Automobile manufacturers and their suppliers face the major challenge of protecting their vehicles from cyber attacks. In order to ensure vehicle safety and at the same time implement necessary innovations, the UNECE World Forum for Harmonization of Vehicle Regulations working group has defined transnational regulations. We asked our Managing Partner Peter Kobriger for his expert opinion!
Peter, what does the UN regulation of UNECE/WP.29 mean specifically for vehicle safety? And what challenges do you see ahead for future vehicle development?
The upcoming UNECE regulation UN R155 requires first and foremost a careful analysis in dealing with cyber security risks. As a prerequisite for this, every vehicle manufacturer should set up a so-called cyber security management system and provide evidence of cyber security risk analyses, implemented countermeasures and tests carried out, to name just a few points. Finally, a so-called technical service, i.e. TÜV, DEKRA, etc., is to certify the implementation at the vehicle manufacturer.
Of course, some will now moan, "not another new administrative act in addition to quality management, information security, etc.". I can very well understand these concerns. Nevertheless, a cyber security management system, for example, forms the necessary basis for a structured and systematic handling of cyber security attacks and their defense. A system like this relates to the entire life cycle of a vehicle, from development to production, support in operation, and the controlled discontinuation of product support. I am convinced that every car manufacturer has a very strong interest in bringing its vehicles to the market as safely as possible and continuously securing its fleet on the road against newly discovered vulnerabilities. After all, who would want to sit in an autonomously driving car with the uncertainty that some third party could possibly jeopardize personal safety?
In vehicle development, the prerequisites must now be created to understand cyber security as an integral part of development. Roughly speaking, this begins with the analysis of attack paths and the creation of a cyber security concept, and continues with continuous consideration in actual software and hardware development, and finally culminates in comprehensive testing.
The topic of cyber security requires active action on the part of automotive manufacturers and their suppliers. What exactly do manufacturers and their suppliers need to be prepared for, and what role does Zielpuls play?
Customer confidence, image and liability cases are in themselves weighty reasons for manufacturers and suppliers to bring safe products onto the market. UN R155 will add even more momentum to the rapid implementation, as it is expected to be relevant for type approvals from mid-2022. The cyber security management system required by UN R155 will be specified in the upcoming ISO/SAE 21434 standard, "Road vehicles - Cybersecurity engineering." The ISO is independent of UNECE regulation, but covers all requirements.
By being type-approval relevant, UN R155 particularly affects vehicle manufacturers. Since they also have to provide evidence of the cyber security of their suppliers' services, it can be assumed that sooner or later they will demand ISO 21343 certification from suppliers. Special interface agreements will also be used to regulate the way in which data is exchanged between suppliers and manufacturers. After all, the right data must be available in the right format. Manufacturers and suppliers must also continuously exchange information about known weak points and how to eliminate them.
Zielpuls supports the implementation of the relevant cyber security mechanisms and measures over the entire lifecycle of relevant vehicles or products. This includes the complete set-up of a cyber security management system according to UN R155 or ISO/SAE 21434, the organization and coordination of the information flow in the supply chain as well as within the customer organization, so that all approval-relevant information is available. We are also actively involved in monitoring cyber attacks. We provide support in designing and setting up so-called Vehicle Security Operation Centers - VSOC - and can also operate these within our Accenture network on request. That sounds huge and all-encompassing. That's why it's always important to me personally that we don't design a bloated organization, but that we respond to individual needs with sense and understanding and implement practicable solutions.
With which customers is Zielpuls already working on the implementation of the UN regulation and what are the biggest challenges in the day-to-day project work?
We are currently supporting two automotive manufacturers in implementing the requirements from UN R155 and ISO/SAE 21434, respectively, and in the upcoming certifications, and we will also support the operational business at the beginning. These are very exciting and versatile tasks, where we also look at the supply chains and provide support in the ongoing standardization.
At the same time, we are investigating the relevant ISO requirements for a Tier 1 supplier and defining an efficient implementation.