Presentation on the work of the Task Force on Cybersecurity and Over-the-Air Software Updates.
24. The expert from the United Kingdom, Co-Chair of the Task Force on Cyber Security and Over-The-Air software updates (TF CS/OTA) reported (GRVA-03-02) on the work of the group (recommendations, a draft regulatory text with provisions for the approval of a manufacturer Cyber Security Management System and provisions for the approval of a vehicle with regards to cyber security), including the ongoing testing activities. He clarified that the outcome of the work did not aim at specifying technical solutions, preventing all kind of cyber security events to happen, securing systems outside of the vehicles (e.g. pendrives), specifying durability requirements, listing all risks and corresponding mitigation solutions, but rather a systems-based approach to security management.
25. He explained that the current testing phase was aimed at checking the robustness of the proposal. He noted that manufacturer involvement represented seventy per cent of the global sales. The expert from AVERE confirmed that North American manufacturers were involved in the testing phase. The output could result in the production of interpretation guidelines if necessary.
26. He answered to the questions raised by the GRVA experts. He confirmed that the work was involving Contracting Parties using the regime of self-certification, but that no Country had indicated their intention to become a sponsor in the sense of the 1998 Agreement.
27. The expert from the European Commission requested clarifications about the purpose of the non-regulatory text in ECE/TRANS/WP.29/GRVA/2019/2. He noted the importance to define pass/fail criteria (also for audits) in the context of mutual recognition of type approvals. He expressed the need to consider covering hardware updated in this context. He stated that cyber security impacts privacy protection and mentioned other regulations in other jurisdictions that could complement or impact the ongoing work, such as the European General Data Protection Regulation (GDPR).
28. The expert from France proposed to revisit the definition of a type in the regulatory draft. He proposed to consider the vehicle architecture as one discriminatory feature.
29. The expert from Germany expressed support to the test phase work and expressed the need to consider lifetime provisions.
30. The expert from CLEPA explained that their industry would have a role to play to support cyber security and asked that GRVA consider provisions that would address their role.
31. The expert from Sweden noted the proposal on slide 16 of GRVA-03-02 “UNECE may decide to develop a harmonized framework on [the post production and vehicle support by the manufacturer] topic” and proposed to reflect on this point.
32. The expert from Spain expressed concern with the lack of guarantee over the whole life cycle and proposed to look at practices of other industry sectors to explore best practices. She also noted that these activities were linked with the activities of existing cyber security authorities and that frameworks were already existing. She stated that the outcome of the test phase should result into amendments instead of interpretation documents.
33. The expert from ITU stated that basic requirements should be built in the communication side and that support provisions could be linked to the life of the communication system (He mentioned as an example the Global System for Mobile Communications (GSM) protocol shutdown).