Insights into WP.29 and the Automotive Sector

Interview by Greg Orloff, Senior Analyst and CBDO with IIoT World, and Ian Todd, IoT Practice Lead, Security Services with BlackBerry, on WP.29

The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) is a unique worldwide regulatory forum within the institutional framework of the UNECE Inland Transport Committee.

Three UN Agreements provide the legal framework allowing Contracting Parties (member countries) attending the WP.29 sessions to establish regulatory instruments concerning motor vehicles and motor vehicle equipment.

WP.29 Cybersecurity Regulation  

The adopted “proposal for a new UN regulation on uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management system” specifies a list of processes vehicle manufacturers must put in place to:

  • Identify and manage cybersecurity risks in vehicle design
  • Verify that the risks are managed, including testing
  • Ensure risk assessments are kept current
  • Monitor cyberattacks and respond effectively
  • Analyze successful and attempted cyberattacks
  • Assess if the cybersecurity measures are effective against new threats and vulnerabilities

Manufacturers must demonstrate that they fulfill the following requirements:

  • Have in place an automotive security management system whose application to vehicles on the road is available
  • Provide a risk assessment analysis that identifies critical risks
  • Have measures to detect and mitigate cyberattacks and provide evidence that the mitigations work
  • Possess data forensics capability
  • Monitor activities specific to the vehicle type
  • Transmit monitoring reports to the authority responsible for approving vehicles for sale (homologation authority)

A detailed list of the threats and mitigations in an appendix (Annex 5) requires OEMs to address:

  • Back-end servers
  • Communications channels (includes external connectivity)
  • Software update procedures
  • Unintended human actions
  • Vehicle data and code
  • Components that could be exploited without sufficient hardening

BlackBerry QNX Readiness Assessment

To help you navigate the regulations and prepare your development teams for these new requirements, BlackBerry QNX’s Professional Services team has created a WP.29 readiness assessment to provide the risk management techniques and insight needed to improve conformity to the WP.29 regulation.

BlackBerry’s WP.29 readiness assessment uses a data-driven methodology to help you understand your organization’s conformity to the regulation and your overall cybersecurity posture, identify cybersecurity risks, and create a roadmap to WP.29 compliance. A robust methodology combines BlackBerry’s industry-leading security expertise and cutting-edge cybersecurity technology through a systematic, step-by-step professional services engagement.

BlackBerry’s WP.29 readiness assessment is aligned to WP.29, ISO 21434, ISO 27001, NIST, GDPR and other leading frameworks and regulations across four domains: cybersecurity management, monitoring and response, risk management, and the development life cycle.

The package includes:

  • Workshops with an embedded systems security expert
  • Automated analysis of binary images and support files to understand the software bill of materials (SBOM), leakage of personal data and supply chain insights
  • Detailed report with observations, risks, conformity levels and a pragmatic set of recommendations