While Israel does not participate in the World Forum for Harmonization of Vehicle Regulations, the new UN Regulations that will be further elaborated in this article are extremely relevant for Israeli companies active in the field of autonomous and connected vehicles. These companies are advised to familiarize themselves with the requirements of the UN Regulations to ensure that their products and services remain relevant for car manufacturers located in or exporting to jurisdictions where these regulations will be binding, such as the EU, Japan and South Korea.
The interest in autonomous and connected vehicles grows rapidly, causing the automotive sector to transform profoundly as manufacturers respond to the interest by introducing digitalized in-car systems. Today, cars contain up to 150 electronic control units and about 100 million lines of software code, projected to rise to 300 million lines of code by 2030.
The increased cybersecurity risks that accompany this development, as hackers seek to access electronic systems and data, are addressed by two new UN Regulations on Cybersecurity and Software Updates, adopted by UNECE’s World Forum for Harmonization of Vehicle Regulations on 24th June 2020. These regulations set out clear performance and audit requirements for the manufacturers of autonomous and connected vehicles.
The two new regulations are set to become mandatory in the European Union for all new connected vehicle types from July 2022. Other participating countries, namely Japan and the Republic of Korea, also intend to apply these regulations. They will require that measures be implemented across four distinct disciplines as follows:
- Managing vehicle cyber risks;
- Securing vehicles by design to mitigate risks along the value chain;
- Detecting and responding to security incidents across vehicle fleet;
- Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for “Over-the-Air” (O.T.A.) updates to on-board vehicle software.
About the UN Regulation on Cybersecurity and Cyber Security Management Systems
This UN Regulation requires car manufacturers to be able to demonstrate, prior to putting a vehicle on the market, that they have put in place a cybersecurity management system, amongst others, to:
- Identify and manage cybersecurity risks in vehicle design;
- Verify that the risks are appropriately managed;
- Ensure that the risk assessments are kept current;
- Monitor, detect and respond to cyber-attacks and effectively respond to them;
- analyse attempted or successful cyber-attacks, and analyse if the cybersecurity measures implemented are still effective in light of new cyber threats that may have been identified.
In addition, the vehicle manufacturer has to be able to demonstrate that
- Cyber threats are mitigated within a reasonable timeframe, and
- The monitoring activities shall be ongoing and also include vehicles after first registration while respecting the privacy rights of car owners and drivers.
All of these will be audited by the national approval authorities, which are appointed on a national level by each participating country, or the technical services of such approval authority.
Reports of monitoring activities will be provided at least once a year to the relevant approval authority or technical service, including relevant information on new cyber-attacks. The approval authority or technical service may then, if necessary, require the manufacturer to remedy any detected ineffectiveness.
About the UN Regulation on Software Updates and Software Updates Management Systems
This UN Regulation requires car manufacturers to be able to demonstrate, prior to putting a vehicle on the market, that they have put in place a software update management system that:
- Records the hardware and software versions relevant to a vehicle type;
- Identifies software relevant for type-approved systems;
- Identifies interdependencies, especially with regards to software updates;
- Assesses whether a software update affects the type approval or legally defined parameters (including by adding or removing a function);
- Assesses if an update affects safety or safe driving;
- Informs vehicle users of updates;
- For Over-The-Air software updates:
- An update may not impact safety if conducted during driving;
- Execute update only if the vehicle has sufficient power;
- Ensure safe execution;
- Inform users about each update and about their completion;
- Ensure vehicle is capable of conducting update;
- Inform the user when a mechanic is needed.
In addition, the vehicle manufacturer has to be able to demonstrate that:
- Software updates will be protected to prevent manipulation, and
- The update processes are protected from being compromised.
All of these will be audited by national technical services or approval authorities.
Every modification of the vehicle type which affects its technical performance or the documentation required by this regulation shall be notified to the approval authority which granted the original type approval (i.e. a certificate of conformity, recognized by all participating countries) with regard to a software update procedure. The approval authority may then, if necessary, require a further test report from the technical service responsible for conducting the tests.
We will be happy to answer any additional questions you may have. Feel free to contact any of us: