Note: this is the first in a series of posts around the new UNECE WP.29 regulations for cybersecurity and software updating
Connected cars have become one of the most prominent implementations of the internet-of-things. In fact, cars themselves have become internet-of-things environments, usually with between 70 and 100 Electronic Control Units (ECUs) embedded in each vehicle. These ECUs work with sensors and other hardware units, and are connected internally by busses (a small in-car network) as well as to the outside world using mobile sim-cards. As with computers and smartphones, software has become increasingly prominent in managing vehicle functionality and has replaced many formerly hard-wired functions in classic ECUs. In fact, the growing dominance of software has helped modern vehicles become known as “computers on wheels.”
Unfortunately, software also makes vehicles vulnerable to potential cyber-attacks. According to the United Nations Economic Commission for Europe (UNECE), new vehicles include approximately 100 million lines of software code, and that number is expected to triple by 2030. In response to this trend, the UNECE World Forum for Harmonization of Vehicle Regulations adopted two new cybersecurity regulations in June 2020 – one for ECU cybersecurity and one for software updating – and they require automobile manufacturers to implement control processes across four domains:
These new regulations present a major challenge to automobile Original Equipment Manufacturers (OEMs) due to the complex and decentralized technical architecture in modern vehicles, as well as the necessary reliance on supply chain partners for software (classic OEMs have just a 10-30 percent share of self-developed software in their cars). Additionally, the cybersecurity talent shortage makes it difficult to recruit employees with the specialized skills required to assess cyber risks, implement controls and perform other mitigating activities. Also, different manufacturers are at varying stages of maturity with vehicle cybersecurity, and many will be building the capabilities required to comply with the WP.29 regulations almost from scratch.
Key Challenges for Automobile Manufacturers
While enforcement dates for WP.29 cybersecurity compliance may seem relatively far off – in the EU, for example, manufacturers must be able to show cybersecurity compliance for all vehicles, both new and legacy models, as of July 2024, to receive vehicle type approval (the deadline is two years earlier for newly developed car series). This is a significant challenge given the development cycle of new models, which is typically around three to four years. In other words, engineers developing new models for 2022 or 2024, when the regulations are in force, are already into their development projects and must now retrofit cybersecurity into their designs.
There are several key challenges automobile manufacturers are facing today as they work to move their manufacturing, supply and aftermarket processes to WP.29 compliance:
The most fundamental question automobile manufacturers are dealing with right now is: “Who owns these new WP.29 requirements?” Typically, engineering owns the automobile design and manufacturing process, but the IT department (more specifically, the CISO) owns cybersecurity. IT and engineering have been crossing paths for some time in the automobile industry – with the convergence of operations and information technology networks, and with an increasing number of ECUs and digital capabilities in vehicle designs.
To reconcile ownership of the new regulations, most manufacturers are either making the CISO the point person for WP.29 cybersecurity compliance, or creating a new role in the engineering department (Chief Product Security Officer being a commonly used title). Either way, establishing clear ownership is an important first step to addressing the new WP.29 cybersecurity and software update requirements. However, this is just crossing the first organizational hurdle as departments that typically work in their own silos urgently need to cooperate to assure cyber secure vehicles. These departments include R&D, cybersecurity, IT, quality, procurement, aftermarket, and more.
Cybersecurity is different from other vehicle quality processes, because software components must be tested much earlier and more often than other vehicle hardware components. (You can test a hardware system by driving millions of miles with pre-series/pre-production cars – this will never be a successful approach with software because by the time those cars are available, it’s already too late.)
To achieve sound cybersecurity practices, the automotive supply chain needs to be differentiated between hardware and software. The software part needs to work like a professional technology company for software development. Software is currently developed through a combination of internal development organizations and tier-1 suppliers. To incorporate cybersecurity processes that enable WP.29 compliance, OEMs will need to develop new processes that not only change how software is developed, but also evolve relationships with those tier-1 suppliers.
When the vehicle goes away – responsibility stays. Under the new regulations, manufacturers are responsible for cybersecurity measures across the entire vehicle lifecycle. As a result, the aftermarket duties of OEMs to sustain cybersecurity for their fleets represent a cost and profitability risk. And, they need skilled people to manage the fleet’s compliance in the aftermarket. As might be expected, current aftersales organizations are not prepared for this brand-new challenge. These factors require the creation of new teams to manage these processes, and staffing these teams will be difficult amid a cybersecurity talent shortage.
Acquiring the right expertise may also require enlisting the help of external assistance. At the strategic level, consulting organizations with a strong focus on the automobile industry can provide expertise in WP.29 regulations to help manufacturers build their compliance programs. At the tactical level, specialists in penetration testing, cyber secure software design, software update management, fleet monitoring and other cybersecurity disciplines may be required for software security assurance.
Third Party Operations
As mentioned above, automobile manufacturers typically outsource software and ECU system development to supply chain partners. This introduces significant complexity into WP.29 compliance, because those partners now must adhere to secure coding and testing practices that ensure the software installed in vehicles is cyber secure.
These challenges will require a realignment of the relationship between manufacturers and their computer technology supply chain partners. Manufacturers will need access to source code, and will also need to implement rules around which tools and technologies are used to develop the software. Ideally OEMs and their software suppliers work with one source code (including free and open source software, or FOSS) repository, which contains just cyber- and quality-approved source code modules. All of these new rules and requirements will need to be detailed in revised contracts, which today only define software/hardware functionality requirements, not WP.29-specific cybersecurity requirements.
Manufacturers will also rely on their software suppliers to deliver updates for the life of the car, which creates ramifications for the business model around selling cars. They will need to develop ways to finance the update process, so they do not defray profit margins over the life of the car.
Beginning the Compliance Journey
Deloitte is currently engaged in WP.29 cybersecurity projects with more than 10 international automobile manufacturers. Based on this experience, the following initial steps can help automobile manufacturers move in the right direction toward WP.29 cybersecurity compliance:
The new WP.29 cybersecurity regulations will have a fundamental impact not only on the automobile supply chain and manufacturing process, but also on automobile manufacturers’ after-market support requirements and the business model for selling cars. Complying with these requirements may seem daunting – but it is achievable if manufacturers take a methodical approach that starts now. And, as automobiles become increasingly reliant on software for everything from entertainment to safety and suspension options, it is likely less costly to implement more secure software development and update processes now, than it would be to respond to and remediate a serious cybersecurity incident later.
Thilo Bebber is a Director in Deloitte Germany’s Automotive Cyber Security practice, and supports global Automotive clients to securely digitalize their processes, businesses, and products. In this context, Thilo helps clients to understand the requirements and impact of upcoming new Cyber Security Risks, compliance requirements for vehicles, and how to adhere to these in a smart, suitable, and cost effective manner.
Ingo Dassow is a Director in Deloitte Germany’s Automotive Cyber Security practice, and provides services in the Automotive industry, where he is responsible for the implementation of solutions and management systems to enable Cybersecurity management for product and production. His team are establishing standards around Cybersecurity Engineering following ISO 21434, ISO/PAS 21448, ISO 24089, and IEC 62443. He leads the Deloitte premium partnership with Autosar.
Andi is a Partner in the Deloitte Germany’s Automotive practice with 28 years’ experience in technology and regulatory consulting. He is familiar with the developments in vehicle technology and the rising number of global regulations that OEMs and Suppliers need to adhere to.