Regulations and Standards Relevant to Uptane

This page aims to provide the Uptane community with up-to-date information on the status of regulations and standards that may directly affect the evolution of the Uptane Standard. By keeping abreast of these changes, mandated by both government agencies and industry best practices, we can ensure that Uptane will help the automotive industry achieve compliance, and support continuing improvement of cybersecurity defenses.

EVITA “E-safety Vehicle Intrusion Protected Applications,” 2011. According to the source cited above, this standard can be described as “an automotive cybersecurity initiative co-funded by the European Union, intended to improve the resilience of the automotive on-board network to attacks from new V2X applications, as well as the physical attacks made possible by the physical access that attackers can have to vehicles in the public environment. Through a process of identifying E/E use cases, analyzing potential threats, and their associated risk, EVITA developed a series of security requirements for on-board networks. This was then distilled into a standard recommending hardware and software architectures to fulfill the defined security requirements.”

SAE 3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, January 2016. This document was the primary input to the ISO/SAE 21434 joint project.

Massachusetts Right to Repair Law (State Ballot Initiative 1, Massachusetts, 2020). Passed in 2020 by 75% of the voters in Massachusetts, this initiative expands an existing law from 2012. According to the actual ballot language, it “would require that motor vehicle owners and independent repair facilities be provided with expanded access to mechanical data related to vehicle maintenance and repair. Starting with model year 2022, the proposed law would require manufacturers of motor vehicles sold in Massachusetts to equip any such vehicles that use telematics systems – systems that collect and wirelessly transmit mechanical data to a remote server – with a standardized open access data platform.”

UNECE 29, 2020. The United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations on Cybersecurity and Cyber Security Management Systems adopted two regulations under this umbrella in June 2020. The regulations mandate:

  • managing vehicle cyber risks
  • securing vehicles by design to mitigate risks along the value chain
  • detecting and responding to security incidents across vehicle fleets
  • providing safe and secure software updates and ensuring vehicle safety is not compromised
  • introducing a legal basis for so-called “Over-the-Air” (O.T.A.) updates to on-board vehicle software

The regulations, which apply to passenger cars, vans, trucks and buses, went into effect in the European Union, Japan, and Korea in early 2021, and will apply to all new vehicle models by 2022, and all existing vehicle models by 2024.

SAE 3101 Hardware Protected Security for Ground Vehicles, February 2020. This document defines requirements for a hardware protected security environment. It abstracts security components such as TCG TPM, GP SE, GP TEE, HSM, etc.

ISO/DIS 21448 Road vehicles — Safety of the intended functionality (SOTIF), January 2021. This document augments ISO 26262 (Functional Safety).

ISO/CD 24089 Road vehicles - Software update engineering, February 2021. This document augments the ISO Standard 26262 (Functional Safety) and ISO/SAE Standard 21434 (Cybersecurity). It standardizes detailed process requirements for wired and wireless software updates.

ISO TC22/SC32/WG11 ISO 21434 Road Vehicles - Cybersecurity Engineering. A joint effort between the International Standards Organization and SAE International that brings together “more than 100 experts from more than 82 companies based in over 16 countries.” The goal is a “deep and effective global standard for automotive cybersecurity.” The initiative is divided into four main working groups that focus on risk management; product development; production, operation, maintenance, and decommissioning; and process overview.

ISO/AWI PAS 5112 Road vehicles — Guidelines for auditing cybersecurity engineering (Work-in-Progress). This document will provide auditing guidelines for ISO/SAE 21434.