
PPT FG 2019 WP6 (002).pptx - Read-Only


22/11/2019


F. Guichard

UNECE/TRADE/WP.6 29 May 2019

Geneva, Room XII

Cyber Security related activities at GRVA

François E. Guichard

Mechanical Engineer

(Technical) Secretary of the Working Party on Automated/Autonomous and Connected Vehicles (GRVA)


Content

• Presentation of the UNECE’s World Forum “WP.29” and its “GRVA”

• Cyber security in transport – introduction

• Task Force on Cyber Security and OTA issues

• Standards and Regulations - essential


Agenda 2030 – Sustainable Development Goals

Our challenges:

• Environmental issues

• Road safety tragedy

• Urban transport

• …


UNECE and vehicle regulations

Conventional vehicles

Automated and Connected Vehicles

70


Cyber security in Transport

• Aviation (ICAO)

– ICAO Assembly Resolution A39-19

– Declaration on cybersecurity in civil aviation (Dubai, UAE, April 2017)

– ICAO Cyber Security and Resilience Symposium (Oct. 2109)

Including a number of recommendations at state level

• Maritime (IMO)

– Guidelines on maritime cyber risk management (MSC-Fal.1/Circ.3)

The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company's Document of Compliance after 1 January 2021.

– Reference to voluntary guidelines, ISO/IEC 27001 and the NIST Framework


Cybersecurity – wake up call


Technical progress and new behaviors

@Tesla @Chevy Bolt

OTA updates


Technical progress and … new behaviors

@Volvo @Faurecia


Cyber security and automotive

• Adoption of a Guideline on cyber security and data protection

United Nations (UNECE) Guideline on Cyber Security and Data Protection adopted in 2016

The guideline includes requirements regarding:

• Security (by design)

• Privacy (by design and by default)

• Secure software updates

• Integrity of internal communication as well as online services

It also states (among others):

• The system shall be accessible for verifying the measures implemented by automotive manufacturers, component/system suppliers and service providers to ensure cybersecurity and data protection by independent authorised audit

• The protection of connected vehicles [...] requires verifiable security measures according security standards (e.g. ISO 27000 series, ISO/IEC 15408)

• Establishment of the Task Force on Cyber Security and OTA issues in 2016


Content

• Presentation of the UNECE’s World Forum “WP.29” and its “GRVA”

• Cyber security in transport – introduction

• Task Force on Cyber Security and OTA issues

• Standards and Regulations


Task Force on Cyber Security and OTA issues

Chairpersons

Cyber security

– CSMS approval

– Cyber security approval

(OTA) Software updates

– SUMS approval

– SU approval

– SI requirements

Work

– First drafts

– Testing Phase

– Fine tuning

Focus on the following key safety elements:

• Cyber security

• Software Updates

Ambition: Completion in February 2020

NTSEL DfT NHTSA


Test phase

• The first draft regarding cyber security was subject to a test phase.

– The aims of the test phase were to verify the effectiveness/robustness of both proposed Regulations and to verify that approval authorities/technical services are able to assess the information and, if provided the same information, reach the same conclusions

• Countries were invited to test the regulatory text drafted:

– Involved 7 countries (in Europe and Asia)

– Involved 15 vehicle manufacturers (globally)

– One manufacturer was able to work with two technical services to provide for a joint assessment of the same information

• No requirement imposed on countries to select inspectors with a specific profile

Countries involved experts with certified expertise, including both TA and cyber profiles

• Risk management approach is assessed positively.

This can be recommended as in ECE/CTCS/WP.6/2019/9 tabled this week


Content

• Presentation of the UNECE’s World Forum «WP.29»

• Automation and connectivity innovations

• Some regulatory activities aimed at addressing technological progress

• Standards and Regulations


Regulation through cooperation with various sectors & SDOs

• Lighting and Light Signalling sector:

– IEC standards: IEC 60061, IEC 60809

Specific UN Regulations on light sources

• Tire sector:

– ISO, ETRTO, JTMA standards

Regulation on tires

Regulation on tire installation

• ICT and Telecom sector:

– eCall

– Cyber Security and OTA


Cyber security regulations and standards

Initial R&D

Technology Testing Production Type approval

Communication

Field monitoring

Incident management

Software updates

Certification framework

Management Status

UN Regulation on cybersecurity: X O X X X X X Pending

UN Regulation on Software updates: X O X X X Pending

ISO / SAE 21434 (cybersecurity engineering): X O O O X O O X Drafting

ISO 24089 (software update engineering): X O X O X Drafting

SAE J 3061 (Guidebook for cyber physical vehicle systems): X O O O O X Final (01/2019)

IEC 62443: X X X Final (02/2019)

Source: Dr. Markus Tschersich


Standards to prepare supply chain for compliance

Objectives Regulation Standardization

Ensuring capability of the organization

Cyber security management system

Certificate of compliance

Vehicle Type A

Vehicle Type B

... Vehicle Type N

Cyber security performance of the vehicles

Audit of Organization e.g. based on ISO/SAE 21434

Assessment report e.g. based on ISO/SAE 21434

UN Regulation on Cybersecurity

Source: Dr. Markus Tschersich


THANK YOU VERY MUCH FOR YOUR ATTENTION

UNECE

http://www.unece.org/automated-vehicles
