As we near the end of 2020, the term “WP.29” has become an oft-discussed topic for those of us in the automotive industry, especially when it comes to compliance and the need for universal regulations for vehicles and security. Although we throw this term around quite a bit when it comes to discussion of the new regulations, WP.29 is not the name or title of the regulations, but the shorthand title of the working party – World Forum for Harmonization of Vehicle Regulations. This working party is part of the United Nations Economic Commission for Europe (UNECE).
Though this working party has been established for over 50 years, the concept of transportation has evolved and continues to develop. With the rise of autonomous vehicles, a new working party within WP.29 was commissioned – the GRVA, Working Party on Automated/Autonomous and Connected Vehicles – which began its work on drafting up a new UN regulation for cyber security management systems for these vehicles.
In June 2020, WP.29 released two new regulations for the industry, and while the regulations themselves are quite complex in terms of all the details, generally it divides up into the implementation of a Cybersecurity Management System (CSMS) and Software Update Management System (SUMS).
Of the two, the CSMS compliance regulation is what may take people off-guard as it’s quite a large, umbrella term. While “system” in terms of computing refers to a hardware or software system handled by a server, in this case a “system” is merely the people, products, and processes that one goes through in order to ensure that cybersecurity needs are being met.
Delving further, a CSMS should cover the entire lifecycle of a vehicle from development, production, and even post-production. Security is to be prioritized in all areas, not merely to monitor and detect abnormal activity, but to prevent it from even happening in the first place as well as risk identification and assessment.
What does this mean for the automotive industry?
Firstly, manufacturers will be held to a much higher standard, as they will have to hold a valid Certificate of Compliance for proper implementation of the aforementioned CSMS. The documentation that they submit will have to provide information on the supply chain of all parts and software, risk assessment, test results, mitigations, and treatment/management history. The manufacturers will also have to demonstrate that vehicles are protected against the risks and describe future testing and security measures in comprehensive detail.
The regulations enter into force in January 2021. However, this does not mean that at the stroke of midnight all regulations will become mandated. This is simply the date when countries that have signed the 1958 UNECE agreement can begin to integrate the regulations into national legislation. For example, in the European Union, the regulations will be mandatory beginning in July 2022. This means automotive manufacturers will have to consider the region in which their automotive business operations take place. Though their headquarters may be in one country, if sales and software providers are located in another region, jurisdiction will take precedent.
Therefore, this regulation not only affects vehicle manufacturers but also suppliers, software-providers, and service providers who will also have to comply with the cybersecurity management system requirements to be able to work with manufacturers. After all, the term “system” is all-encompassing when it comes to securing the vehicles on the road.
For cybersecurity companies, this means being able to provide products and solutions that ensures compliance of manufacturers, suppliers, and providers with the WP.29 regulations. However, although CSMS seeks to be comprehensive in terms of security solutions, the number of companies that can provide comprehensive solutions are quite limited.
Here at AUTOCRYPT, we believe that security should not be a complex, or multi-stop issue. From V2X to in-vehicle systems, we ensure that all points of the vehicle environment are covered in terms of security, and are here to work with companies who are looking to meet the compliance requirements for the new WP.29 regulations.
For more information about AUTOCRYPT’s solutions, visit our official WP.29 page.
However, as keys become more connected and less physical, there is yet another element to consider: cybersecurity. It is crucial that we consider that the more connectivity we usher in, the more enticing it can be for attackers to look for a way to infiltrate. This is why it is also essential to incorporate security technology like Public Key Infrastructure (PKI) into the system to guarantee security even in its convenience.
While we will ultimately get to a point in vehicle evolution where a physical key does not necessarily need to be carried around, the reality is that though the idea of the traditional key will change, ultimately the concept will remain. A key’s purpose is to help its owner access different entry points, but to also keep them safe by locking out unwanted intruders. Therefore, no matter the form of the key, digital or physical, security will remain essential.
For more information about AUTOCRYPT and its digital key, learn more here.