UN-ECE-WP.29 Cybersecurity Management System Requirements

Guy Sagy | June 30, 2020

UN-ECE-WP.29 Cybersecurity Management System Requirements and Karamba Security Product & Services Supports According to ISO/SAE-21434

UN-ECE-WP.29 defines principles to address key cyber threats and vulnerabilities identified in order to assure vehicle safety in case of cyber-attacks. It further defines detailed guidance or measures for how to adhere to these principles. Currently, The European Union (EU) has adopted UN-ECE-WP.29 cybersecurity regulations affective July 2022 for all new vehicle types, and July 20241 for registration of existing vehicles. In addition, Japan has adopted it, affective April 2020, for all autonomous vehicles level 3 and higher. The adoption of UN-ECE-WP.29 defines that a manufacturer should provide a Cybersecurity Management System (CSMS) certificate for approval of a new vehicle model. The CSMS is “a systematic risk-based approach defining organizational processes, responsibilities and governance to mitigate cyber threats and protect vehicles from cyber-attacks.” The CSMS is an ongoing process, and the manufacturer should maintain it through the device lifecycle: it should cover the ECU Development phase, Production phase and Post-production phase. Using the CSMS, the vehicle manufacturer shall demonstrate the processes ensure that cybersecurity is adequately considered:

(A) The processes used within the manufacturer’s organization to manage cybersecurity;
(B) The processes used for the identification of risks to vehicle types;
(C) The processes used for the assessment, categorization and treatment of the risks identified;
(D) The processes in place to verify that the risks identified are appropriately managed;
(E) The processes used for testing the security of the system throughout its development and production phases;
(F) The processes used for ensuring that the risk assessment is kept current;
(G) The processes used to monitor for, detect and respond to cyber-attacks on vehicle types; (H) The processes used to identify new and evolving cyber threats and vulnerabilities to vehicle types;
(I) The processes used to appropriately react to new and evolving cyber threats and vulnerabilities. UN-ECE-WP.29 identifies ISO/SAE 21434 , “Road vehicles — Cybersecurity engineering” as “A key standard that may be used for implementing CSMS processes”. Defining, training and establishing CSMS in the organization and the adoption of ISO/SAE-21434 requires an intensive effort. In this paper we present how Karamba Security supports establishing the CSMS processes, according to ISO/SAE 21434, speeding up the adoption and certification phases.

Download PDF

Read more

Continue the conversation!

Want to learn more?

Contact Us


24 HaNagar Street
Hod Hasharon
Tel: +972 9 88 66 113



41000 Woodward Ave
Building East, Suite 350
Bloomfield Hills, MI 48304
Tel: +1 833 4KARAMBA



Landstr. 264, Munich
Tel: +49 892 1547 7583