Modern vehicles designed for smart mobility have improved IoT connectivity. However, connected cars have also introduced software vulnerabilities and increased the risks of cybersecurity threats. Because the automotive sector faces an increase in threats, governments and regulators are taking measures to regulate the industry and mitigate cyberattacks. Here are ten things you should know about the cybersecurity regulations for the automotive industry:

1. Why connectivity makes vehicles vulnerable ?

It’s predicted by the United Nations Economic Commission for Europe (UNECE) that cars will have approximately 300 million lines of software code by 2030. Today, the average car has about 100 million lines of code and 150 electronic control units. The increase in code also means an increase in cybersecurity vulnerabilities and, therefore, threats.

2. What the regulations hope to achieve ?

The intentions of the cybersecurity regulations for automotive are to improve vehicle safety and increase anti-theft security. However, the regulations were also developed to boost energy efficiency, which helps protect the environment.

3. Potential financial losses due to cyberattacks

The projected financial losses by 2023 for the automotive industry may reach up to $24 billion.

4. The approval of cybersecurity regulations for the automotive sector

On June 23rd, 2020, the UN Economic and Social Council proposed a new regulation that enforced uniform provisions for the approval of vehicles. The regulations would outline new processes and cybersecurity measures. On June 25th, 2020, two new UN regulations were adopted - one for cybersecurity and the other for software updating (and their respective management systems).

5. The United Nations Economic Commission for Europe’s role in the automotive regulations

Under the UN Economic and Social Council’s jurisdiction is the United Nations Economic Commission for Europe (UNECE). The UNECE’s Inland Transport Committee (ITC) addresses the global needs in inland transport. One of its subsidiaries is the World Forum for Harmonization of Vehicle Regulations (WP.29).

6. Towards an International Adoption ?

The goal of UNECE is to initiate and pursue actions aimed at the worldwide harmonization or development of technical regulations for vehicles. Even-though there are only 54 contracting member states to UNECE’s 1958 Agreement, a broad adoption of these regulations across the world is expected.

7. Areas of application and implementation

The regulation on cybersecurity applies to vehicles such as cars, vans, trucks and buses if equipped with automated driving functionalities (>= level 3), whereas the regulation on software updates applies too all vehicles supporting software updates.

The WP.29 regulations require automobile manufacturers to enforce control processes across four areas.

1. The first domain manages cyber risks in vehicles.
2. The 2^nd aims to mitigate risks along the value chain.
3. The 3^rd area of implementation focuses on the detection and response to security issues across vehicle fleets.
4. The last provides software updates to ensure vehicles are not compromised.

8. The cybersecurity and IoT threats that the regulation address

The WP.29 regulations intend to mitigate threats related to vehicle update processes, data loss, breaches, and communication connections, including external connectivity such as back-end server threats and human error.

9. How the regulations mitigate cyber threats and vulnerabilities

The regulation has identified seven main cyber threats to the vehicle, its components, and it's back-end servers, leading to 69 different attack routes. The regulation provides 23 cybersecurity mitigations to secure these areas from threats potentially.

10. Important enforcement dates

By Q2 2021, the regulations should be finalized and published. If the schedule is followed, new vehicle type approvals by July 2022 will need to comply with the cybersecurity system regulations to achieve acceptance. In the EU, the regulation will be mandatory for all new vehicles manufactured starting July 2024.

If you wish to learn more about this regulation, get prepared or get pre-audited by sector specialized cybersecurity experts, feel free to get in touch.