Access to data requirements


1 Access to data requirements
OICA comments on UN Regulation on Cybersecurity, with regard to:
- Access to data requirements
- Requirements over the Lifetime/Lifecycle

2 Context (1/2)
The draft UN Recommendation on Cybersecurity GRVA/2019/2 defines how a vehicle shall be protected against unauthorised access.
Recall of definition 2.3: “Access” means obtaining the use of a resource.
However, the term “(un)authorised access” is not used in the regulation part Annex A of the draft UN text.
At GRVA 3 (3-4 June 2019), FIGIEFA (International Federation of Automotive Aftermarket Distributors) presented document GRVA-03-16:
- Suggests definitions of authorised parties, services providers, diagnostics and RMI (Repair and Maintenance Information)
- Suggests an independent approval (non-OEM) of authorised parties
- Introduces provisions on functions to which authorised parties must have access
- Proposes to replace vehicle “lifecycle” by vehicle “lifetime” throughout

3 Context (2/2)
At the 15th session of the UN Task Force on Cyber Security and OTA issues, CITA, CLEPA, EGEA, ETRMA, FIGIEFA and FIA jointly tabled document TFCS, which:
- Introduces similar definitions with regard to access to data.
- Introduces requirements that a vehicle manufacturer has to demonstrate, for UN type approval, how he has implemented national and regional legal requirements to:
  - ensure unmonitored and independent access
  - read and write data on the vehicle
  - implement new routines from third parties, etc.
- No longer includes the former proposals with regard to vehicle “lifecycle” and vehicle “lifetime”.

4 ACCESS to DATA

5 Three fundamentally different domains
Cybersecurity = end-to-end security
- Threat analysis
- Mitigation
- Development, Production and Post-production Phase
Data access = competition & consumer choice
- Access rights for service providers
- Security, safety & liability
- Post-production Phase only
Data protection = privacy
- Rights of data subjects
- Conditions for lawful processing
- Security & confidentiality
- Development, Production and Post-production Phase

6 Contracting Parties have separate laws for each of these issues
Example of European Union
Data access
- Repair & Maintenance Information Regulation (part of whole vehicle type approval legislation)
- No regulation on data access at present
Cybersecurity
- Delegated act under type approval legislation planned (reference to UN Regulation)
- Cybersecurity Act
Data protection
- General Data Protection Regulation (GDPR)

7 Scope of UN Regulation on Cybersecurity
The UN Regulation should only address Cybersecurity.
It should not modify the legal situation for data access and data protection.
Do not pre-judge how Contracting Parties may regulate data access!
- Regulation or not?
- On-board, off-board or technology-neutral?
- Access to which data? For which users? For which purpose?
- Access to “resources” or “functions”?
- Access to HMI?
- Right to install third-party software & applications?

8 Proposal TFCS-15-23 by CITA, CLEPA, EGEA, ETRMA, FIGIEFA, FIA
The proposal TFCS does introduce new requirements for access to data but does not solve the related security and safety problems.
Who would be responsible for:
- Security implications?
- Safety implications?
- Type approval compliance?
- Compatibility?
- Vehicle resource conflicts?
- Liability?
It is a policy choice that should be left to each Contracting Party
=> Is out of the scope of the UN Regulation on Cybersecurity

9 What happens in the field (1/2)
Some aftermarket suppliers propose additional cameras which can be connected to the OBD port in order to brake or steer the vehicle. See:
Questions:
- Is this “authorized access” to the vehicle?
- Who is responsible for the safety of this vehicle during and after the use of the device?
- How to ensure cybersecurity?

10 What happens in the field (2/2)
- A vehicle owner loads his vehicle in a way that is not within the scope of the vehicle user instructions.
- A professional workshop adds new services and functions to a vehicle.
- A professional workshop writes new SW in the engine ECU adding power to the engine.
Questions:
- Is this “authorized”?
- Who is responsible for the safety of this vehicle during the specific use/modification or when the modification has been withdrawn?

11 OICA Proposal
If the UN Contracting Parties insist on adding a definition for “authorised access” in the UN text on Cybersecurity, OICA recommends adding the following definition in the recommendation part (core of the text, not the annex):
“Authorised access means access defined by applicable law; in the absence of applicable law, authorised access is given by the vehicle manufacturer.”
Justification:
- Contractual freedom for vehicle manufacturers
- In specific cases, the law of the Contracting Parties can define access rights for any third party
- The proposed definition is neutral for third parties
- No limitation of existing rights
- No creation of new rights

12 Lifetime vs Lifecycle

13 Lifecycle of a vehicle type* vs. Lifetime of a vehicle
*Vehicle type regarding Cybersecurity (System Type Approval) = E/E Architecture
[Diagram: lifecycle of a vehicle type* compared with the lifetimes of Vehicles 1, 2 and 3]
Lifecycle of a vehicle type*
- Phases: Development Phase, Production Phase, Post Production Phase
- Vehicle Type Approval (first vehicle of this vehicle type manufactured)
- Production definitively discontinued (last vehicle of this vehicle type manufactured)
- Article 4 of 1958 Agreement applies
- Note: Certificate of CSMS may still be valid
Lifetime of Vehicle 1, Vehicle 2 and Vehicle 3 (shown separately for each vehicle)
- Phases: Use Phase, Post Use Phase
- Milestones: Registration, End of Registration, Scrappage
- National law applies to registered vehicles
- Vehicles 1 & 2 & 3 can be of different carlines
Other diagram label: Day of Manufacture
The UN Regulation requires:
A comprehensive management system over the entire lifecycle of the vehicle type, including:
- Risk management
- Inclusion of suppliers
- Field Monitoring
- Incident response
OICA proposal
For clarification, replace systematically:
- Lifetime by “lifetime of the vehicle”
- Lifecycle by “lifecycle of the vehicle type”
Only “lifecycle” covers the development phase

14 How is cybersecurity covered over the lifetime of a vehicle?
Post production is addressed in Annex A, § 7.2 of the UN requirements:
- Vehicle manufacturers have to show the processes they implement to ensure cybersecurity during the development, production and post-production phase.
- The manufacturer has to demonstrate how he identifies new and evolving cyber threats and vulnerabilities and how he will appropriately react.
A UN Regulation (under the Geneva 1958 Agreement) is probably not appropriate to go further than this.
According to the applicable Whole Vehicle Type Approval Regulations, e.g. Framework Regulation EU 2018/858, where a vehicle presents a serious risk, the manufacturer shall immediately inform the authorities and launch the appropriate recall procedure.
Following a cybersecurity risk assessment, this recall procedure also applies to cyber threats and vulnerabilities, and remains valid even when the warranty period of the specific vehicle has expired.
The UN Regulation on Cybersecurity should be neutral with regard to how vehicles that present a serious risk shall be recalled (not in scope of 1958 Agreement). Those recall procedures are already defined in regional / national laws.

