Economic and Social Council

Similar documents
Information technology Security techniques Information security controls for the energy utility industry

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

TURKISH STANDARDS INSTITUTION

This document is a preview generated by EVS

Directive on security of network and information systems (NIS): State of Play

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

ISO/IEC Information technology Security techniques Code of practice for information security controls

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

ISO/IEC TR TECHNICAL REPORT

ISO/IEC TS Conformity assessment Guidelines for determining the duration of management system certification audits

Data Security Standards

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

ISO INTERNATIONAL STANDARD

European Directives and reglements for Information security

DATA PROTECTION POLICY THE HOLST GROUP

Electronic Commerce Working Group report

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

DATA PROTECTION POLICY

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Data Protection Policy

Information technology - Security techniques - Privacy framework

Committee on the Internal Market and Consumer Protection

European Transport Policy: ITS in action ITS Action Plan Directive 2010/40/EU

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Status report of TF-CS/OTA

ISO/IEC Information technology Security techniques Code of practice for information security management

Internet of Things, A European Outlook Antonis Tzortzakakis, Treasurer ECTA

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

ENISA s Position on the NIS Directive

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

This document is a preview generated by EVS

Information technology Security techniques Information security controls for the energy utility industry

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

ITU activities on secure vehicle software updates

Digital Security Risks to Transport Infrastructure: Automated Vehicles February, 2018

Information technology Security techniques Code of practice for personally identifiable information protection

The Global Research Council

UWTSD Group Data Protection Policy

ISO/IEC Information technology Security techniques Network security. Part 5:

European Union Agency for Network and Information Security

Google Cloud & the General Data Protection Regulation (GDPR)

Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Telecommunication Standardization Bureau (TSB) Consultant

ISO INTERNATIONAL STANDARD. Road vehicles FlexRay communications system Part 1: General information and use case definition

ENISA EU Threat Landscape

RESOLUTION 130 (REV. BUSAN, 2014)

Australian/New Zealand Standard

OBTAINING CONSENT IN PREPARATION FOR GDPR

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

UWC International Data Protection Policy

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

The NIS Directive and Cybersecurity in

ISO/IEC INTERNATIONAL STANDARD

Security and Privacy in Car2Car Adhoc Networks

Version 1/2018. GDPR Processor Security Controls

T-CY Guidance Note #8 Obtaining subscriber information for an IP address used in a specific communication within a criminal investigation

ISO/IEC TR Information technology Security techniques Guidelines for the use and management of Trusted Third Party services

Roche Directive on the Use of Roche Electronic Communication Tools

INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Conformity assessment Requirements for bodies certifying products, processes and services

Provläsningsexemplar / Preview TECHNICAL REPORT ISO/TR First edition

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Entity authentication assurance framework

BKK CENTRE FOR BUDAPEST TRANSPORT PRIVATE LIMITED COMPANY. PRIVACY POLICY on the BKK Online Shop sales

Data Processing Clauses

CHAPTER 13 ELECTRONIC COMMERCE

Procedure for Network and Network-related devices

Final Report of TF-CS/OTA

EXAM PREPARATION GUIDE

Cybersecurity eit. Software. Certification. Industrial Security Embedded System

Element Finance Solutions Ltd Data Protection Policy

Embedding GDPR into the SDLC

General Framework for Secure IoT Systems

ARTICLE 29 DATA PROTECTION WORKING PARTY

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

Minimum Requirements For The Operation of Management System Certification Bodies

DATA PROCESSING TERMS

Conformity assessment Requirements for bodies providing audit and certification of management systems. Part 6:

ISO/IEC INTERNATIONAL STANDARD

ETSI TR V1.1.1 ( )

PTSPAS Product Assessment HAPAS Equivalent in accordance with MCHW SHW Volume 1 Clause and

Innovation policy for Industry 4.0

How the GDPR will impact your software delivery processes

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL

Global cybersecurity and international standards

GDPR Update and ENISA guidelines

ISO/IEC INTERNATIONAL STANDARD

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

INTERNATIONAL STANDARD

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

ISO Information and documentation Digital records conversion and migration process

Transcription:

