New regulations: Seeking the optimum security approach
The new UNECE WP.29 and ISO/SAE 21434 requirements represent a paradigm shift for the automotive industry: In the future, vehicle type approval will be contingent on an appropriate cybersecurity management system (CSMS) being in place. For automotive manufacturers and suppliers, the rapid implementation of compliant product security tailored to potential risks is becoming a key competitive factor. Because the products and the supply chain in the automotive sector are so complex, cyberrisks must be assessed and continuously addressed over the entire vehicle life cycle and across the entire supply chain.
This calls for precise analysis of the participants in the automotive ecosystem and what they each must do to deliver an appropriate level of protection. In turn, the security they provide must be underpinned by technical and organizational measures: trust anchors must be implemented in the products themselves, e.g., hardware security modules or trusted execution environments; at the same time, audits and certifications can boost confidence in suppliers’ and manufacturers’ capabilities.
Figure 1: The complex automotive ecosystem with its many participants and interactions from a security perspective.
Appraisals lead to an optimum improvement roadmap
The aim is not just to fulfill the regulatory requirements of the recently passed UN regulation and the coming ISO/SAE standard, but to find the optimum security approach with the maximum effectiveness for one’s own corporate strategy and product roadmap. This requires companies to implement organizational and technical measures in the form of a comprehensive cybersecurity management system (CSMS) that will enable them to define, control, manage, and improve cybersecurity on an ongoing basis along the entire value chain. The Product Security Organization Framework PROOF (developed by ESCRYPT and KPMG), for example, offers a comprehensive approach and roadmap.
To this end, the first important step is an appraisal or gap analysis to identify not only any holes but also existing strengths, for example assets such as a quality assurance system or processes for achieving functional safety. Only if the state of relevant cybersecurity aspects in the organization is completely transparent can a company draw up an optimum roadmap that prioritizes measures, makes best use of existing potential, and carries unused potential forward – thus leading the company safely to its goal in the short period of time remaining before the UN regulation is implemented.
Figure 2: A CSMS comprises classic security management domains (outer ring and center) and domains that focus on the products and their users (middle ring).
Technical gap analysis for retrofitting vehicles
As of 2024, the UN regulation will also apply to new sales of vehicle types approved prior to 2022. As a result, manufacturers and suppliers may have to reinvest in components and systems, doubling the strain on their development departments to complete the next generation of products on time and potentially retrofit legacy products by 2024. In doing so, it is important to maintain a balance between the actual security gain and economic efficiency. A technical gap analysis of the vehicle architecture can provide a solid basis for such considerations.
This relevance for type approval means it is necessary to securely implement all requirements as efficiently as possible on the first attempt. Appraisals provide the basis for this as a way to identify building blocks already in place, such as tried-and-true functional safety processes or existing management systems. In turn, this enables bespoke implementation plans to be drawn up based on the company’s individual situation. Key success factors for successful cybersecurity programs are support from security partners with experience in setting up such management systems, expert knowledge of automotive security, and reflection on one’s own strengths.
Click here to read about the new security challenges posed by UNECE regulation and ISO/SAE 21434.