United Nations Economic Commission for Europe (UNECE)

Are you and your company prepared?

In June 2020, the United Nations (UN) officially adopted two new regulations regarding automotive cybersecurity.

The two regulations regarding cybersecurity management systems (CSMS) and software update management systems (SUMS) will affect the automotive industry in a tremendous way. 

From OEMs, Tier-1 suppliers, all the way to software providers - everyone needs to be prepared.

unece WP.29 사이버보안 법규 이미지

Although many may think that “WP.29” refers to the newer regulations released in 2020, WP.29 is originally a ”Working Party on the Construction of Vehicles” that was established in 1952. It became officially known as WP.29 in March 2000 and the objective has always been to initiate and pursue actions for worldwide harmony in terms of the development of regulations for vehicles. The Working Party is the largest international vehicle regulatory system in the world.

While WP.29 has several working regulations for vehicles, the two regulations released in June 2020 are the first regulations that mandate cybersecurity for connected and autonomous vehicles, signaling the growing importance of securing intelligent transport systems.

The two regulations will be implemented across 4 distinct disciplines:

Manage vehicular cyber risks

Secure vehicles by design,
mitigating risks along value chain

Detect and respond to security incidents for fleets

Provide safe and secure software updates, with legal basis for OTA updates for on-board software

For the 54 contracting parties to the agreement, this means that within the next few years, they will have to make major changes in the way that service providers and manufacturers prioritize cybersecurity.

Because the regulations are binding for the contracting parties, those that do not comply may face trade issues and face challenges in brand imaging, as the lack of prioritizing safety and security will not allow for a trusting, long-term relationship with partners or consumers.

If the vehicle in question...

  • Utilizes a wired or wireless connection to the vehicle’s internal communication network
  • Utilizes a wired or wireless connection to the external communication network of the vehicle
  • Connects indirectly to the vehicle network
  • Utilizes electronic or optoelectronic hardware
  • Includes software
  • Includes sensors

While countries are beginning the steps towards full implementation, those in the automotive industry (including OEMs,Tier-1 Suppliers, Service Providers, etc.) can take it upon themselves to ensure that they are prepared for WP.29’s stipulations.

Cyber Security Management Systems (CSMS)

For Automotive Industry / Sector

 Identify and manage cyber security risks in vehicle design

 Verify that the risks are managed, including testing

 Ensure that risk assessments are kept current

 Monitor cyber-attacks and effectively respond to them

 Support analysis of successful or attempted attacks

 Assess if cyber security measures remain effective for new threats and vulnerabilities

For Manufacturers

 CSMS is in place and its application to vehicles on the road is available

 Provide risk assessment analysis, identify what is critical

 Mitigation measures to reduce risks are identified

 Evidence that mitigation measures work as intended

 Ensure measures are in place to detect and prevent cyber-attacks, and support data forensics

 Monitor activities specific for the vehicle-type

 Transmit reports of monitoring activities to relevant approval authority

Software Update Management Systems (SUMS)

For Automotive Industry / Sector

 Record hardware / software versions for vehicle type

 Identifying software relevant for type approval

 Verifying the software on a component

 Identify interdependencies, especially with regards to software updates

 Identify vehicle targets and verify compatibility with update

 Assess if software update affects type approval or legally defined parameters (including adding/removing functions)

 Assess if an update affects safety or safe driving 

 Inform vehicle owners of updates

For Manufacturers

 SUMS is in place and its application to vehicles on the road is available

 Provide SU delivery mechanism and ensure integrity and authenticity

 Protect software identification numbers

 Ensure that software identification number is readable from the vehicle

For Over-the-Air (OTA) software updates

 Restore function if update fails

 Execute update only if sufficient power

 Ensure safe execution

 Inform users about each update and about their completion

 Ensure vehicle can conduct updates

 Inform user when a mechanic is needed

DISCLAIMER: This document is for informational purposes only. Information is general in nature, and is not intended to and should not be relied upon or construed as a legal opinion or legal advice regarding any specific issue or factual circumstance. Information may not contain the most up-to-date information. Readers of the document should contact their cyber security solutions provider for the most up-to-date information to obtain advice with respect to regulation compliance. 

Many companies have already begun to map out a timeline of implementing changes to their existing supply chains to ensure that new vehicle models will be compliant with the regulations. However, the comprehensive nature of the compliance regulations can prove to be roadblocks for many, requiring additional assistance.

As an automotive cybersecurity solutions provider, AUTOCRYPT offers a three-fold, comprehensive approach to CSMS compliance, beginning with consultation, all the way to regular testing.

Consulting & Training

AUTOCRYPT security experts will work with you to conduct:
 Overview of existing CSMS
 TARA-based risk assessment
 Recommendations for security engineering

Security Product

AutoCrypt IVS (In-Vehicle Systems) provides security for ECUs and an Intrusion Detection System (IDS) for CAN bus network messages. 


Regular CSMS testing with:
 Vulnerability Scanning
 Fuzz Testing
 Penetration Testing

Manufacturers, suppliers, and service providers should be looking to get a head start on structuring their Cyber Security Management Systems, and preparing for type approval. Ultimately, AUTOCRYPT and WP.29’s goals are one and the same: security should be a priority before any vehicles go on the road.

AUTOCRYPT can fulfill WP.29’s new regulations through its comprehensive total security solution, AutoCrypt IVS.

By protecting the ECU and implementing an Intrusion Detection System for the CAN Bus network system, AUTOCRYPT ensures that the CSMS requirements for WP.29 are met.

With both IVS-ECU and IVS-IDS components of AutoCrypt IVS, in-vehicle networks are securely covered to ensure safe driving for all those involved.

Security reinforcement and monitoring for ECUs

Abnormal behavior / attack detection for internal and external communication networks

WP.29 Regulations affect nearly 60 countries, their automotive manufacturers, and service providers. Implementation is already underway in many countries and will be in full effect by 2022.

As a security company, we are fully on board with more comprehensive cybersecurity measures for connected vehicles.

Download our free resource for a comprehensive overview of the new regulations and what you and your company can do to prepare before the regulations go into force in July 2022.