In July 2020, the World Forum for the Harmonization of Vehicle Regulations (UNECE WP29) released the framework for the first legally binding specification in the field of cybersecurity for the automotive industry. The European Union and many other legislators will convert this bill into applicable law. The consequence in the European Union’s case is that the requirements outlined therein will bind new vehicle types from 2022 and all new vehicles from 2024 on. This is the first time that there is an obligation to consider cybersecurity risks in vehicles systematically.
For research and development departments, the direct consequence is that they have to establish a Cybersecurity Management System and implement the processes and methods described by ‘ISO/SAE 21434 Road vehicles – Cybersecurity engineering’. This standard will be available in early 2021 and describes best practices in engineering. But the consequences of the UNECE WP29 regulation go significantly further. Managing risk with a cybersecurity risk management system cannot focus only on the product. The whole ecosystem necessary to develop and maintain the vehicle as a product must be enabled for cybersecurity.
Cybersecurity governance structures and processes must be implemented or adapted to ensure a secure development environment. A secure supply chain has to be established, and the necessary support processes have to be implemented. All this has to be based on a well-established, secure IT infrastructure, creating a platform for secure development. This may not sound new, but it is not as easy to achieve as it seems. All the necessary processes and responsibilities must be designed well to fit the organization’s needs and avoid gaps in the defense against attackers. Achieving this will require input and support from many stakeholders across many disciplines, which makes it a complicated and tedious way to go.
Figure 1: The increasing relevance of cybersecurity in the field of product development drives the convergence of product and IT security into an integrated model
The way to go is not only complicated; many organizations do not even know where to start. A comprehensive overview of the as-is state of cybersecurity readiness is necessary to progress from there.
If your organization is one of the many that are unsure where they stand and what is really required, contact us. Our Cybersecurity Readiness Assessment will identify your gaps and light the way to closing them.