Since the 1980s, electronic systems have been rapidly evolving and making their way into motor vehicles. Initially, these electronic systems were needed only for specific functions such as engine control units, airbags, and anti-lock braking systems (ABS). However, today’s cars are equipped with networked safety and infotainment functions that are constantly driving complexity, increasing distributed development, and growing quality requirements.
The evolution of vehicle control units has led to more than 100 bus nodes today, containing software with a total volume of almost 100 million program lines. It is estimated that the contribution of electronics to the value-added of the vehicle today is 30 percent. The rapid development of new drive concepts, innovative assistance functions, cross-system safety functions, and communication with other road users up to autonomous driving vehicles will continue to push the boundaries of what is technically feasible in the future.
However, with the increasing number of individual control units, the complexity has grown, and unfortunately, potential entrances for hackers have grown as well. There have been several hacking attacks on-road vehicles:
To keep pace with the rapid digital evolution and the related risks, the UN/ECE decided that vehicle manufacturers must have a management system for cybersecurity and software updates and that independent third parties must test and confirm the validity of these systems. Therefore, new vehicle cybersecurity regulations were published in mid-2021. Protection against cyberattacks is a mandatory requirement for new EU-type approvals of vehicles issued after July 2022 as a result of Regulation (EU) 2019/2144 (GSR2). Two new UN/ECE regulations provide the future framework for vehicle cybersecurity:
- UN-R 155 requires the operation of a certified cybersecurity management system (CSMS).
- UN-R 156 requires the operation of a software update management system (SUMS).
The UN/ECE Regulations No. 155 and No. 156 apply to passenger cars, vans, trucks, and buses and cover all safety-related aspects of software-based E/E systems, including:
- The management of vehicle-relevant cyber risks
- Securing vehicles “by design” to mitigate risks along the value chain
- Detecting and responding to security incidents across vehicle fleets
- Safe and secure vehicle software updates to ensure the integrity and safety are not compromised
- Introduction of a legal basis for over-the-air (OTA) updates
In addition to the manufacturer’s initial assessment and product testing by the technical service, proof of implemented and effective specific management systems for cybersecurity and software updates is required for type approval to be granted. These requirements apply not only to vehicles under Regulation (EU) 2018/858 but also, by analogy, to vehicles under Regulations (EU) 167/2013 and (EU) 168/2013.
In conclusion, the evolution and trends in automotive E/E systems present both challenges and opportunities. With the increasing complexity and potential for cyberattacks, cybersecurity, and software updates are now essential to vehicle design and operation. However, as the industry moves towards autonomous driving and other innovative functions, there is immense potential for growth and development in the future. Manufacturers must stay ahead of the curve and continuously innovate while keeping safety and security at the forefront.