Skip to content

Automotive Cybersecurity and Regulatory Standards

QAC EmTech
QAC Emerging Technologies Quality Assurance

This monthly newsletter will focus on QAC’s activities regarding R&D, Connected Vehicles, Cognitive Autonomous Systems, Artificial Intelligence, Internet of Things, and Blockchain Quality Assurance Services


Leading the way
Welcome to the nineteenth edition of the EmTech newsletter. In this edition, we’ll be sharing more about the state-of-the-art of automotive cybersecurity. We will focus on WP.29 Cybersecurity and Cybersecurity Management System (CSMS) regulation, and ISO/SAE 21434 standard. We will discuss the relationship between them. In addition, we will review QA Consultants’ services in regards to OEM regulation compliance.
Welcome to our 19th edition of our EmTech Quality Assurance Newsletter

Keeping you informed

Our emerging technologies quality assurance workstreams

R&D and Grant Projects
Research and development of new technologies that position QAC to become a world leader in quality assurance services.
Connected Vehicles
Testing and Quality Assurance services exclusively developed to provide integration testing services for highly connected vehicles.
Cognitive Autonomous Systems
Fully automation of testing and quality Assurance services exclusively developed for Cognitive Autonomous Systems.
Cybersecurity, IoT, AI, and Blockchain
Focus on developing new technologies that utilizes AI to address QA challenges on Cybersecurity, IoT, and Blockchain domains.

Need for Automotive Cybersecurity

CAVs are designed with capabilities and sophisticated features to increase safety, optimize traffic management, coordinate mobility, and improve accessibility. However, these enhanced functionalities come along with exposing CAVs to more cybersecurity attacks. Since cyberattacks have become increasingly sophisticated, vendors, original equipment manufacturers (OEMs), Tier 1 suppliers, Tier 2 suppliers, are insufficiently prepared to prevent and manage automotive cyber-attacks.

Worldwide, several efforts have been taken to establish binding regulations and standards for automotive cybersecurity. For example, the United Nations Economic Commission for Europe (UNECE) WP.29 developed automotive cybersecurity regulation that has been deployed in Europe and many other countries. Alongside WP.29, the International Organization for Standardization (ISO) and the Society of AutomotiveEngineering (SAE) have developed ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering standard. This standard guides the automaker to be compliant with WP.29 automotive cybersecurity regulation.

WP.29 Regulation on Automotive Cybersecurity

Currently, WP.29 is a buzzword in the automotive industry. In June 2020, UNECE WP.29 officially rolled out two new regulations focusing on vehicles’ cybersecurity and software updates. These regulations are known as Cybersecurity and Cybersecurity Management Systems (CSMS) and Software Update and Software Update Management Systems (SUMS). This decision garnered attention in the automotive industry.

WP.29 CSMS is the first regulation that outlines cybersecurity requirements for both vehicles and OEMs. According to WP.29 CSMS, OEMs require implementing approaches to:

  • Identify and manage cybersecurity risks in vehicle design
  • Verify that risks are managed
  • Test the cybersecurity of the vehicle
  • Make sure risk assessments are kept current
  • Monitor attacks and respond to them
  • Analyze successful or attempted attacks
  • Review cybersecurity measures in the light of new threats
  • Ensure security lifecycle management (across the development, production, and post-production phases)

Currently, WP.29 only applies to 54 countries that participate in the 1958 UNECE Transportation Agreements and Conventions. Some of these countries include the EU, England, Japan, and South Korea. In the European Union, the new regulation on cybersecurity will be mandatory for all new vehicle types made from July 2022 and will become compulsory for all new vehicles produced from July 2024 onwards.

WP.29 CSMS compliance approval process

WP.29 CSMS brings new challenges and opportunities to OEMs. OEMs that do not comply with the regulations may face trade barriers and other complications. On the other hand, OEMs who are compliant with WP.29 CSMS gain the upper hand and are regarded as being capable, mature, and able to manage cybersecurity risks. The approval process is divided into two very distinct parts – approval for CSMS and Vehicle Type approval.

