Proposal for a new UN Regulation as approved by GRVA during its 6th session for the type approval of vehicles with regard to their cybersecurity protection.

23. GRVA adopted GRVA-06-19-Rev.1 and requested the secretariat to submit it (without paras 5.3.1.-5.3.4.) as draft UN Regulation on Cyber Security and Cyber Security Management Systems to WP.29 and AC.1 for consideration and vote at their June 2020 session.

25. The expert from the United Kingdom and Northern Ireland, Co-Chair of the Task Force (TF) on Cyber Security and Over-The-Air issues (CS/OTA), presented the outcome of the TF. He introduced the proposed draft UN Regulation on Cyber Security and Cyber Security Management System (ECE/TRANS/WP.29/GRVA/2020/2 (withdrawn), ECE/TRANS/WP.29/GRVA/2020/3 amended by GRVA-05-05). He mentioned that the revised proposal entailed a recent proposal from Germany and the European Commission (paragraphs 5.3.1.-5.3.3.) in square brackets. He recalled that the TF was planning to deliver further documents accompanying the UN Regulation: a resolution and an interpretation document. He stated that these documents would be further elaborated during the next session of the TF and would distillate the learnings of the test phase in 2019. He informed GRVA that the work on a UN Global Technical Regulation (GTR) had to start.

26. The expert from Japan introduced GRVA-05-20 proposing amendments to paragraph 7.3.8. on the use of cryptographic modules.

27. The expert from the European Commission introduced GRVA-05-22, aimed at clarifying the consequences of the Cyber Security Management System certificate expiration.

28. The expert from Japan introduced GRVA-05-13, expressing strong objections to the proposed paragraphs 5.3.1.-5.3.3. establishing prerequisites to the granting of type approvals not in line with the 1958 Agreement and posing a sovereignty risk. The expert from the Russian Federation expressed a similar position and proposed to draft an alternative proposal.

29. The expert from France introduced, GRVA-05-29 proposing an alternative to the proposed paragraphs 5.3.1.-5.3.3. as well as amendments proposal for paragraph 7.4 and Annex 5.

30. The expert from the European Commission introduced a compromise proposal (GRVA-05-42) for paragraphs 5.3.1.-5.3.3. aimed at addressing the proposals from Japan and France.

31. The expert from OICA introduced GRVA-05-33. He stated that the test phase’s general outcome was the confirmation of the applicability of the former draft. He explained their major concerns with the current text. He mentioned their concerns from the industry point of view regarding the major type approval procedure modifications introduced by paragraphs 5.3.1.-5.3.3. and the major delay associated risks.

32. He stated that insufficient considerations were given to existing vehicle architectures and requested the introduction of transitional provisions. He also stated that the reporting provisions were excessive. He called on GRVA to consider these concerns and to resolve them on a consensus basis.

33. The expert from FIGIEFA introduced GRVA-05-15, proposing a process flow for national/regional authorities to define objective minimum compliance criteria for the UNECE cybersecurity regulation and a way forward for aftermarket issues.

34. GRVA reviewed in detail GRVA-05-05, having in mind the presentations received (paragraphs 26-32 above).

1. GRVA discussed the scope of the draft Regulation (keeping vehicles of Categories S, R, T, O in square brackets).
2. GRVA discussed GRVA-05-17 and agreed to keep the proposed paragraph 1.4.
3. GRVA agreed that the Regulation and the 1958 Agreement would not be prescribing the mutual recognition, among Contracting Parties, of CSMS (and Software Update Management System) certificates.
4. The expert from Singapore requested clarifications concerning the reporting obligations according to the draft Regulation and wondered whether any reporting would only be shared among the Contracting Parties of the 1958 Agreement. The Co-Chair of the TF explained that the current draft did not impose reporting on existing cyber security threats. He explained that there were already information sharing platforms such as Automotive Information Sharing and Analysis Center (AutoISAC) in the United States of America. GRVA invited the TF to address the question raised.
5. GRVA resumed discussion on the paragraphs 5.3.1.-5.3.3. The expert from the Russian Federation explained that provisions regarding the competencies of Technical Services should be introduced in Schedule 2 to the 1958 Agreement. He added that GRVA-05-42 was not enough and that not trusting Approval Authorities was not a good idea, as it would be time consuming and expensive. He stated that the Database for Exchange of Type Approval documentation (DETA) could have a useful role to play, that the TF could be entitled to learn from type approvals and propose relevant Regulation amendments to GRVA, as necessary, and he proposed the corresponding regulatory wording (GRVA-05-51). The expert from the Republic of Korea stated that these paragraphs could be misused. The expert from CEN proposed an alternative procedure based on the so-called common criteria approach and referred to WP.29-179-28 and WP.29-179-29. The TF Co-Chair noted that the common criteria approach was not complete. The expert from FIA introduced GRVA-05-16. GRVA requested the TF to provide comments on this document. GRVA noted to availability of GRVA-05-02 reproducing ISO/SAE DIS 21434 addressing aspects of the draft Regulation but not the mutual recognition aspect.

