On June 25, 2020, after roughly two years of preparations and revisions, the United Nations formally adopted two new regulations on automotive cybersecurity.
Automotive regulations are not a new topic at the United Nations; since the early 1950s, the UN has been involved in regulating the safety and security standards of vehicles. However, because automotive cybersecurity is such a new topic, it took until 2018 for the UN to start developing regulations for it.
But why now? According to Juniper Research, 775 million consumer vehicles will be connected via telematics or by in-vehicle apps by 2023, up from 330 million vehicles in 2018. Additionally, the International Data Corporation predicts that by that same year, nearly 70% of worldwide new light-duty vehicles and trucks will be shipped with embedded connectivity. Other connected vehicle research indicates that the global connected vehicle market is expected to grow to $122 billion by 2023, expanding at a compound annual growth rate of 14%.
As the market for connected vehicles expands, global automotive OEMs, Tier 1 and 2 suppliers, and other players continue to develop various services, components, and technologies for the connected car. Consequently, as vehicle connectivity grows and demand for embedded solutions increases, the risk of cyber attacks against connected vehicles increases.
According to a March 2020 report from the General Services Administration (GSA), cars have up to 100 million lines of code, and by 2030, many expect them to have about 300 million lines of software code. This creates countless opportunities for cyber attacks, putting drivers at huge risk. Each new connected service and capability introduces additional points of entry for hackers and opportunities for potential cyber, fraud and data-breach incidents, threatening companies, drivers and road users alike.
The demand for increased security through automotive cybersecurity regulations is clear across the industry, governments and road users. One such automotive cybersecurity effort can be observed in the regulations developed by the United Nations Economic Commission for Europe (UNECE)’s WP.29. According to the UNECE overview, the objective of WP.29 is “to initiate and pursue actions aimed at the worldwide harmonization or development of technical regulations for vehicles.” In response to the growing prevalence of connected vehicles, a new Working Party on Automated/Autonomous and Connected Vehicles (GRVA) has been formed. WP.29 and the GRVA have developed new automotive cybersecurity regulations together, and as of June 25th this year, two new WP.29 automotive cybersecurity regulations have been adopted.
In a press release on June 25, 2020, the UNECE explains:
“The two new UN Regulations, adopted by UNECE’s World Forum for Harmonization of Vehicle Regulations, require that measures be implemented across 4 distinct disciplines: Managing vehicle cyber risks; Securing vehicles by design to mitigate risks along the value chain; Detecting and responding to security incidents across vehicle fleet; Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for so-called “Over-the-Air” (O.T.A.) updates to on-board vehicle software.”
The first regulation focuses on uniform provisions concerning the approval of vehicles with regard to cybersecurity and cybersecurity management systems (CSMS). The second regulation is on vehicle software update processes and software update management systems (SUMS).
See below for more information: