What is UNECE WP.29? The Changing Automotive Cybersecurity Landscape
Over the last 5 years the automotive industry has undergone massive change, moving from an industry often seen as a laggard in new technology adoption to one that is now pushing the boundaries in multiple areas. Almost every aspect of modern vehicle design has changed, as vehicles become fully connected and embrace advanced driver assistance and machine learning capabilities. Vehicles will also start to leverage the same software platforms we find in our mobile devices and embrace new internal architectures and networks that are designed to move gigabits of data between the in-vehicle systems.
This is translating into new behavioural models, as consumers now need to place their trust in the quality and reliability of these advanced services, for example, trusting the data integrity in sensors and how it is interpreted by Advanced Driver Assistance Systems (ADAS).
As the pace of change continues to accelerate, software is now at the centre of new vehicle design, and this creates challenges for an industry that, for many years, has viewed software as a black box environment. This brings us to what will perhaps be one of the big changes to the automotive industry to date: the new cybersecurity regulations that are set to be introduced from mid-2022 onwards.
What is UNECE WP.29?
The United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations Working Party 29 (WP.29) is set to introduce a new set of regulations covering vehicle cybersecurity that will have a profound impact on the automotive industry. Under existing UN legislation, dating back as far as 1958, member countries attending the WP.29 working sessions can define and establish regulatory instruments for motor vehicles.
While this may initially sound like a complicated approach to setting up new regulations, especially given the existence of other regulatory bodies such as the ISO and SAE, the UNECE WP.29 is playing an important role in the industry, with these new regulations set to be adopted in more than 60 countries. Despite its name, the regulations will not only be adopted within Europe, but also outside of the region, with important countries such as Japan and Korea already committed to implementing them as soon as possible.
Some of the critical elements to WP.29 include:
- Harmonization of fragmented regulations: With a multitude of cybersecurity standards, regulations, and frameworks, it can be a major challenge for vehicle OEMs to develop common platforms that will meet each country's specific needs. UNECE WP.29 aims to bring a uniform approach to what an OEM is required to do to achieve compliance in as many countries as possible.
- Structure and procedure: WP.29 does not tell an OEM how to implement cybersecurity, but rather provides them with the details of the structure, process and methods (in effect the best practice) that should be implemented within the OEM in order to place cybersecurity at the heart of the vehicle design process and which in turn will enable the OEMs to best protect the vehicle. Specifically, this requires each OEM to have a Cybersecurity Management System (CSMS) in place, that will touch all aspects of the business, and that it is adhered to within the business.
- The regulations (as per Annex 5) also list out the specific threats and vulnerabilities that must be covered in order to achieve compliance. However, it should be noted that they do not mandate how they are to be addressed. It is recognised that the specifics of each vehicle’s cybersecurity frameworks and protection methods will be unique to the wider vehicle design, software architecture and features and services being implemented.
- A proactive approach to cybersecurity: OEMs will be required to proactively monitor their fleets of vehicles to look for new emerging threats and to be able to remediate these, through software updates, as soon as possible. It will not be possible to maintain compliance if known issues are not addressed in a timely manner – i.e. don’t wait for the car to be taken to the dealership for servicing.
- Type Approval: In order to achieve and maintain compliance, OEMs will need to clearly show how they are meeting the Type Approval requirements all the way through production and in the post-production phase.
Implications for the Industry
Trustonic believes that WP.29 is an important step forward for the industry. While it may initially bring in additional overhead and the need for radical changes for internal design processes within the automotive industry, it should ultimately bring greater clarity and focus on cybersecurity which can only be a positive development. Critically, it will enable OEMs to follow a common set of processes with the confidence that they can then deliver vehicles to a wide range of markets.
One crucial point for OEMs, and suppliers, is that the vehicles which are already under development for production from mid-2022 onwards will need to comply with these new regulations. Thus, OEMs already need to be surrounding themselves with proven and trusted suppliers who have security as a core principle for their offerings.
Per the point above, WP.29 is not just about the OEM. Its impact will be felt across the entire automotive supply chain. Moving forwards, OEMs will require suppliers (tier 1/2/3) to show compliance with the regulations. This means that each building block that goes into the vehicle containing even the smallest piece of software will now have to come with evidence that it has been designed with security in mind. If a vendor cannot provide this proof, it will become increasingly difficult for the OEM to accept or integrate the code into their WP.29 compliant vehicles.
However, this will also create new opportunities. For suppliers who embrace this change, it will yield an opportunity to develop closer working relationships with the customers. Delivering secure vehicles will require a more tightly integrated set of working relationships. Thus, the next few years could be critical for those suppliers whose solutions will be covered by WP.29. Act now and with the right focus and you have the potential to build long term relationships. Wait and you run the risk of being devalued to the role of “just a supplier” or, even worse, being outmanoeuvred by the competition.
It is also highly likely that WP.29 will drive greater collaboration between component suppliers, in order that they can work together to provide OEMs with complete solutions that have the right level of compliance and supporting documentation – thus making it easy for the OEM to integrate their solutions into vehicles.
Finally, enhanced cybersecurity will play a key role in building the confidence of vehicle users to engage with and pay for many of the advanced connected vehicle services that should provide new high growth revenue streams for OEMs moving forwards.
As the provider of the industry’s leading Trusted Execution Environment (TEE) with more than 16M deployments in vehicles, and growing, Trustonic’s solutions will sit at the heart of the next generation of secure vehicles. Using a hardware-backed secure environment to perform critical operations, such as encryption and biometric authentication, and to provide a trusted environment for applications and services will provide a robust platform for building your future secure solutions.