United Nations Economic and Social Council ECE/TRANS/WP.29/2017/46 Distr.: General 23 December 2016 Original: English Economic Commission for Europe Inland Transport Committee World Forum for Harmonization of Vehicle Regulations 171st session Geneva, 14-17 March 2017 Item 4.14 of the provisional agenda 1958 Agreement: Proposal for amendments to the Consolidated Resolution on the Construction of Vehicles (R.E.3) submitted by the Working Parties to the World Forum for consideration Proposal for draft guidelines on cyber security and data protection Submitted by the Informal Working Group on Intelligent Transport Systems / Automated Driving* The text reproduced below was prepared by the expert from Informal Working Group (IWG) on Intelligent Transport Systems / Automated Driving (ITS/AD). It is based on Working Paper ITS/AD-10-11-Rev.1, distributed during the tenth session of Informal Working group on ITS/AD. The IWG on ITS/AD is proposing the adoption of this Guideline on Cybersecurity and data protection by the World Forum for Harmonization of Vehicles Regulations (WP.29) at its March 2017 session. * In accordance with the programme of work of the Inland Transport Committee for 2016 2017 (ECE/TRANS/254, para. 159 and ECE/TRANS/2016/28/Add.1, cluster 3.1), the World Forum will develop, harmonize and update Regulations in order to enhance the performance of vehicles. The present document is submitted in conformity with that mandate.

I. Proposal "Guideline on cybersecurity and data protection Guideline on measures ensuring cybersecurity and data protection of connected vehicles and vehicles with Automated Driving Technologies 1. Preamble 1.1. The digitalisation of mobility and the associated increase in the amount of data are creating new requirements to be met by vehicle safety and infrastructure and the protection of the rights and freedoms of data subjects. 1.2. As the automation and interconnectivity of driving functions increases, the issues of data encryption and cybersecurity will become more important. 1.3. Connected vehicles and vehicles with Automated Driving Technologies (ADT) thus require clear cybersecurity and data protection rules. It has to be ensured that vehicles are protected from external interference and manipulation. 1.4. This guideline is intended to present requirements to automotive manufacturers, component/system suppliers and service providers for systems to be installed in vehicles to provide a high level of cybersecurity and to ensure data protection. They can use alternative approaches where at least an equivalent level of security can be demonstrated. 1.5. This guideline is intended as interim guidance until the completion of ongoing research and collaboration activities and the development of more detailed globally harmonized requirements on cybersecurity and data protection. 1.6. This guideline shall serve as a basis for the development of prescriptions in UN Regulations to ensure cybersecurity and data protection. 1.7. This guideline does not affect existing data protection legislation. This guideline is not aimed at falling short of or going beyond legal data protection regulations. 2. Scope 2.1. This guideline addresses the measures for connected vehicles and vehicles with ADT with regard to cybersecurity and data protection. 3. Definitions 3.1. (reserved) 3.2. "Connected vehicle" means a vehicle with a device installed designed to allow a wireless connection or communication possibly relating to automated driving technologies with external devices, cars, networks or services. 3.3. "Cybersecurity" means preservation of confidentiality, integrity and availability of information in the cyberspace, i.e. the complex environment 2

resulting from the interaction of people, software and services (e.g. on the Internet) by means of technology devices and networks connected to it, which does not exist in any physical form. 3.4. "Data protection" means a natural person s right to respect for his or her private and family life, home and communications with regard to the processing of personal data. 3.5. "Data subject" means an individual who is the subject of personal data (e.g. vehicle owners or drivers). 3.6. "Data protection by default" means a controller s obligation to implement technical and organizational measures which ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. 3.7. "Data protection by design" means a controller s obligation to implement technical and organizational measures appropriate to the controller s processing activity which are designed to implement data protection principles with the aim of protecting the rights of data subjects by reducing the likelihood and severity of the risk to his or her private and family life, home and communications. 4. The guideline's requirements 4.1. General: Connected vehicles and vehicles with ADT are intended to be fitted with measures ensuring cybersecurity and data protection and shall fulfil the requirements set forth below. (d) (e) (f) 4.2. Data protection. Everyone s right to his or her privacy and communications has to be respected. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Automotive manufacturer, component/system supplier and service providers shall respect the principles of data protection by default and data protection by design (see definitions 3.6 and 3.7). Automotive manufacturers, component/system suppliers and service providers must ensure that there is adequate protection against manipulation and misuse both of the technical structure and of the data and processes. To prevent non-authorized access to vehicles via the cyberspace automotive manufacturers, component/system suppliers and service providers shall ensure the secure encryption of data and communications. The system shall be accessible for verifying the measures implemented by automotive manufacturers, component/system suppliers and service providers to ensure cybersecurity and data protection by independent authorised audit. 4.2.1. The principle of lawful, fair and transparent processing of personal data means in particular: 3

