A single automotive cyber security standard at last: WP.29
Estimated reading time: 5 minutes
Last updated October 2023
Car makers and their suppliers already work hard to secure their vehicles. The UN's WP.29 has given the industry a shared standard to guide their actions.
In 1982, New York became the first US state to force drivers and passengers to wear seatbelts. There was a lot of resistance from freedom-loving motorists. But the seat belt lobby held firm. They dismissed the libertarian argument as "the right to go through the windshield."
But what was remarkable about the decision was how long it had taken: about thirty years!
Today, the seatbelt question is settled. But there's a new safety issue for regulators: automotive cyber security standards. The good news is that the public is universally supportive this time. And the regulators are acting much faster.
They need to.
New vehicles have become data centres on wheels. Today's cars support up to 150 Electronic Control Units (ECUs) and up to 100 million lines of code. As a result, data flows in and out of the vehicle from multiple sources.
There are already 192 million connected cars on the road in 2023.
Why are automotive cyber security standards important?
The bad news?
Every point of connection is a potential 'in' for hackers.
At the most extreme end, automotive cyber security risks can be terrifying – hackers taking remote control of a vehicle.
This is not just theory.
In November 2020, university researchers critically hacked into and stole a Tesla Model X in about two minutes. They only needed a key fob, a Raspberry Pi and a replacement engine control unit. This kit cost around $200.
But the more likely threat is that bad actors will intercept car data for financial reasons. For example, they are installing malware into a vehicle's operating system and demanding payment for removing it.
Regrettably, these attacks are already happening. H1 2023 Upstream Security report shows a rise in data breaches (37% of incidents) and backend server attacks (40%) compared to the same period the year before.
Clearly, the automotive industry does take automotive cyber security standards seriously. Manufacturers are working hard to defend against threats, and bodies like the Car Connectivity Consortium (CCC) provide a forum for sharing standards and insights.
In 2014, digital security specialist Craig Smith published The Car Hacker's Handbook. In an interview with TechCrunch, Smith said: "The expectation is that the manufacturer has done proper security tests. But you need some method for third-party review."
The good news spells WP 29.
UNECE WP.29 – the same automotive cyber security standard for everyone?
This brings us back to those car safety laws. Since the 1950s, the United Nations has been involved in improving the safety of vehicles, passing regulations on seat belts, steering wheels, headlights and more.
In 2018, it began looking at automotive cyber security standards.
The United Nations Economic Commission for Europe (UNECE) created a new WP.29 regulations to do what Smith said – ensure all car makers meet clear performance and audit requirements before their vehicles hit the road. It displays an 'Approval Authority' that will vet participating manufacturers.
Observers believe this is a breakthrough moment.
In its 2020 report Cybersecurity In Automotive, McKinsey wrote in response:
The 2020 framework
The WP.29 Cybersecurity regulations were approved in June 2020. They give the automotive sector a framework to put in place processes to:
• Identify and manage cybersecurity risks in vehicle design
• Verify that risks are managed
• Make sure risk assessments are kept current
• Monitor attacks and respond to them
• Analyse successful or attempted attacks
• Review cybersecurity measures in the light of new threats
• Ensure security lifecycle management (across the development, production and post-production phases)
Changes to the WP29 regulation since early 2021
- In February 2021, WP.29 adopted a corrigendum to the regulation to clarify the requirements for the cybersecurity management system (CSMS).
- In June 2021, WP.29 adopted a supplement to the regulation to add new requirements for the security of over-the-air (OTA) software updates.
- In November 2021, WP.29 adopted a corrigendum to the supplement to clarify the requirements for the security of OTA software updates.
The most significant change is adding new requirements for the security of OTA software updates.
The new requirements require vehicle manufacturers to implement several security measures, including:
- Authenticating the OTA software updates to ensure they are from a trusted source.
- Encrypting the OTA software updates to protect them from unauthorised access.
- Verifying the integrity of the OTA software updates to ensure they have not been tampered with.
- Securely installing the OTA software updates to prevent unauthorised access to the vehicle during the installation process.
WP 29 guidelines
WP.29 guidelines refer to data protection under GDPR and other aspects issued by the Article 29 Working Party (WP29) and to regulations and harmonisation efforts related to vehicle standards under the UNECE WP.29.
Heated car seats, air con, digital radio… automotive cyber security?
The European Union has already adopted WP.29 regulations. They will be mandatory for all new vehicle types in the EU from July 2022. South Korea and Japan have also committed.
It's a good start, given that the three regions produced 32 million vehicles in 2018.
With this directive, the UN is making automotive cyber security standards non-negotiable. The hope is that motorists will factor cyber security into their buying decisions – like air-con or heated seats.
This shift is already happening.
In a consumer study by IBM, 62 per cent of consumers said they would consider one brand over another if it had better security and privacy.
However, it's also important to remember that good cybersecurity is not just a defensive measure. By reducing crime and boosting trust, car makers will accelerate the development of new features and business models such as:
Shared ownership/access
Systems that let drivers easily rent a nearby car or grant car access to their owned vehicle to a friend.
In-car detection systems
Systems for altering lighting and temperature to improve driver alertness
V2V communication
Systems that broadcast car position and speed to other connected vehicles to avoid accidents
Payments
Automatic payments (without driver participation) for parking, battery charging, fuel and more
Real-time information
Live journey planning to avoid traffic and find parking spaces
Smartphone and voice integration
Giving the driver control of in-car entertainment, links to smart home, etc.
Location-triggered alerts
Marketing alerts sent by local businesses to the in-car display
Stakeholders are already testing some of these scenarios.
A good example is the NordicWay collaboration between public and private partners in Finland, Norway, Sweden and Denmark.
