ETSI EN 303 645 & UNECE WP.29 – The importance of cybersecurity legislation for connected IoT and automotive devices
Internet of Things [IoT] and automotive technology are becoming ever more advanced, and increasingly central parts of our everyday lives. GlobalPlatform reports that 75.44 billion new connected devices are set to be deployed by 2025, as a response to the ever-growing demand for the technology.
However, with this proliferation of connected devices comes the increased threat of highly sophisticated attacks designed to steal users’ personal data. One only has to consider that, in the first half of 2021, over 1.5 billion attacks against IoT devices were detected, and that the number of attacks has recently increased by over 100%.
Cybersecurity is key to building consumer trust
If Original Equipment Manufacturers [OEMs] are to build confidence in, and usage of, connected devices, consumers need to feel that their devices are well protected from potential threats.
Unfortunately, however, IoT and automotive technology often lacks the necessary cybersecurity features that adequately mitigate and combat the dangers posed, with only 4% of deployed products having security in place.
To address this issue, the relevant regulatory bodies for both connected IoT and automotive have brought forward important, new cybersecurity legislation for their respective sectors.
For IoT, ETSI’s new EN 303 645 standard is influencing IoT regulations across the world, and for automotive, UNECE WP.29 regulation is leading the way globally.
These standards and regulations will play a vital role in transforming the security of IoT and automotive technology in years to come. Therefore, if OEMs wish to avoid the consequences of non-compliance, they must be aware of the legislation, and what is required of them.
What is ETSI EN 303 645?
ETSI EN 303 645 is a new standard brought forward by the Technical Committee on Cybersecurity [TC CYBER] for the European Telecommunications Standards Institute [ETSI]. ETSI is the body that is responsible for producing telecoms standards for use throughout Europe.
The EN seeks to establish a new standard for cybersecurity that creates a security baseline for IoT-connected consumer devices, and provides a basis for future IoT certification schemes. It achieves this through the delivery of ‘protection profiles’ – minimal baseline sets of requirements targeted at mitigating well-defined and described threats – for particular device types.
This enables other regulatory bodies to then build their own certification schemes to validate devices against these profiles, ensuring that consumers are given the best possible protection against potential threats. In practice, industry bodies and governments alike are looking to ETSI to provide a foundation upon which to build.
Furthermore, although there is no single, global standard, local standards are increasingly becoming ‘compatible’ with the ETSI approach. It is expected that the growing adoption of the EN within the IoT industry will help influence other industries to adopt similar schemes designed to bring cybersecurity front and centre for the benefit of consumers.
The ETSI EN 303 645 standard sets out 13 key cybersecurity provisions that OEMs must factor into their consumer IoT devices. These include having the means to manage reports of vulnerabilities in place, and ensuring software is regularly updated.
Furthermore, there must be a guarantee of software integrity and personal data security, and OEMs must ensure that systems are made resilient to outages. Additionally, the EN includes a data protection provision to assist OEMs in providing a number of features to IoT devices that seek to protect users’ personal data.
This includes giving consumers clear and transparent information about what personal data of theirs is processed, how it used, by whom, and for what purpose with each device in service. In doing so, these requirements also ensure that OEMs are compliant with other vital security requirements, such as the General Data Protection Regulation [GDPR].
However, compliance with ETSI EN 303 645 requirements is not the final step that OEMs must take when it comes to the legislation. They must also prove that their devices comply with the standard by passing an evaluation performed by a third-party testing laboratory. In this way, devices can be independently assessed to determine whether they have correctly met the requirements and recommendations set out by the standard.
What is UNECE WP.29?
The United Nations Economic Commission for Europe World Forum for Harmonisation of Vehicle Regulations Working Party 29 [UNECE WP.29] is responsible for defining the criteria for Type Approval for wheeled vehicles, equipment, and parts. It is the largest international vehicle regulatory system in the world, and its primary responsibility is to keep vehicle regulations updated and relevant to support international commerce and market access.
With the automotive industry having undergone significant changes in the last few years as vehicles become fully connected – embracing advanced driver assistance and machine learning – software has become a central part of vehicle design. Because of this, UNECE WP.29 has recently brought forward new legislation that seeks to ensure that ample cybersecurity is in place for connected vehicles.
There are various, critical elements to UNECE WP.29. Firstly, it seeks to harmonise the range of fragmented regulations that make it challenging for OEMs to develop common platforms that will meet each country’s specific needs.
This has been a significant cybersecurity issue in regions of the world where there have been many complex specifications for OEMs to follow. It achieves this harmonisation by establishing a uniform approach around what OEMs are required to do in order to ensure compliance in as many countries as possible.
Furthermore, while UNECE WP.29 does not explicitly tell OEMs how to implement cybersecurity, it provides them with the details of the structure, process and methods that need to be implemented within the organisation. This helps ensure that cybersecurity is at the heart of the vehicle design process and, therefore, that OEMs can apply the best possible protection to their vehicles.
