In response to these challenges, the new UNECE WP.29 type approval regulations for cybersecurity and over-the-air (OTA) updates enter into force in January 2021. The cybersecurity management standard ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” is also hotly anticipated next year. But is the industry ready?
Stepping up in this connected world is a major challenge for the established automotive industry and Intelligent Transport Systems (ITS) providers. A number of these challenges can’t be solved without addressing deep-rooted issues such as reluctance to collaborate, a lack of specialised security talent, and engineering processes that don’t consider security throughout the lifecycle.
The ARTS TN have organised a webinar on Automotive Cyber Security on 21 October 2020 at 11.00hrs BST. Ahead of the webinar we’d like to hear your views on the following questions:
• How well are automotive and ITS businesses positioned to deal with security in their products and services?
• What do the various industries need to do to create conditions where security can be assured by design throughout the lifecycle of their products and services?
• What are the gaps, how big are they, and what capabilities are needed to address them?
If you have other questions that you’d like to post here, we will also consider these for discussion by our experts in the Q&A panel during the webinar.
Please do let us know how you see the industry responding to the challenges of security, and if you're not sure then why not propose a question for the panel?
The UNECE WP.29 regs, supported by ISO/SAE 21434, will be a much-needed focal point, as industry has been desperate for something to coalesce around on these issues. 21434 will specifically require that "A cybersecurity audit shall be performed to independently judge whether the organizational processes achieve the objectives of this document" and the DIS has been out since February, but I suspect this won't hit home until the standard is in force. It's going to be a steep learning curve for the manufacturers, the independent reviewers and the regulators. I'm involved in the development of ISO PAS 5112 currently, which is an auditing standard tied to 21434, but it's early days for that and it won't be a full standard. One of our speakers, Paul Wooderson, will be talking more about this at the webinar.
There were lots of questions from the audience that prompted a lively discussion. We didn't have time to answer everyone's questions live, but our speakers have kindly agreed to answer some more here. First up we have some answers from Paul Wooderson of HORIBA MIRA.
Q: What framework will UNECE WP.29 use (for compliance demonstration) before 21434 is issued?
Paul: ISO/SAE 21434 is widely seen as a key way of implementing the requirements of the regulation and demonstrating that they are met. However, there is no formal reference to ISO/SAE 21434 or any other standard or framework in the regulation itself; rather it allows any appropriate means to demonstrate compliance. Therefore, vehicle manufacturers can use evidence of following ISO/SAE 21434 or appropriate combinations of other standards to demonstrate that they meet the regulation's requirements.
Q: Should ResiCAV software be installed in the car? Or does it run on a PC?
Paul: ResiCAV is not software specifically but the project looked holistically at the challenge of achieving cybersecurity resilience. This included examining the technical and economic feasibility of solutions and methods that involve both in-vehicle and off-board aspects, as well as the capabilities and facilities that are required for the UK to develop, validate and operate these solutions.
Q: I am "lucky" enough to own a top USA brand of car that is leading autonomous driving. I am not sure the frequent updates have appropriate quality control since they fix one thing and break another. As a driver I'm not sure I would know my car was secure or indeed had been compromised? The pace and drive for commercial advantage feels way in advance of regulation. Who is holding suppliers to account?
Paul: This is indeed a challenging area in which the pace of technological change is greater than the speed at which regulation can keep up. The introduction of the new UNECE regulations for cybersecurity and software updates means that adequate cybersecurity and safe and secure software updates are now a condition for getting new vehicles type approved for use in regions that adopt the regulations. This is an important step, although the pace differential of course still remains. Within the constraints of current regulatory frameworks, the new regulations do require ongoing monitoring, detection and response to emerging threats, although in the future more dynamic forms of assurance and regulation are likely to be required.