In just six short months, a major new cybersecurity obligation will hit the automotive industry in the shape of a UN mandated regulation. I wanted to share some thoughts about its significant potential impact for car makers and the obligations to ensure the cybersecurity of their vehicles. Regulation shapes not only what we have to do (as an industry) but also how quickly we have to move to make it happen.
The new regulation from the United Nations Economic and Social Council, WP.29/GRVA (The Working Party on Automated/Autonomous and Connected Vehicles) is due to go live in January 2021. And frankly, that’s not very far in the future….considering the average development time for new cars.
What this means to car makers (the OEMs: the big brands in the car world, in other words) is that they will be automatically and ultimately responsible for the cybersecurity of a vehicle, not only at the point of sale or throughout its warranty period, but throughout its entire lifecycle. And that’s where this new regulation is a significant and important shift.
Failure to gain, or maintain, WP.29/GRVA certification would result in the vehicle manufacturer losing market access within signatory countries.
The work of the GRVA relates closely to ISO 21434 and ISO 26262 standards which also address cybersecurity and safety in vehicles – and how these ultimately impact vehicle design and passenger safety.
Once it’s in place, WP.29/GRVA will benefit consumers and – if approached correctly – the industry. Recent years have demonstrated the potentially ruinous costs associated with vehicle recalls (both to balance sheets and to corporate reputations): US recalls alone cost the industry $22 billion in 2016.
This will shift the emphasis from firefighting and expensive recalls, to prevention; but to minimise the financial impact of the introduction of GRVA, car makers must start preparing for compliance immediately – and that could mean looking at protecting vehicles already in production.
This upcoming regulation reinforces the need for projects such as Secure-CAV. Many of the mandatory requirements have a direct solution under development as part of the Secure-CAV consortium to help automotive OEMs achieve both compliance and functional cyber-resilience. One example of this is the CAN Bus Sentry which protects the in-vehicle message infrastructure by detecting and tackling rogue CAN frames. Frames that contravene normal operation or have inappropriate origin can be neutralised or modified. This is real-time, in-life, detection and mitigation of cyber threats to automotive systems, and is likely to be pivotal to gaining GRVA certification.
Although the responsibility of the regulations falls ultimately on the shoulders of the vehicle manufacturer, it requires the entire industry to support and comply with it – and in particular, it’s the underlying technologies that hold the secret to compliance. Industry consortia like Secure-CAV, and innovative technologies such as hardware-based security are set to be an important part of that effort.