35. The Secretary produced a consolidation of the draft Regulation based on the input received during the session (GRVA-05-05/Rev.1). GRVA agreed to use this consolidation as a basis for further work until the next GRVA session.

25. The expert from the United Kingdom and Northern Ireland, Co-Chair of the Task Force (TF) on Cyber Security and Over-The-Air issues (CS/OTA), presented the outcome of the TF. He introduced the proposed draft UN Regulation on Cyber Security and Cyber Security Management System (ECE/TRANS/WP.29/GRVA/2020/2 (withdrawn), ECE/TRANS/WP.29/GRVA/2020/3 amended by GRVA-05-05). He mentioned that the revised proposal entailed a recent proposal from Germany and the European Commission (paragraphs 5.3.1.-5.3.3.) in square brackets. He recalled that the TF was planning to deliver further documents accompanying the UN Regulation: a resolution and an interpretation document. He stated that these documents would be further elaborated during the next session of the TF and would distillate the learnings of the test phase in 2019. He informed GRVA that the work on a UN Global Technical Regulation (GTR) had to start.

26. The expert from Japan introduced GRVA-05-20 proposing amendments to paragraph 7.3.8. on the use of cryptographic modules.

27. The expert from the European Commission introduced GRVA-05-22, aimed at clarifying the consequences of the Cyber Security Management System certificate expiration.

28. The expert from Japan introduced GRVA-05-13, expressing strong objections to the proposed paragraphs 5.3.1.-5.3.3. establishing prerequisites to the granting of type approvals not in line with the 1958 Agreement and posing a sovereignty risk. The expert from the Russian Federation expressed a similar position and proposed to draft an alternative proposal.

29. The expert from France introduced, GRVA-05-29 proposing an alternative to the proposed paragraphs 5.3.1.-5.3.3. as well as amendments proposal for paragraph 7.4 and Annex 5.

30. The expert from the European Commission introduced a compromise proposal (GRVA-05-42) for paragraphs 5.3.1.-5.3.3. aimed at addressing the proposals from Japan and France.

31. The expert from OICA introduced GRVA-05-33. He stated that the test phase’s general outcome was the confirmation of the applicability of the former draft. He explained their major concerns with the current text. He mentioned their concerns from the industry point of view regarding the major type approval procedure modifications introduced by paragraphs 5.3.1.-5.3.3. and the major delay associated risks.

32. He stated that insufficient considerations were given to existing vehicle architectures and requested the introduction of transitional provisions. He also stated that the reporting provisions were excessive. He called on GRVA to consider these concerns and to resolve them on a consensus basis.

33. The expert from FIGIEFA introduced GRVA-05-15, proposing a process flow for national/regional authorities to define objective minimum compliance criteria for the UNECE cybersecurity regulation and a way forward for aftermarket issues.

