Advancements in driving automation, autonomous technologies and connectivity are ushering in a new era for mobility. Modern vehicles contain multiple computers and hundreds of millions of lines of code to control the interconnected mechanical, electrical, media and infotainment systems. As automation and in-vehicle technologies become more connected, the number of attack surfaces and vulnerabilities escalates, introducing new complexity and risk for original equipment manufacturers (OEMs) and their suppliers. In addition to traditional standards and best practices, manufacturers must now address cybersecurity as part of their quality and safety management practices.
UL can provide end-to-end advisory support to help you understand and implement emerging cybersecurity standards and best practices. We can review your existing processes or assist you in creating new frameworks to secure your products, achieve successful type approval and bring safer automotive innovations to the global market.
Automotive cybersecurity standards and regulations
United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations (WP29) to regulate motor vehicles and motor vehicle equipment
WP29 under UNECE is releasing new cybersecurity and over-the-air software requirements prioritizing the safety and security of vehicle automation and connectivity, advanced driver assistance systems (ADAS) and dynamics such as steering and braking. WP29 will present cybersecurity as non-negotiable for securing market access and type approval across member markets, including the EU, Japan, Korea and many others.
ISO/SAE 21434 standards
ISO/SAE 21434 includes cybersecurity risk management requirements for road vehicles with electrical and electronic (E/E) systems, components, interfaces and communications. The requirements cover the product’s entire life cycle, from concept, design, threat analysis and risk assessment (TARA) framework and development, through production, operation, maintenance and decommissioning.
Automotive cybersecurity gap analysis
We can conduct a gap analysis of your existing cybersecurity management system to evaluate compliance with UNECE WP29 regulations and ISO/SAE 21434 requirements for type approval.
Automotive cybersecurity management system (CSMS) framework
The CSMS framework is a systematic risk-based approach defining organizational processes, responsibilities and governance to manage risk associated with vehicle cyberthreats. CSMS requirements span the development, production and post-production phases and include:
- Cybersecurity management within the organization
- Identification of risks
- Assessment, categorization and treatment of identified risks
- Risk management verification
- Vehicle type cybersecurity testing
- Helping ensure the risk assessment is kept current
- Monitoring, detecting and responding to cyberattacks, threats and vulnerabilities
- Cybersecurity effectiveness assessments
- Supply chain management
We can help you evaluate your existing CSMS framework against WP29 regulations and ISO/SAE 21434 requirements.
Automotive cybersecurity risk management framework
An organizational risk management system is a mandatory requirement for an ISO/SAE 21434 compliant CSMS framework. The risk management framework can be used to implement an overall cybersecurity risk management system and applies to all cybersecurity engineering activities within the organization.
The objective of the risk management system is to:
- Develop a risk management strategy to identify and mitigate risks effectively.
- Create a risk management culture where employees understand the importance of monitoring and managing risks.
We can help you to develop an ISO/SAE 21434 compliant risk management system that includes:
- Guidelines for the development of a risk management strategy, including processes, policies and templates to effectively identify, assess and mitigate risks
- Processes for performing risk assessment and risk treatment in accordance with ISO 31000
- Policies for embedding a risk management culture within the organization
Threat Analysis and Risk Assessment (TARA) framework
Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cybervulnerabilities and select countermeasures to mitigate these vulnerabilities. The objective of a TARA is to create a security testing framework based on the identification of assets, attack surfaces, associated damage scenarios, threats and the rating of the threats. You can then use this testing framework to formulate a test plan and create the test cases needed to determine whether the appropriate countermeasures have been implemented properly to mitigate the identified threats.
Expert guidance to help you secure your automotive products, components or systems from cyber threats
Secure your innovations with our expert support. We provide comprehensive and proven security services that help you protect vehicles and their passengers while also creating engaging driving experiences. Our advisory services can help you understand what’s required to implement a thorough automotive cybersecurity management system that covers risk management, threat analysis, internal and external cybersecurity, and supply chain management. You can rely on UL for trusted security expertise so that you can innovate and develop new technologies that drive increased consumer demand. Our deep understanding of automotive best practices helps enable OEMs and automotive suppliers to thrive in the age of connected vehicles.