
The first-ever regulation requiring vehicle type approval with regards to cybersecurity. Are you prepared?
In June 2020, the United Nations (UN) officially adopted two new regulations regarding automotive cybersecurity. Set out by UNECE WP.29, UN R155 mandates an automotive cybersecurity management system (CSMS), while UN R156 requires a software update management system (SUMS) for all vehicles. As mandatory requirements for vehicle type approval, the regulations affect the production of every single vehicle across the globe.
From OEMs, Tier-1 suppliers, all the way to software providers – everyone needs to be prepared.
Although many may think that “WP.29” refers to the newer regulations released in 2020, WP.29 is originally a ”Working Party on the Construction of Vehicles” that was established in 1952. It became officially known as WP.29 in March 2000 and the objective has always been to initiate and pursue actions for worldwide harmony in terms of the development of regulations for vehicles. The Working Party is the largest international vehicle regulatory system in the world.
While WP.29 has several working regulations for vehicles, the two regulations released in June 2020 are the first regulations that mandate cybersecurity for connected and autonomous vehicles, signaling the growing importance of securing intelligent transport systems.
Highlights
All You Need to Know About WP.29 Compliance
and stay prepared with AUTOCRYPT
Effects on the Automotive Industry

If the vehicle in question…
- Utilizes a wired or wireless connection to the vehicle’s internal communication network
- Utilizes a wired or wireless connection to the external communication network of the vehicle
- Connects indirectly to the vehicle network
- Utilizes electronic or optoelectronic hardware
- Includes software
- Includes sensors


WP.29 Regulation Checklist
While countries are beginning the steps towards full implementation, those in the automotive industry (including OEMs, Tier-1 Suppliers, Service Providers, etc.) can take it upon themselves to ensure that they are prepared for WP.29’s stipulations.
Cyber Security Management Systems (CSMS)
For Automotive Industry/Sector
- Identify and manage cybersecurity risks in vehicle design
- Verify that the risks are managed, including testing
- Ensure that risk assessments are kept current
- Monitor cyberattacks and effectively respond to them
- Support analysis of successful or attempted attacks
- Assess if cybersecurity measures remain effective for new threats and vulnerabilities
For Manufacturers
- CSMS is in place and its application to vehicles on the road is available
- Provide risk assessment analysis, identify what is critical
- Mitigation measures to reduce risks are identified
- Evidence that mitigation measures work as intended
- Ensure measures are in place to detect and prevent cyberattacks and support data forensics
- Monitor activities specific for the vehicle type
- Submit activity monitoring reports to relevant approval authority
Software Update Management Systems (SUMS)
For Automotive Industry/Sector
- Record hardware/software versions for vehicle type
- Identify software relevant for type approval
- Verify software on components
- Identify interdependencies, especially with regards to software updates
- Identify vehicle targets and verify compatibility with update
- Assess if software update affects type approval or legally defined parameters (including adding/removing functions)
- Assess if an update affects safety or safe driving
- Inform vehicle owners of updates
For Manufacturers
- SUMS is in place and its application to vehicles on the road is available
- Provide SU delivery mechanism and ensure integrity and authenticity
- Protect software identification numbers
- Ensure that software identification number is readable from the vehicle
For Over-the-Air (OTA) Software Updates
- Restore function if update fails
- Execute update only if sufficient power
- Ensure safe execution
- Inform users about each update and about their completion
- Ensure vehicle can conduct updates
- Inform user when a mechanic is needed
AUTOCRYPT's Solution for WP.29
Many companies have already begun to map out a timeline implementing changes to their existing supply chains to ensure that new vehicle models will be compliant with the regulations. However, the comprehensive nature of the compliance regulations can prove to be roadblocks for many, requiring additional assistance.
As an automotive cybersecurity solutions provider, AUTOCRYPT offers a three-fold, comprehensive approach to CSMS compliance, beginning with consultation, all the way to regular testing.
Consulting and Training
AUTOCRYPT’s security experts will work with you to conduct:
- Overview of existing CSMS
- TARA-based risk assessment
- Recommendations for security engineering
Security Product
AUTOCRYPT’s in-vehicle security solution provides security for ECUs and an Intrusion Detection System (IDS) for CAN bus network messages.
Testing
AUTOCRYPT’s red team will perform regular CSMS testing with:
- Vulnerability Scanning
- Fuzz Testing
- Penetration Testing
Manufacturers, suppliers, and service providers should be looking to get a head start on structuring their Cyber Security Management Systems, and preparing for type approval. Ultimately, AUTOCRYPT and WP.29’s goals are one and the same: security should be a priority before any vehicles go on the road.
AUTOCRYPT can fulfill WP.29’s new regulations through its comprehensive total security solution, AutoCrypt IVS.
By protecting the ECU and implementing an Intrusion Detection System for the CAN Bus network system, AUTOCRYPT ensures that the CSMS requirements for WP.29 are met.
With both IVS-ECU and IVS-IDS components of AutoCrypt IVS, in-vehicle networks are securely covered to ensure safe driving for all those involved.

Security reinforcement and monitoring for ECUs

Abnormal behavior / attack detection for internal and external communication networks

Related Solution
In-Vehicle Security
AUTOCRYPT provides complete security for the internal systems of the car, monitoring all communications and responding to malicious activities.

About AUTOCRYPT
AUTOCRYPT
AUTOCRYPT is a mobility security provider with the goal of providing a seamless and secure mobility experience for all.