New UN ECE Regulations on Cyber Security and Software Updates Adopted
Since the 1980s, when electronic engine management systems and anti-lock braking systems were first introduced, the number of electronic systems incorporated into motor vehicles has rapidly increased. Modern vehicles include a vast array of electronic systems which, in addition to enhancing the vehicle’s safety and emissions performance, provide the vehicle occupants with numerous comfort, convenience and entertainment features.
In addition to this, many modern vehicles allow these onboard electronic systems to communicate wirelessly with other electronic devices and electronic infrastructure outside the vehicle. Providing this "connectivity" allows vehicle manufacturers to offer additional and enhanced services to their customers, and gives vehicle manufacturers the ability to update the software level of vehicles in service without the vehicle having to be taken into a dealership, a capability referred to as "over the air updates". The downside of providing this "connectivity" is that it also provides a route for potential cyber-attacks on the vehicle.
As the automotive industry moves towards the introduction of ever more automated vehicles, the necessary onboard electronic systems and their ability to wirelessly communicate with infrastructure outside the vehicle and with other vehicles will become even more critical. Therefore, governments around the world have recognised the need to ensure that the cyber security of future vehicles is suitably regulated.
To address this situation, in 2016, the United Nations Economic Commission for Europe (UN ECE) World Forum for Harmonisation of Vehicle Regulations (WP.29) set up a specific Task Force on cyber security and over the air software updates (TF CS/OTA). Between December 2016 and January 2020, this Task Force met 17 times and developed two new UN ECE Regulations: one on Cyber Security and Cyber Security Management Systems and one on Software Updates and Software Update Management Systems.
The draft UN ECE Regulation on Cyber Security and Cyber Security Management Systems requires vehicle manufacturers to have a cyber security management system in place and to demonstrate that each vehicle type has been designed in accordance with this management system. It includes requirements to ensure that:
- Assessments of potential cyber security risks are carried out during the design phase of the vehicle and updated throughout the vehicle’s life.
- Mitigation measures are put in place to address any identified risks.
- Testing is carried out to verify that the mitigation measures are effective.
- Attempted cyber-attacks on vehicles in service are monitored and assessed.
- Additional mitigation measures are put in place to address newly identified risks.
The draft UN ECE Regulation on Software Updates and Software Update Management Systems requires vehicle manufacturers to have a software update management system in place and to demonstrate that each vehicle type and its software updates have been designed in accordance with this management system. It includes requirements to ensure that:
- Hardware and software versions are recorded for all individual vehicles.
- Assessments of planned software updates are carried out to identify potential effects on the vehicle’s safety performance and type approval compliance.
- Assessments of planned software updates are carried out to ensure their compatibility with all of the other systems installed on the vehicle.
- The method of delivering the software update is secure.
- Software identification numbers are protected and can be readily checked.
- Any "over the air" updates are carried out safely.
Both of these draft Regulations were submitted to the World Forum for Harmonisation of Vehicle Regulations (WP.29) at its 181st session in June 2020, where they were formally adopted. The new Regulation on cyber security has been allocated Regulation No. 155 and the new Regulation on software updates has been allocated Regulation No. 156, but neither Regulation has yet been allocated a provisional entry into force date.
Official publication of the final version of these two new Regulations is expected during December 2020 or January 2021. Compliance with these new UN ECE Regulations will only become mandatory once Contracting Parties require such compliance in their National/Regional legislation. However, the European Union have already specified mandatory dates for compliance with the new cyber security requirements within (EU) 2019/2144, i.e. July 6, 2022 for new types of vehicle and July 7, 2024 for all new vehicles.