WP.29 Cybersecurity Vehicle Regulation Compliance
What is WP.29?
Learn about the UNECE WP.29 regulations, the countries where they apply and how they aim to mitigate the cybersecurity risks posed to passenger vehicles.Contact Us
WP.29 adopted a new international automotive cybersecurity regulation in June 2020 to pave the way for connected vehicles and mitigate the cybersecurity risks posed to passenger vehicles. The regulation establishes performance and audit requirements for cybersecurity and software update management for new passenger vehicles sold in the European Union and dozens of other countries. Specifically, WP.29 is the name of the World Forum for Harmonization of Vehicle Regulations, a United Nations Economic Commission for Europe’s (UNECE’s) Sustainable Transport Division working party. WP.29 incorporates into its regulatory framework technological innovations to make vehicles safer and more environmentally sound.
The cybersecurity and software update proposals adopted by WP.29 require automakers to implement measures to:
- Manage vehicle cybersecurity risks
- Secure vehicles by design to mitigate risks along the supply chain
- Detect and respond to security incidents across the vehicle fleet
- Provide safe, secure software updates that do not compromise vehicle safety
Three lifecycle phases are specifically called out in the cybersecurity regulation: development, production, and post-production, which includes monitoring, detecting and responding to cyberattacks.
Passenger cars, vans, trucks and buses and other light vehicles are subject to the regulation, which enters into force in January 2021.
Countries where WP.29 applies
WP.29 applies to the 54 countries that participate in the 1958 UNECE Transportation Agreements and Conventions, such as the EU, UK, Japan, and South Korea, which together produced one-third of the world’s vehicles in 2018. Many more countries that do not formally participate in the 1958 agreement accept United Nations(UN)-compliant vehicles. All manufacturers (including US and Canadian automakers) selling into these markets need to consider the implications of WP.29 regulation for their products and processes.
Countries that do not participate in WP.29 include the US, Canada, and China, which are not signatories to the 1958 agreement and do not recognize UN vehicle regulation. UN-compliant vehicles are not authorized for import to these countries without additional compliance testing specific to the countries’ own transportation safety laws. The US, Canada and China are part of a separate 1998 UN Agreement on UN Global Technical Regulations (UN GTRs). It is possible that signatories to the 1998 agreement might ultimately adopt the same or similar requirements as a GTR.
Enforcement of WP.29 regulations
UN regulations are legally enforceable. If a country or region adopts and enforces WP.29 regulations, proof of compliance is needed for an automotive manufacturer to achieve type approval to sell into a market. In Europe, type approval provides mutual recognition of compliance at the whole vehicle level, so a manufacturer can obtain certification for a vehicle type in one EU country and market it across the EU without further tests. Approval requires the manufacturer to convince a technical services auditor that it has met the WP.29 requirements.
In addition to preventing the sale of non-compliant vehicles in their market, countries and regions can force the withdrawal of such vehicles or force a recall.
Details of the two adopted proposals
Learn about the two parts of WP.29 regulations – cybersecurity and software updates – and details of requirements in each.
WP.29 cybersecurity regulation
The adopted “proposal for a new UN regulation on uniform provisions concerning the approval of vehicles with regards to cyber security and cybersecurity management system” specifies a list of processes vehicle manufacturers must put in place to:
- Identify and manage cybersecurity risks in vehicle design
- Verify that the risks are managed, including testing
- Ensure risk assessments are kept current
- Monitor cyberattacks and respond effectively
- Analyze successful and attempted cyberattacks
- Assess if the cybersecurity measures are effective against new threats and vulnerabilities
Manufacturers must demonstrate that they fulfill the following requirements:
- Have in place a cybersecurity management system and its application to vehicles on the road is available
- Provide a risk assessment analysis that identifies critical risks
- Have measures to detect and mitigate cyberattacks and provide evidence that the mitigations work
- Possess data forensics capability
- Monitor activities specific to the vehicle type
- Transmit monitoring reports to the authority responsible for approving vehicles for sale (homologation authority)
A detailed list of the threats and mitigations in an appendix (Annex 5) requires OEMs to address:
- Back-end servers
- Communications channels (includes external connectivity)
- Software update procedures
- Unintended human actions
- Vehicle data and code
- Components that could be exploited without sufficient hardening
Specifically, some of the wider cybersecurity requirements include:
18.104.22.168. The vehicle manufacturer shall demonstrate that the processes used within their Cyber Security Management System ensure security is adequately considered, including risks and mitigations listed in Annex 5.
