Until five years ago, carmakers were hesitant to introduce cybersecurity measures in vehicles despite being aware of their necessity due to cost issues.

However, when the European Union introduced cybersecurity regulations in 2022, it became virtually impossible to enter the European market without meeting the new standards. The change has made cybersecurity an essential element to ensure the survival of carmakers.

The advancements in vehicle software, diversification of vehicles’ functions and increase in communication have made software-defined vehicles (SDVs) a hot topic for the car industry, and cybersecurity is the final element in building SDVs.

The fact that UNECE WP.29 adopted UN Regulation No. 155 (UN R155) in June 2020 to lay the foundations for the cybersecurity ecosystem is widely known.

1. CSMS and ISO/SAE 21434

The core of UN R155 is that carmakers need to obtain a cybersecurity management system (CSMS) and vehicle type approval (VTA). CSMS refers to the process and management system for protecting vehicles from cyberattacks and managing cybersecurity risks. ISO/SAE 21434 is the international engineering standard for vehicle cybersecurity that defines the cybersecurity policies and processes throughout all phases of a vehicle’s development, production and postproduction, and sets the standards for CSMS.

The UN R155 outlines its aims, while the ISO/SAE 21434 provides the requirements and details about assessment standards. In other words, ISO/SAE 21434 is essential to properly implement CSMS.

2. Requirements and Points of Note in CSMS certification

How is CSMS approval obtained? To receive approval, Article 7 Clause 2 sub paragraph 2 of UN R155 must be followed. An automaker must apply the cybersecurity management system to all phases of a vehicle’s lifespan – development, production and postproduction – and demonstrate that security is adequately considered in processes such as cybersecurity management within its organization, threat identification, risk assessment and cybersecurity testing. An automaker also must ensure that threats and vulnerabilities requiring a response from the vehicle manufacturer shall be mitigated within a reasonable timeframe, and that field monitoring for detecting and responding to threats is being carried out continuously. The automaker must also demonstrate how the CSMS will manage dependencies that may exist with contracted suppliers, service providers or manufacturer’s suborganizations.

The above requirements must be validated by a technical service provider, and the final approval is given after an assessment by an approval authority.

An automaker that has yet to establish a CSMS must be aware of the following two elements. The first is to follow Europe and related countries’ time frames for implementing the regulations, and the second is to utilize existing elements as much as possible in order to find ways to meet the requirements in the shortest time span possible.

Building a CSMS requires identifying and analyzing a vehicle’s security vulnerabilities. To do this, a threat analysis and risk assessment should be carried out, and the ECUs need to be categorized into security levels according to their importance.

The trend is to use hardware security module-fitted semiconductors that meet international standards in ECUs categorized into high security levels, as concerned organizations usually provide cyber security solutions compatible to HSMs, and carmakers using different chips need to replace the chips.

This process can lead to significant costs, but there is a case where the issue was solved by analyzing the situation faced by carmakers and ECU developers. In that case, cybersecurity specialist Fescaro developed a software solution that meets HSM security requirements. By doing so, Fescaro assisted in a Korean carmaker meeting all European cybersecurity requirements without replacing over 50 types of chips used in the company’s vehicles. Fescaro’s solution contributed to reducing the development costs and production time. The security solution has since been implemented in producing 150 types of ECUs in seven vehicle types produced by domestic and foreign carmakers.

The most important element in CSMS approval is keeping the timetable. Since July 2022, a new vehicle type can only be introduced in Europe after meeting all cybersecurity requirements. From July 2024, the measure will be applied to all new vehicles produced and sold in relevant markets.

A misstep in obtaining the approval can lead to setbacks in launching new models, or have a detrimental impact on a carmaker’s quality competitiveness. The time required in all processes from suppliers’ sourcing to quality verification must be taken into consideration.

A carmaker has the option of working with a company that provides all-in-one services in meeting CSMS requirements. But the carmaker must assess whether the company has the technological capability to provide the necessary solutions throughout the lifecycle of a vehicle.

Such a partner must be capable of dealing with all related areas, from certification consultation services and Threat Analysis and Risk Assessment (TARA) to cyber security solutions, cyber security tests, cyber security gateway ECU to security management system.

3. Differences between OEM and tier companies’ approval

Do carmakers and tier companies have to respond to the regulations? UN R155 states CSMS approval should be obtained by the carmaker. However, as a carmaker should be able to manage the cybersecurity activities of tier companies, an ECU developer needs to establish a CSMS if required by the carmaker.

If an ECU developer has established a CSMS in accordance with Article 7, "Distributed cybersecurity activities," of ISO/SAE 21434, the ECU developer can obtain ISO/SAE 21434 certification through a technical service provider.

As the ISO/SAE 21434 certification proves an ECU developer’s cybersecurity capabilities, it can aid the company in strengthening its competitiveness in the global market.

In short, CSMS approval is essential for carmakers under UN R155, while ECU developers can obtain ISO/SAE 21434 certification as necessary.

Carmakers and ECU developers across the world are moving quickly to respond to related regulations. Mercedes-Benz was the first carmaker to obtain cybersecurity certification, followed by Volkswagen.

In Korea, Hyundai Motor Group obtained CSMS certification in December 2021, followed by KG Mobility in December 2022.

As for ISO/SAE 21434 certification, Kanavi Mobility obtained it in February 2023 and Hyundai Motor Group’s global software center 42dot was certified in August 2023.

4. Core of CSMS certification

As a cybersecurity expert who has experienced carmakers obtaining CSMS certification and ECU developers receiving ISO/SAE 21434 certification, the vehicle life-cycle is at the core of CSMS.

If in the past, developing a vehicle was the most important phase, in today’s world, the postproduction phase must be considered as software vulnerabilities keep evolving.

In other words, all processes across the life cycle of a vehicle must be optimized and a cybersecurity system that is linked to all phases of the life cycle must be built and operated.

To this end, numerous discussions and negotiations among the concerned departments and outside partners must be carried out. Only then can a company obtain CSMS certification.

[Ku Seong-seo, Fescaro head of global business sales@fescaro.com ]

Fescaro is a vehicle cybersecurity specialist that has gone through all major certification processes (CSMS, ISO/SAE 21434, VTA, SUMS). It is the only company in Korea to have obtained what is referred to in the field as the "grand slam of vehicle cybersecurity certification consulting.” - Ed