(d) (e) (f) Respecting the identity and privacy of the data subject; Not discriminating against data subjects based on their personal data; Paying attention to the reasonable expectations of the data subjects with regard to the transparency and context of the data processing; Maintaining the integrity and trustworthiness of information technology systems and in particular not secretly manipulating data processing; Taking into account the benefit of data processing depending on the free flow of data, communication and innovation, as far as data subjects have to respect the processing of personal data with regard to the overriding general public interest; Ensuring the preservation of individual mobility data according to necessity and purpose. 4.2.2. The means of anonymization and pseudonymization techniques shall be used. Data subjects shall be provided with comprehensive information as to what data is collected and processed in the deployment of connected vehicles and vehicles with ADT, for what purposes and by whom. Data subjects shall give their consent to the collection and processing of their data on an informed and voluntary basis. 4.2.3. The collection and processing of personal data shall be limited to data that is relevant in the context of collection. If applicable, the data subject shall have the right to withdraw his or her consent if it involves functions that are not necessary for the operation of their vehicle or for road safety. 4.2.4. In addition, appropriate technical and organizational measures and procedures to ensure that the data subject s privacy is respected shall be implemented both at the time of the determination of the means for processing and at the time of the processing. The design of data processing systems installed in vehicles shall be data protection friendly, i.e. taking data protection and cybersecurity aspects into account when planning the components ("privacy by design") as well as designing the basic factory settings accordingly ("privacy by default"). 4.3. Safety. 4.3.1. Standards for the functional safety of critical electric and electronic components or systems in vehicles such as ISO 26262 shall be applied in the light of security-related requirements for connected vehicles and vehicles with ADT. 4.3.2. The connection and communication of connected vehicles and vehicles with ADT: Shall not influence internal devices and systems generating internal information necessary for the control of the vehicle without appropriate measures; Shall be designed to avoid fraudulent manipulation to the software of connected vehicles and vehicles with ADT as well as fraudulent access of the board information caused by cyber-attacks through: (i) (ii) Wireless connection; Wired connection via the diagnosis port, etc. 4

Shall be equipped with measures to ensure a safe mode in case of system malfunction, e.g. by redundancy in the system. 4.3.3. When connected vehicles and vehicles with ADT detect fraudulent manipulation by a cyber-attack, the system shall warn the driver and, if appropriate, control the vehicle safely according to the above requirements. 4.4. Security. 4.4.1. The protection of connected vehicles and vehicles with ADT requires verifiable security measures according security standards (e.g. ISO 27000 series, ISO/IEC 15408). 4.4.2. Connected vehicles and vehicles with ADT shall be equipped with: Integrity protection measures assuring e.g. secure software updates; Appropriate measures to manage cryptographic keys. 4.4.3. The integrity of internal communications between controllers within connected vehicles and vehicles with ADT should be protected e.g. by authentication. 4.4.4. Online Services for remote access into connected vehicles and vehicles with ADT should have a strong mutual authentication and assure secure communication (confidential and integrity protected) between the involved entities." II. Background information and administrative proposal A. Background information 1. This guideline focuses on connected vehicles and vehicles with ADT. 2. The digitalization of mobility and the associated increase in the amount of data are creating new requirements to be met by vehicle safety and infrastructure and the protection of personal rights. Connected vehicles and vehicles with ADT thus require clear cybersecurity and data protection requirements. 3. Connected vehicles and vehicles with ADT are under the obligation to perform their functions safely and reliably across national borders. The rights to individual mobility data have to be regulated clearly. 4. The objective is to ensure that vehicles are protected from external interference and manipulation. The principles of global data privacy law apply to data protection. 5. For cybersecurity and data protection required steps shall be checked, e.g. system checks by external organisations. B. Administrative proposal 6. This Guideline aims at the Construction of Vehicles and provides information on the legal texts applicable in the vehicle design, aiming the improvement of safety and the protection of the environment. The aim of this guideline is same as the aim of the Consolidated Resolution on the Construction of Vehicles (R.E.3). It is proposed to introduced the text of this guideline (Section I) as a newannex 6 to R.E.3. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback