll-out-of-connected-vehicles/doc.html
² https://www.juniperresearch.com/press/press-releases/in-vehicle-commerce-opportunities-exceed-775mn
³ https://www.idc.com/getdoc.jsp?containerId=prUS45092819
⁴ https://www.marketwatch.com/press-release/connected-vehicle-market-reach-12251-bn-by-2023size-and-share-analysis-by-with-top-players-forecast-2020-04-06?tesla=y
⁵ https://www.gsaglobal.org/wp-content/uploads/2020/03/Cybersecurity-in-automotive-Mastering-the-challenge.pdf
⁶ https://upstream.auto/news/press-release-global-automotive-cybersecurity-report-2019/
⁷ http://www.unece.org/trans/main/wp29/faq.html
⁸ http://www.unece.org/info/media/presscurrent-press-h/transport/2020/un-regulations-on-cybersecurity-and-software-updates-to-pave-the-way-for-mass-roll-out-of-connected-vehicles/doc.html
⁹ https://www.gsaglobal.org/wp-content/uploads/2020/03/Cybersecurity-in-automotive-Mastering-the-challenge.pdf
¹⁰ Pun intended