After more than 60 years of setting standards and crafting regulations for the automotive industry, two high-powered global organizations are now addressing automotive cybersecurity needs at every point along the supply chain. The United Nations World Forum for Harmonization of Vehicle Regulations (WP 29) and the International Organization for Standardization (ISO/SAE) are behind this new focus, and it’s likely to have a major impact on every player in the industry. The regulators have set an ambitious deadline for meeting end-to-end requirements, which, not surprisingly, is sparking increased cybersecurity activity among OEMs and their entire supply chains.

Cars today include as many as 150 electronic control units, requiring roughly 100 million lines of software coding — “four times more than a fighter jet.” Digitizing electrical and electronic systems enables carmakers to deliver greater connectivity and automation. But there’s an unsettling downside to increased digitization: it’s become easier than ever for cyber criminals to hack into in-vehicle systems.

The UN organization has responded to this reality with its new WP.29 Cybersecurity and Cyber Security Management Systems (CSMS) regulation. Aimed at OEMs and Tier 1 and Tier 2 suppliers, the regulation introduces processes for managing every phase of the vehicle security lifecycle, from development through production and post-production. At each stage, manufacturers must demonstrate compliance with the processes defined in the regulation.

In addition, the regulation requires that in order to get “type approval” for a newly-made vehicle, the OEMs will need to meet all required cybersecurity processes managed by a CSMS (In other words, type approval depends on holding a CSMS certificate.)

Aimed at OEMs and Tier 1 and Tier 2 suppliers, the regulation introduces processes for managing every phase of the vehicle security lifecycle, from development through production and post-production.

Mapping the implementation of cybersecurity systems

The even more detailed ISO/SAE 21434 standard, to which the WP.29 regulation refers, maps out the proper implementation of cybersecurity management systems in great detail, offering comprehensive guidance throughout the process. To create the standard, ISO collaborated with SAE International, a global association of engineers who helped devise a lengthy list of directives. For example, it outlines rules for:

  • Developing organizational cybersecurity policies, documentation, training, configuration, change management, and general processes.
  • Ensuring cybersecurity at the project level.
  • Assigning cybersecurity responsibilities and activities between customers and suppliers throughout the supply chain.
  • Monitoring security vulnerabilities on a consistent schedule and conducting ongoing risk assessments.
  • Documenting and analyzing security breaches.

ISO/SAE 21434 may help the automotive industry nurture a “cybersecurity culture,” says Dr. Gido Scharfenberger-Fabian, convenor of the ISO expert group. It’s meant to help carmakers, OEMs, and Tier 1 and Tier 2 providers “consider cybersecurity issues at every stage of the development process and in the field, increasing the vehicle’s own cybersecurity defences and mitigating the risk of potential vulnerabilities for every component,” he explains.

The challenge of scalability

Driving toward Compliance: Auto Industry Scaling up to Meet New Regulations for In-Vehicle Cybersecurity

As the new regulations become tangible, cybersecurity teams must mobilize to update their cybersecurity practices and begin implementing methodical and systematic procedures across all their organizations.

The WP.29 regulation and ISO/SAE 21434 standard — which apply to all passenger cars, vans, trucks, and buses — went into effect in January 2021. The WP.29 rules will become mandatory in the European Union for all new vehicle types in July 2022, and mandatory for all new vehicles produced as of July 2024.

As the new regulations become tangible, cybersecurity teams must mobilize to update their cybersecurity practices and begin implementing methodical and systematic procedures across all their organizations. Performing a Threat Analysis and Risk Assessment (TARA) is one of the first essential steps. The practical knowledge gained from that process can then be translated into action. It’s a challenging process that calls for a significant investment of resources and effective tools.

Fortunately for OEMs and Tier 1 suppliers, there is an existing technology and cybersecurity tools that will enable the automated implementation of these security procedures. Cybersecurity tools can help automate threat identification and prevention while offering visibility and control, which simplifies in-vehicle cybersecurity across the multiple layers of complex supply chains. Every vehicle becomes a platform for connected computing and part of an open ecosystem that allows rapid deployment of protection against threats. Technology can streamline the management of key processes as well, including risk assessment, planning, and creating and enforcing policies.

Driving toward Compliance: Auto Industry Scaling up to Meet New Regulations for In-Vehicle Cybersecurity

When regulatory compliance is mandated throughout an entire organization, scalability is key

When regulatory compliance is mandated throughout an entire organization, scalability is key. Compliance scalability is particularly challenging because automotive companies always have many projects underway — and never enough people to focus on cybersecurity. Cybersecurity tools can solve the scalability problem by managing the process with maximum efficiency, helping companies run operations, delegate, collaborate, and generate reports. Reusing proven cybersecurity resources for multiple projects is another major factor in achieving scalability.

The introduction of WP.29 regulations and the ISO/SAE 21434 standard illuminates the fact that cybersecurity lifecycle management is an ever-dynamic process that requires constant attention. In this new regulatory environment, it would be a mistake for auto industry players to linger on the sidelines. Companies that act promptly today could be spared the pain of seeing dormant vulnerabilities erupt into a full-blown crisis tomorrow.