In November 2020, Walmart became one of the latest retailers to announce a plan to test deliveries via self-driving cars. Its pilot program will use General Motors’ Cruise electric self-driving cars. As advancements continue in autonomous driving, safety requirements will become more pressing and prevalent. ISO 26262, Road vehicles – Functional safety, is an international standard that mandates a functional safety development process, from specification through production release, for automotive OEMs and suppliers to follow and document. In the near future, there may be more discussion of, or even an amendment to, ISO 26262 to address the interaction of safety and security.
Speaking of security, ISO/SAE 21434 will provide the automotive industry with the first standard to address cybersecurity in vehicles. Building upon SAE J3061, ISO/SAE 21434 provides a cyber security framework for the entire lifecycle of road vehicles, addressing:
- Risk management
- Security management
- Continuous cyber security activities
- Incident response
- Cyber security within the concept, product development, and post-development stages of road vehicles
- Vehicle software vulnerability lifecycle management
With ISO/SAE 21434 comes a more consistent way for automotive suppliers and OEMs to manage security requirements from different vendors, freeing up time and resources to focus on what their customers want versus normalizing risk and data from multiple vendors.
Building upon ISO/SAE 21434 is the UNECE WP.29 Cybersecurity Regulation (UNR 155), the United Nations’ regulation on automotive cybersecurity. By 2023, 775 million consumer vehicles are expected to be connected by telematics or in-vehicle apps, according to Juniper Research. By 2030, cars are expected to have around 300 million lines of software code. Both growing vehicle connectivity and increased software content in cars open the door to increased risk of cyber attacks. UNR 155 explains what needs to be done in terms of processes to address security threats. It provides examples of threats and mitigations, as well as perspectives from process and governance, IT, and product and operating technology standpoints. There is also a new UN regulation (UNR 156) on software updates that provides guidance for safe and secure software updates and introduces a legal basis for over-the-air (OTA) updates to on-board vehicle software. Both of these regulations enter into force this month in EU markets.
It is also worth mentioning that due to the increased usage of open-source software components in automotive systems, there is a need for automotive organizations to be aware of and manage the included open-source licenses. The recently released ISO/IEC 5230:2020, which provides requirements for establishing an open-source license compliance program, would serve to build trust between organizations exchanging software. ISO 5230 will play an important role for the automotive industry to help manage the supply chain risks from an open-source license compliance point of view.