  • CSMS approval: To obtain approval for CSMS, OEMs need to submit test reports and threat modeling to the approval authority. Such documents prove due diligence on behalf of the company to ensure cybersecurity throughout the vehicle’s lifecycle.
  • Vehicle Type approval: With the Vehicle Type approval process, the Approval Authority or the Technical Service tests specific type of vehicles. By focusing on the vehicle, the test can certify that the vehicle design, risk assessment procedures, and cybersecurity controls were implemented as OEMs intended. It is important to note that CSMS approval is the prerequisite to receive Vehicle Type approval. This regulation states that the Vehicle Type approval must be maintained throughout the potential modification of vehicles and the extension of the approval if it impacts its technical performance concerning cybersecurity.

ISO/SAE 21434 – Road Vehicle – Cybersecurity Engineering

ISO/SAE 21434 standard for road vehicle – cybersecurity engineering aims to manage cybersecurity threats specifically for vehicle subsystems, components, software, and external connections. To accomplish this goal, ISO/SAE 21434 provides a standardized cybersecurity framework. Risk management is an integral element of cybersecurity engineering throughout the lifecycle of a vehicle from the conceptual phase through decommissioning. More specially, this standard pursues several objectives including:

  1. It proposed a common cybersecurity terminology to avoid confusion within the automotive industry. In the past, different terms have been used to provide clarity, explain risks, and how to mitigate these risks. Cybersecurity Assurance Level (CAL) has been introduced in this standard, so OEMs can rest assured that certain levels of expectation have been met regarding the development of hardware and software components.
  2. It defines minimum requirements for processes and activities to enable cyber control in all aspects of the vehicle life cycle.
  3. It promotes cooperation between all parties involved in the value chain of automotive industries.

Relationship between WP.29 and ISO/SAE 21434

The WP.29 CSMS regulation and the ISO/SAE 21434 standard are complementary and both aim to secure the vehicle throughout its life cycle. However, in many cases, the regulation only states what to do but not how. In such cases, ISO/SAE 21434 can be used as a baseline standard.

  • Set cybersecurity management system: CSMS approval is the first step to be compliant with WP.29 CSMS regulation. OEMs are required to have a CSMS to monitor security incidents, threats, and vulnerabilities. However, it does not describe how to set up a CSMS. ISO 21434 clearly defines how to set up cybersecurity policies and organization-specific rules, assign the responsibilities and corresponding authorities, maintain management systems to support the cybersecurity activities.
  • Risk identification and management: WP.29 CSMS requires risk assessment and management throughout the vehicle life cycle. However, it does not provide detailed technical measures for risk assessment. In contrast, the ISO/SAE 21434 standard thoroughly describes risk assessment, risk analysis, and organization cybersecurity management.
  • Secure the vehicle supply chain: WP.29 clearly states that OEMs are responsible for cybersecurity management in the supply chain. However, it does not indicate how an OEM must verify the cybersecurity of the components supplied by Tier 1 and Tier 2 suppliers. ISO/SAE 21434 defines the interactions, dependencies, and responsibilities between OEM and Tier 1 and Tier 2 suppliers for cybersecurity activities. It specifies some of the strategies that the OEMs can apply to manage the supplier-related risk, such as evaluating the supplier’s capability by considering supplier cybersecurity activity records and making a contractual agreement with suppliers to maintain and conduct cybersecurity activities throughout the vehicle lifecycle of the vehicles.

QA Consultants’ Role in Testing with Automotive Cybersecurity

WP.29 enforces extensive testing to safeguard the automotive system from cyber-attacks. It provides a comprehensive list of threats and corresponding mitigation techniques to help OEMs and automotive suppliers understand and assess the risks associated with connected vehicles. Some of these listed threats need to be mitigated in Tier 1 and Tier 2 component levels.

QA Consultants provides extensive testing solutions that will prepare OEMs to be compliant with the regulation. Our testing solutions help Tier 1 and Tier 2 suppliers to test their product at the component level. Currently, QA Consultants is developing a testing solution to identify the vulnerability of autonomous vehicles against various cybersecurity attacks. Our testing framework is incorporated with vulnerability scanning, Fuzz testing, and Penetration testing. We incorporate WP.29 CSMS threats and conduct rigorous analysis to identify vulnerable entry points and perform the appropriate testing.



Coming next month
To learn more please visit our EmTech page at More topics to come soon! Stay tuned to our next newsletter.

Our partners:


Recent thought leadership