34. GRVA reviewed in detail GRVA-05-05, having in mind the presentations received (paragraphs 26-32 above).

1. GRVA discussed the scope of the draft Regulation (keeping vehicles of Categories S, R, T, O in square brackets).
2. GRVA discussed GRVA-05-17 and agreed to keep the proposed paragraph 1.4.
3. GRVA agreed that the Regulation and the 1958 Agreement would not be prescribing the mutual recognition, among Contracting Parties, of CSMS (and Software Update Management System) certificates.
4. The expert from Singapore requested clarifications concerning the reporting obligations according to the draft Regulation and wondered whether any reporting would only be shared among the Contracting Parties of the 1958 Agreement. The Co-Chair of the TF explained that the current draft did not impose reporting on existing cyber security threats. He explained that there were already information sharing platforms such as Automotive Information Sharing and Analysis Center (AutoISAC) in the United States of America. GRVA invited the TF to address the question raised.
5. GRVA resumed discussion on the paragraphs 5.3.1.-5.3.3. The expert from the Russian Federation explained that provisions regarding the competencies of Technical Services should be introduced in Schedule 2 to the 1958 Agreement. He added that GRVA-05-42 was not enough and that not trusting Approval Authorities was not a good idea, as it would be time consuming and expensive. He stated that the Database for Exchange of Type Approval documentation (DETA) could have a useful role to play, that the TF could be entitled to learn from type approvals and propose relevant Regulation amendments to GRVA, as necessary, and he proposed the corresponding regulatory wording (GRVA-05-51). The expert from the Republic of Korea stated that these paragraphs could be misused. The expert from CEN proposed an alternative procedure based on the so-called common criteria approach and referred to WP.29-179-28 and WP.29-179-29. The TF Co-Chair noted that the common criteria approach was not complete. The expert from FIA introduced GRVA-05-16. GRVA requested the TF to provide comments on this document. GRVA noted to availability of GRVA-05-02 reproducing ISO/SAE DIS 21434 addressing aspects of the draft Regulation but not the mutual recognition aspect.

35. The Secretary produced a consolidation of the draft Regulation based on the input received during the session (GRVA-05-05/Rev.1). GRVA agreed to use this consolidation as a basis for further work until the next GRVA session.

Mark up of the draft UN Regulation on cyber security (WP.29/2020/79) towards transposition of technical requirements into an instrument under the 1998 Agreement.

25. The representative of Japan introduced, on behalf of China, European Union, Japan and the United States of America, WP.29-178-10/Rev.2 containing amendments to ECE/TRANS/WP.29/2019/34 – Framework Document on Automated/autonomous Vehicles. He explained that the amendments included editorial amendments as well as a restructured Table 1 containing details on (i) current activities, (ii) expected future activities and (iii) references to the key safety principles mentioned in the document.

26. The representative of the Republic of Korea introduced WP.29-178-19, proposing additional amendments to ECE/TRANS/WP.29/2019/34. The representative of Sweden proposed to insert into Table 1 considerations related to para. 4 (j) regarding vehicle inspection. The representative of CITA supported the position of the representative of Sweden.

27. WP.29 adopted ECE/TRANS/WP.29/2019/34 as amended by WP.29-178-10/Rev.2 and requested the secretariat to issue it as a reference document with the symbol ECE/TRANS/WP.29/2019/34/Rev.1.

72. The Secretary of GRVA introduced ECE/TRANS/WP.29/2019/34/Rev.1, the framework document on automated/autonomous vehicles. He further informed GRSG on the establishment of new IWGs for functional requirements for automated vehicles, validation methods for automated driving, EDR/DSSAD and Cyber Security/OTA.

73. Following questions from delegates, GRSG noted that elements related to human-machine interface (HMI) and other activities than driving that were currently under discussion at the Global Forum for Road Safety (WP.1) would also be covered under IWG on functional requirements for automated vehicles, while elements for driver monitoring were still discussed by IWG on Automated Controlled Steering Functions (ACSF).

Proposal for provisions regarding the extension, expiration, or withdrawal of a cybersecurity approval.

28. The expert from the Netherlands, Chair of the IWG on Database for Exchange of Type Approval documentation (DETA), introduced GRVA-07-25 (aimed at clarifying DETA related provisions in ECE/TRANS/WP.29/2020/94). GRVA endorsed it, in principle, as a draft guidance for the Authorities on the way to use DETA, hosted by Germany, in line with the relevant provisions in UN Regulation No. [155]. GRVA noted that the document would be finalized prior to WP.29 in November 2020, so that it can be adopted together with the document above.

29. GRVA requested the secretariat to provide a specific place on its website for all cyber security and software updates related documents.

Proposal agreed by interested Contracting Parties to resolve concerns regarding “peer review” of cybersecurity type approvals.

27. The expert from the Russian Federation presented GRVA-07-08, proposing a clarification of para. 5.3.5. of UN Regulation No. [155]. The expert from Japan explained that the proposed clarification should be carefully reviewed as it could lead to restrictions to the rights of Contracting Parties according to the 1958 Agreement. The author agreed and mentioned that ECE/TRANS/WP.29/2020/97 already provided some clarifications.