The new regulations show that car producers must constantly demonstrate verifiable risk management and carry out relevant tests. They should be able to monitor, ward off and react to cyber attacks. This includes forensic skills to analyze successful or attempted attacks. It should be possible to document evidence of this, for example in company documents that detail the relevant processes.
The UN regulation working group would provide a kind of checklist that those affected could work through. In addition to the general rules for cybersecurity, there would also be requirements for future type approval procedures. For example, it has to be proven that manufacturers use a special cybersecurity management system. Vehicle builders would also have to show that planned remedial measures worked and that they could actually locate and prevent attacks.
ISO Standardization Process and the UN Regulations
There is some overlap between the ongoing ISO standardization process and the UN regulations. At ISO, the entire area of the supply chain is covered more broadly and the focus is also on gateways, control units, the infotainment system and sensors such as radar or cameras. At the UN level, the entire vehicle is in view with the entire electronic architecture and networking interfaces.
Manufacturers had already carried out an initial gap analysis in view of the obligation to observe both regulatory strands. The car maker was responsible for the entire architecture and had to apply for type approval. Suppliers and sub-suppliers would be obliged to provide adequate documentation of the delivered systems, software or components. Since a liability case could end up in court, the minimum requirements could not be taken lightly.
The standardization experts explained that the EU plans to make the UN requirements binding for all vehicle types starting in July 2022. Asia has already adopted the rules for autonomous vehicles as a precautionary measure, and from the middle of the year they should become binding for all types there. The USA was not directly involved in the ratification process, but wanted to draw up its own list of requirements based on the UN guidelines.