UN-ECE-WP.29 Cybersecurity Management System Requirements and Karamba Security Product & Services Supports According to ISO/SAE-21434
UN-ECE-WP.29 defines principles to address the key cyber threats and vulnerabilities identified in order to assure vehicle safety in the case of cyber-attacks. It further defines detailed guidance or measures for how to adhere to these principles. Currently, the European Union (EU) has adopted the UN-ECE-WP.29 cybersecurity regulations effective July 2022 for all new vehicle types, and July 2024 for registration of existing vehicles. In addition, Japan has adopted it, effective April 2020, for all autonomous vehicles of level 3 and higher. The adoption of UN-ECE-WP.29 means that a manufacturer should provide a Cybersecurity Management System (CSMS) certificate for approval of a new vehicle model. The CSMS is “a systematic risk-based approach defining organizational processes, responsibilities and governance to mitigate cyber threats and protect vehicles from cyber-attacks.” The CSMS is an ongoing process, and the manufacturer should maintain it throughout the device lifecycle: it should cover the ECU Development phase, Production phase and Post-production phase. Using the CSMS, the vehicle manufacturer shall demonstrate that the following processes ensure that cybersecurity is adequately considered:
(A) The processes used within the manufacturer’s organization to manage cybersecurity;
(B) The processes used for the identification of risks to vehicle types;
(C) The processes used for the assessment, categorization and treatment of the risks identified;
(D) The processes in place to verify that the risks identified are appropriately managed;
(E) The processes used for testing the security of the system throughout its development and production phases;
(F) The processes used for ensuring that the risk assessment is kept current;
(G) The processes used to monitor for, detect and respond to cyber-attacks on vehicle types;
(H) The processes used to identify new and evolving cyber threats and vulnerabilities to vehicle types;
(I) The processes used to appropriately react to new and evolving cyber threats and vulnerabilities.
UN-ECE-WP.29 identifies ISO/SAE 21434, “Road vehicles — Cybersecurity engineering”, as “A key standard that may be used for implementing CSMS processes”. Defining, training and establishing a CSMS in the organization and adopting ISO/SAE-21434 require an intensive effort. In this paper we present how Karamba Security supports establishing the CSMS processes according to ISO/SAE 21434, speeding up the adoption and certification phases.