It is investigating ideas such as how to create 'dynamic environmental zones'. This signals hybrid cars to switch to electric when specific limits are exceeded on pollution, noise, presence of vulnerable people, etc.
What is automotive cyber security? It starts with three key vulnerabilities…
The WP.29 regulations provide important benchmarks for stakeholders on automotive cyber security standards.
They give the 'what', not the 'how.
In other words, they don't prescribe specific actions.
So, how should the connected vehicle industry approach the challenge?
First, let's establish where the vulnerabilities are. They can be grouped into three areas.
#1. The vehicle
To repeat, a connected car has around 150 (and rising) Electronic Control Units. The ECUs send data via air or physical media (such as fobs and USB sticks). Attackers can exploit any vulnerabilities here.
#2. The communications layer
Vehicle data in transit provides another opportunity for hackers – leading to distributed denial of service (DDoS) attacks, spoofing and other data breaches.
#3. The application layer
Obviously, all this vehicle data has a final destination – from city authorities to entertainment providers to fleet owners and more. Strong cybersecurity is needed to ensure that only authorised entities can access the data and that these stakeholders protect their systems.
Security by design from the car factory floor to the scrapyard
The above points show automotive cyber security does not stop when the car leaves the factory. It is needed throughout the entire vehicle lifecycle (up to 15 years).
And it extends to all participants in the value chain – not just the manufacturer.
For this reason, experts believe the best way to ensure car safety is with a security-by-design approach.
This means that every OEM and supplier must bake in security features, not retrofit them later. They should also be able to detect and react to attacks over time.
This process starts with a risk analysis, which lists all threats and vulnerabilities and the impact of any attack.
The next stage is to give every device a trusted digital ID. With trusted credentials, the system can recognise legitimate partners and spot attackers. These IDs can be held in a (physical) tamper-resistant Secure Element for even stronger protection.
Finally, to protect the data, there should be end-to-end encryption of all communication at rest and in motion. This will render any stolen data useless.
So, let's look at how these principles should be applied in a connected car context.
• Give every ECU a secure identity
As we have established, the connected vehicle hosts multiple ECUs from multiple vendors.
To ensure the car is safe, manufacturers should give every ECU a diversified, random ID related to its serial number.
This secure ID can then authenticate the ECU throughout the vehicle's lifecycle, granting access only to authorised users using Public Key Infrastructure (PKI).
The manufacturer must ensure it selects only ECUs manufactured in a secure environment.
• Integrate the secure ECUs
OK, so the vendors have created secure ECU IDs. Now, it's up to the vehicle manufacturer to integrate them all – and take ownership of who can access them.
The best practice at this stage is to change the ECU credentials so that only the carmaker knows them.
• Maintenance and updates
As anyone with a smartphone knows, software needs to be regularly updated.
Cars are no different.
Let's say an ECU needs a firmware upgrade. A good security-by-design process will enable temporary access credentials for maintenance personnel.
It can also schedule regular over-the-air software updates – and enable new ones when fresh risks emerge or legislation changes (which will save money on factory recalls).
Finally, it will permanently deactivate all credentials at the car's end of life.
Responding to threats: the Security Operations Centre
Needless to say, good security by design will provide protection, but it will never completely deter attackers. For this reason, the connected car ecosystem needs to monitor and respond to threats as they occur.
To do this, stakeholders can set up a Security Operations Centre (SOC).
The SOC is a well-established concept in enterprise IT but is relatively new in automotive.
Vehicle SOC security operatives can analyse data from every part of the connected car ecosystem – from the R&D lab to assembly – to produce meaningful alerts. They can look for indicators of compromise – clues that show an attack may be imminent. They can then respond with countermeasures such as over-the-air updates.
We witness pivotal moments in the progression of automotive cybersecurity standards, especially with the widespread adoption of the UNECE WP.29 regulation.
As the industry continues to integrate these standards, they serve as a crucial framework for all involved parties.
Furthermore, this regulation may catalyse the next wave of innovation in connected car technology.
*McKinsey & Company' Cybersecurity In Automotive' Report 2020
TOP 5 FAQs about UNECE WP.29
What does WP29 stand for?
WP.29 represents the "World Forum for Harmonization of Vehicle Regulations" under the United Nations Economic Commission for Europe (UNECE). It's a platform for international collaboration on automotive regulations, ensuring safety, environmental protection, and trade efficiency. WP means "working party" and refers to a group or committee assigned to work on a specific issue or set of issues.
Is WP29 mandatory?
While WP.29 sets forth harmonised vehicle regulations. Countries that adopt these regulations make them mandatory for vehicle manufacturers selling within their borders, ensuring standardisation in safety and environmental performance.
What is the WP29 CMS regulation?
The WP.29 CMS (Cybersecurity Management System) regulation demands that manufacturers ensure robust cyber protection for vehicles throughout their entire lifecycle, from design to decommissioning.
What is the UNECE WP.29 Cybersecurity regulation?
The UNECE WP.29 Cybersecurity regulation requires automotive manufacturers to establish cybersecurity measures to prevent cyber threats. This includes creating a management system, risk assessments, and continuous monitoring against potential vulnerabilities and threats.
Is there a difference between WP29 and UN R155?
WP29 is the organisation that develops and adopts international regulations for vehicles, and UN R155 (United Nations' regulation N° 155) is a specific regulation developed by WP29 and addresses cybersecurity.
More resources on automotive cyber security standards and regulations
- UNR 155 on cyber security and cyber security management system
- ISO 21434 2021 on cyber security engineering
-
Why we need a secure future for the Automotive Digital Key (SCmagazine - 23 Sept 2023)
- Seven benefits of autonomous cars
- The connected car (Infographic)
- Thales strengthens its leadership in automotive cybersecurity with a new certification