Working Party on Automated and Connected Vehicles | Session 11 | 27 Sep-1 Oct 2021
Web conference
Agenda Item 5. (a)
Cyber security and data protection

35. The expert from the United Kingdom of Great Britain and Northern Ireland, Co-Chair of the IWG on Cyber Security and Over-the-Air issues (CS/OTA), reported on the activities of the group (GRVA-11-05).

36. He introduced ECE/TRANS/WP.29/GRVA/2021/20, with recommendations on uniform provisions concerning cyber security and software updates, suitable for the purpose of the Contracting Parties of the 1998 and 1958 Agreements. He explained that no UN Global Technical Regulation was envisaged because of the difficulty to define acceptance criteria, which would depend on how a vehicle is equipped. He stated that these recommendations, covering cyber security and software updates and permitting the use of Regulation No. X Software Identification Number (RxSWIN), can be followed and adapted to national circumstances.

37. He reported on the activities of the group concerning the review of the request by the expert from CEMA to remove vehicle categories S, T and T from the scope of UN Regulation No. 156. He explained, that following a technical discussion, the group confirmed that vehicles of these categories were using Over-the-air Software updates and that the scope of UN Regulation No. 156 was fine. He suggested that the scope of UN Regulation No. 155 could be expanded to vehicles of Categories S, R and T as both regulations went hand in hand.

38. He also reported on group’s activities on ECE/TRANS/WP.29/GRVA/2021/20 following a request for clarification on the transition clauses specified in paragraphs 7.3.1. and 7.3.4. with regards to the extension of type approvals first issued before 1 July 2024 and applied for such extension after that date. He explained that the group developed amendments to (a) the UN Regulation No. 155 (Cyber Security and Cyber Security Management System, and (b) the respective Interpretation Documents for UN Regulation No. 155 (ECE/TRANS/WP.29/2021/59), in order to clarify under which circumstances extensions were possible and which additional information was expected to be provided by the vehicle manufacturer applying for approval.

39. The expert from Canada stated the world of cyber security was very active including on vulnerability assessment tools. He mentioned existing services as suitable mitigation tools. He highlighted that Canada published Transport Canada’s Vehicle Cyber Security Strategy as well as Canada’s vehicle cyber security guidance. He stated that the work of the IWG was not completed.

40. The expert from the United Kingdom of Great Britain and Northern Ireland, Co-Chair of the group, acknowledged that the world of cyber security was evolving, and that regulations and other activities, as those mentioned above, were going hand in hand.

41. The expert from the United States of America proposed that ECE/TRANS/WP.29/GRVA/2021/20 should be kept at GRVA level for the time being.

42. The expert from the European Commission recalled that the document was mandated by the Framework Document on Automated Vehicles and wondered why it should not be transmitted to WP.29.

43. The Secretary of the IWG explained that some elements were missing in the document and that he would try to provide a corrected version as soon as possible.

44. GRVA agreed that there was no urgency and agreed to consider a revised document at its January 2022 session.

45. GRVA adopted ECE/TRANS/WP.29/GRVA/2021/21 and requested the secretariat to submit it to WP.29 as supplement to UN Regulation No. 155 (for consideration and vote by AC.1 in March 2022) and as amendment to the Interpretation document for UN Regulation No. 155 (also for consideration and vote by WP.29 in March 2022).

46. The expert from Japan, co-organizer of the workshop on the implementation on UN Regulation No. 155 that took place on 8 July 2021, introduced GRVA-11-18, explaining the purpose of the workshop and reporting on the outcomes of this workshop.

47. The expert from France announced that their Approval Authority was going to issue a Cyber Security Management System Certificate of Conformity. GRVA clarified that the activities performed under the workshop on the implementation of UN Regulation should not stop Contracting Parties to issue type approvals.

48. GRVA agreed that the secretariat together with National Traffic Safety and Environment Laboratory (Japan) organize further workshops on the implementation of UN Regulation No. 155.

49. The expert from Germany asked whether the Cyber Security and Over-the-Air issues (CS/OTA) group was having plans for updating the annexes of the Regulation.

50. GRVA noted that the mandate of the IWG was running until November 2022 and discussed the inclusion of vehicles of Categories S, R and T in the scope of UN Regulation No. 155 and the corresponding timeline as well as the question raised by Germany (para. 49).

51. The expert from Japan suggested that the review of the Regulation would be needed at some point and inquired whether a regular IWG meeting would be needed for the time being.

52. The expert from the European Commission stated that there was no emergency to include vehicles categories S, R and T in UN Regulation No. 155 and that he did not have views on the timeline.

53. The expert from CEMA supported a discussion concerning the vehicles categories S, R and T of UN Regulations Nos. 155 and 156.

54. The secretariat asked whether GRVA would wish to discuss the deletion of the Categories R, S and T from the scope of UN Regulation No. 156. The expert from UK supported that the categories S, R and T would remain in UN Regulation No. 156. He explained that the question was about UN Regulation No. 155. He added that the implementation of the Regulation was a matter of relevance for the Contracting Parties. He supported a discussion on UN Regulation No. 155.

55. The expert from Finland suggested that the categories would belong to the scope of both regulations but that there was no hurry to insert them.

56. GRVA agreed to resume consideration at its twelfth session regarding the scopes of UN Regulations Nos. 155 and 156 with regards to Categories R, S and T.

Documentation
GRVA-11-05 IWG CS/OTA: Report on the updates
GRVA-11-18 UN R155: Questions and Answers/Comments in Session A derived from the Workshop on the implementation of the regulation (NTSEL)
GRVA/2021/20 Proposal for Recommendations on uniform provisions concerning cyber security and software updates
GRVA/2021/21 UN R155: Proposal for amendments