This specifically requires each OEM to have a Cybersecurity Management Systems [CSMS] in place. This is a systematic risk-based approach that defines organisational processes, responsibilities, and governance to treat risks associated with cyber threats to vehicles, and protect them from attacks. In adopting the CSMS, OEMs must ensure that it touches all aspects of the business, and that it is adhered to within the business.
The regulations also detail the specific threats and vulnerabilities that must be protected against if OEMs are to attain compliance. OEMs are required to proactively monitor their fleets to watch out for emerging threats, and to be able to remediate these via software updates as soon as possible.
If identified issues failed to be addressed in a timely manner, OEMs will be unable to remain compliant. To achieve and maintain compliance, OEMs must also clearly demonstrate how they are meeting Type Approval requirements all the way through the production and post-production phases.
One crucial point that OEMs and suppliers should be aware of is that vehicles already under development for production from mid-2022 onwards must comply with the new regulations. As such, OEMs should already be surrounding themselves with proven and trusted suppliers who have established security as a core principle of their offerings.
The dangers of non-compliance with UNECE WP.29
There are a number of reasons why OEMs need to avoid failing to comply with UNECE WP.29’s legislation. Firstly, if automotive OEMs do not comply, they will not be granted Type Approval for certain markets, which would mean they could not sell their products in those regions. This could not only have a hugely detrimental impact on revenue but could also severely damage the reputation of the OEM, as well as its position as an organisation committed to ensuring cybersecurity.
If an OEM were to ignore Type Approval for a certain market altogether, it would leave itself open to legal action from consumers for selling a product that has not met the necessary security standard. Again, this could prove extremely costly and hugely detrimental to the organisation’s public image.
Why comply with ETSI EN 303 645?
With ETSI EN 303 645, however, the issue of compliance is far more nuanced. This is because the impact of non-compliance varies greatly on a regional basis. For example, in some areas of the world, the focus is far more on providing information, such as energy certificates, rather than on the prevention of sale. Given this, it is likely that, over time, the controls for the EN will get tighter, and compliance will become increasingly mandatory in places where it currently is not, for example via legislative mechanisms. To ensure that they are best prepared for this eventuality, OEMs must take the necessary steps now to ensure compliance.
Why do these regulations matter?
The rollout of ETSI EN 303 645 and UNECE WP.29’s new legislation both mark crucial turning points in the cybersecurity standards of the consumer IoT and automotive sectors respectively. ETSI’s EN is not only important as the first globally applicable cybersecurity standard for consumer IoT devices, but is already recognised as a foundation for basic level assurance for this type of device.
Additionally, it will provide a basis for IoT regulation around the world. In this sense, ETSI EN 303 645 aims to deliver 24/7 protection to consumers and their devices, thereby greatly minimising the capacity for attacks to successfully steal sensitive personal data.
While UNECE WP.29 may bring additional overheads for OEMs initially – along with a need for radical changes to internal design processes within the automotive industry – it should ultimately bring greater clarity and focus on cybersecurity.
Furthermore, it will also allow OEMs to follow a common set of processes with the confidence that they can deliver vehicles to a wide range of markets. These, of course, are positive developments for the sector itself, as well as for consumers.
In both cases, it provides OEMs with a level of commonality that has not previously existed. This should help to elevate the inclusion of cyber security as a starting point for new product development, as opposed to it being a bolt on or afterthought.
It should also result in lower testing and certification costs, especially for lower volume markets where the regional requirements may have been prohibitively expensive versus the potential sales opportunities.
How Trustonic is helping
Trustonic is a leading provider of the industry-leading Trusted Execution Environment [TEE] – an environment for executing code in which those executing the code can have high levels of trust in the surrounding environment.
As such, we have the solution to help OEMs ensure that they are compliant with relevant cybersecurity legislation and that they have the highest possible level of protection. This includes the ability to establish trusted connections between devices and cloud-based servers, which is crucial for over-the-air updating.
Our hardware-backed security is recognised as a gold standard for the consumer IoT industry.
We recently certified our TEE using the industry-standard Common Criteria Protection Profile, defined by GlobalPlatform, and achieved a class-leading EAL5+ certification.
Our TEE has also been deployed in more than 16 million vehicles and growing, sitting at the heart of the next generation of secure vehicles. Using a hardware-backed secure environment to perform critical operations, e.g., encryption and biometric authentication, and providing a trusted environment for applications and services will provide a robust platform for building future secure solutions.
OEMs choose our solution because, as a strongly certified component, it makes its considerably easier for them to meet both ETSI EN 303 645 and UNECE WP.29 requirements than by using alternative approaches.
Connected devices have become a truly intrinsic part of our lives in recent years, and play a hugely significant role in our daily routines. Despite the benefits that they bring, they can also compromise our privacy and safety if they are not correctly designed and prepared with security standards like ETSI EN 303 645 and UNECE WP.29.
OEMs owe it to their customers to ensure that they can feel confident in using their products and, in doing, so improve adoption of the technology.
We at Trustonic possess both the knowledge and means to assist OEMs in making this happen.