AUTOMOTIVE CYBERSECURITY
THE CYBERSECURITY ACT
The Cybersecurity Act establishes the cybersecurity certification framework for products and services. The Act introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business within the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognised across the European Union. The Cybersecurity Act itself is a framework, providing guidelines and information for the inferior although more detailed effort for the operation of standardization organizations. Thanks to the legislator this framework provides harmonized standards for the market.
AUTOMOTIVE INDUSTRY
The Cybersecurity Act in itself doesn’t formulate any requirement directly to the market. A major cybersecurity challenge has been introduced to the automotive industry by the UNECE WP29 regulation. It is a preventive action to signifi cant cybersecurity risks. Hackers seek to access electronic systems and data, threatening vehicle safety and consumer privacy. WP29 introduces two new UN Regulations on Cybersecurity and Software Update entered into force in January 2021, which requires four distinct disciplines to be implemented:
• Managing vehicle cyber risks
• Securing vehicles by design to mitigate risks along the value chain
• Detecting and responding to security incidents across vehicle fleet
• Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for so-called „Over - the - Air” (O.T.A.) updates to onboard vehicle software
The objective of UN regulations no. 155 and no. 156 is to regulate cybersecurity for automotive players, introduced by the legislation: EU 2019/2144
• R155: Formation and operation of Cybersecurity Management System (CSMS) at organizational level
• R156: Formation and operation of Software Update Management System (SUMS) at organizational level
It is the responsibility of car manufacturers to comply with legal requirements and ensure the cybersecurity of their complete supply chain. Effective in the EU from 6 July 2022 for new types and from July 2024 for all newly manufactured vehicles. (Japan and South Korea follows a similar timeline.)
This applies to passenger cars, vans, trucks and buses; Categories M and N + O if fi tted with at least one ECU + L6 and L7 also if equipped with automated driving functionalities from level 3 onwards.
OVERVIEW OF ISO/SAE 21434
The ISO/SAE 21434 is a detailed list of requirements built into a standard in order to comply with the legal requirements of WP29. It is a description of the specific technical requirements, tasks, work products for the design and operation of the CSMS and the SUMS. 21434 is an independent certifi cation/audit, which requires a quality management system, therefore there are overlaps with ISO 16949 and ISO 9001 compliance.
The ISO/SAE 21434 standard provisions the following aspects of cybersecurity management:
• Overall | Management of cybersecurity activities
• Project dependent | Design and implementation of cybersecurity activities with responsibilities
• Continuous | Permanent cybersecurity activities (monitoring, vulnerability analysis etc.)
• Risk assessment methods | Risk assessment
• Security by design | Cybersecurity activities during design, development, manufacturing and operation phases
• Distributed | Assure cybersecurity in the supply chain (verifi cation of suppliers)
The regulation implies that ISO/SAE 21434 certified suppliers/component manufacturers are preferred. It is the responsibility of car manufacturers to ensure that they comply with the legal requiements of WP 29. If a component manufacturer/supplier is certifi ed, the car manufacturer can accept the conformity of the supplier and the supplied product, which is an incentive aspect for the supply chain to fulfi l the cybersecurity requirements for themselves as well.
Certification:
• ISO/SAE 21434 certifi cation independently
• Unifi ed certifi cation process with multiple standards
• Annual reviews per standard package
Consultancy:
• Education: Preparation, how to meet the requirements of 21434
• System design – Documentation writing and examinations required for the certifi cation
• Security by design fulfi lment - consulting on cybersecurity of products under development
• Other obligatory examinations for 21434 compliance:
• Risk analysis
• Vulnerability Testing - The standard requires periodic testing
The 21434 certifi cation is valid for a maximum of three years, however, it may be reviewed at any time.