Product Security Glossary

WP 29

What is WP 29?

WP 29, also written as WP.29, is a set of regulations for the manufacture of automobiles. It was created by the Sustainable Transport Division of the United Nations Economic Council for Europe.  The goal of WP 29 is to make motor vehicles safer and more environmentally friendly.  The full name for WP 29 is the “World Forum for Harmonization of Vehicle Regulations”.  Its first iteration came out in 1958, and it’s been updated several times since.  A total of 54 countries have signed it.  The countries that haven’t signed it still have to consider it if they want to sell automobiles in countries that have signed it.

What does WP 29 have to do with IoT security?

Modern automobiles are connected to the IoT for several reasons.  They send telemetry data to the manufacturers, can activate automatic emergency alert systems, and are connected to satellite entertainment systems.  Many newer vehicles can be started remotely via a smartphone app, and some manufacturers have begun to incorporate autonomous driving features.  Security breaches could result in injury or death to the vehicles’ owners, and could also result in vehicle theft.   

In June 2020, WP 29 was updated to include regulations for vehicle cybersecurity. 

What cybersecurity regulations are in WP 29?

WP 29 requires vehicle manufacturers to manage cybersecurity risks when designing vehicles, and to perform testing to ensure that the risks have been properly managed.  Manufacturers must also maintain a current risk assessment, so that they can monitor cybersecurity attacks.  When a cybersecurity attack happens, whether or not it’s successful, the manufacturers must analyze it and respond effectively.  They then must assess whether cybersecurity measures will protect the vehicles against new attacks.

How will automakers comply with WP 29?

Automakers will have to implement a cybersecurity management system and ensure that their vehicles can connect to it.  They must have teams of personnel who can perform forensic analysis of cybersecurity attacks, and who can implement mitigation methods against those attacks.  They also need to consider the security of their communications channels, back-end servers, software update procedures, and IoT components that could be exploited without sufficient hardening.  Unintended human actions could also cause problems, so they must be considered as well.  Therefore, it is recommended that developers in the automotive industry use automated tools to detect insecure components and practices, suggest security measures, and alert on newly discovered vulnerabilities.

WP 29 also regulates the design and deployment of automotive software.  Secure coding practices must be used, and updates need to be deployed in a secure manner.  All software updates must be thoroughly tested to ensure that they work properly on the vehicles for which they’re intended, and to ensure that they actually fix problems without introducing new ones.  Security updates must be done in a timely manner and performed over-the-air as much as possible. 

WP 29 provides a framework for automobile safety standards.  Recently, requirements were added for automotive cybersecurity.  If you work in the automotive field, or if you own a recent-model vehicle, it might pay to be familiar with WP 29.