(a) The processes used within the manufacturer’s organization to manage cyber security
(c) The processes used for the assessment, categorization and treatment of the risks identified
(d) The processes in place to verify that the risks identified are appropriately managed
(g) The processes used to monitor for, detect and respond to cyber-attacks
(h) The processes used to provide relevant data to support analysis of attempted or successful cyber-attacks.
7.3.1. The manufacturer shall have a valid Certificate of Compliance for the Cyber Security Management System relevant to the vehicle type being approved.
7.3.2 The vehicle manufacturer shall identify and manage, for the vehicle type being approved, supplier-related risks.
7.3.7 Provide data forensic capability to enable analysis of attempted or successful cyber-attacks.
8.1 Every modification of the vehicle type which affects its technical performance with respect to cybersecurity and/or documentation required in this Regulation shall be notified to the approval authority
Read the full text of the WP.29 cybersecurity and cybersecurity management system regulation.
WP.29 software update regulation
The adopted “proposal for a new UN regulation on uniform provisions concerning the approval of vehicles with regards to software update and software updates management system” applies to vehicles that permit software updates. The regulation applies to trailers and agricultural vehicles, in addition to passenger cars, vans, trucks and buses.
The WP.29 software update regulation requires a vehicle manufacturer to put in place processes to:
- Record the hardware and software versions relevant to a vehicle type
- Identify software relevant for type approval
- Verify that the software on a component is what it should be
- Identify interdependencies, especially with regards to software updates
- Identify vehicle targets and verify their compatibility with an update
- Assess if a software update affects the type approval or legally defined parameters
- Assess if an update affects safety or safe driving
- Inform vehicle owners of updates
- Document all the above
Manufacturers must demonstrate that they fulfill the following requirements:
- Have in place a software update management system and its application to vehicles on the road is available
- Protect the software update delivery mechanism and ensure integrity and authenticity
- Protect software identification numbers
- Ensure the software identification number is readable from the vehicle
- Over-the-air software updates must:
- Restore function if the update fails
- Execute the update only if there is sufficient power
- Ensure safe execution
- Inform users about each update and its completion
- Ensure the vehicle is capable of conducting an update
- Inform the user when a mechanic is needed
Read the full text of the WP.29 software update and software update management regulation.
Interrelationship of WP.29 with other cybersecurity standards
Learn about how WP.29 is related to other cybersecurity standards, such as ISO 21434, ISO 24089 and the upcoming frameworks for software bill of materials (BOM).
Demonstrating compliance with industry standards enables organizations to demonstrate compliance with government regulations, such as WP.29. Auto manufacturers can look to ISO/SAE21434, ISO27001, NIST Cyber security Framework, the EU’s General Data Protection Regulation (GDPR) and other cyber security frameworks and regulations for insight. Three of the many relevant industry standards are:
ISO/SAE 21434 and ISO/AWI 24089
Although WP.29 does not mention ISO/SAE 21434 (cybersecurity engineering) and ISO/AWI 24089 (software update engineering), it is understood that if an OEM and its supply chain can demonstrate compliance against these standard frameworks, then that compliance can be used to demonstrate compliance with the WP.29 regulation. Similarly, demonstrating compliance against these two standards should afford OEMs protection from liability.
As an international automotive cybersecurity framework with explicit controls, ISO 21434 will likely be the framework most OEMs and Tier 1 suppliers align or certify to. A timing issue exists, however. The WP.29 regulation will likely come into force before these industry standards are finalized.
Frameworks for software bill of materials (SBOM)
A software bill of materials (SBOM) can uncover security vulnerabilities and build a foundation for better cybersecurity. There are currently a number of organizations working on a framework for a more transparent software supply chain to itemize components in a software bill of materials (SBOM). The expectation is that consumer demand for transparency will cause suppliers to deliver high-quality, more secure code.
The WP.29 regulation requires OEMs to demonstrate supplier-related cybersecurity risks, so compliance with the future frameworks for SBOM should help organizations demonstrate compliance with the WP.29 regulation.