Last January, Tesla's entire IVI (In-Vehicle Infotainment) and Gateway systems were hijacked. The culprit(?) was Synacktiv, a French information security company. They found a significant cybersecurity vulnerability at the first 'Pwn2Own Automotive', a vehicle hacking competition, and took first place, winning a prize of approximately $450,000.
As Pwn2Own's main sponsor, Tesla proactively takes the lead in uncovering cybersecurity vulnerabilities by providing its vehicles to white-hat hackers. Even though meticulous preparations for cyberattacks are made in the design phase, security vulnerabilities evolve continuously. Therefore, it is essential to discover new vulnerabilities (zero-day vulnerabilities) for which there are no security patches and respond proactively to prevent the spread of subsequent damage. In particular, more software-controlled functions, as in SDVs (Software-Defined Vehicles), mean a proportional rise in hacking risk. Therefore, preemptive and continuous preparation for vehicle safety is necessary.
International regulations also follow the same trajectory. In 2020, the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) introduced automotive cybersecurity management (UN R155) and software update management (UN R156). Based on international regulations, Korea also established standards optimized for its automotive management laws and regulations, fostering a safer driving environment. This is the 'Motor Vehicle Management Act Amendment', promulgated last February.
The Motor Vehicle Management Act Amendment
The amendment revises clauses that needed supplementing as vehicles became software-oriented. The key issues are the Cyber Security Management System (CSMS) and software updates. CSMS refers to managerial, technical, and physical protection to protect vehicles from cyberattacks and threats. Automakers and importers can only sell vehicles in Korea with a CSMS certification. If the certification is revoked, vehicle sales are prohibited.
Additionally, when automakers update software for functions related to safety standards, they must submit the relevant information in advance to the Ministry of Land, Infrastructure, and Transport. Automakers can request partner companies to submit the results of analyzing the impact that software updates may have on safety standards, and the results can be used as evidence for regulatory compliance.
There is a big difference between the Motor Vehicle Management Act Amendment and the UN regulations. UN regulations require certification for both the CSMS and the software update management system (SUMS), but the Motor Vehicle Management Act only requires CSMS certification. CSMS certification from UN R155 cannot be substituted for the one from the Motor Vehicle Management Act. The Act recognizes certificates issued solely by the Korean Ministry of Land, Infrastructure, and Transport.
However, automakers and importers with CSMS certification from UN R155 will not face great difficulties obtaining CSMS certification from the Korean Ministry of Land, Infrastructure, and Transport. This is because the Korean Motor Vehicle Management Act and enforcement ordinance are based on UN R155 and R156. Since the CSMS preparation requirements of UN R155 and the Motor Vehicle Management Act Amendment hardly differ, the primary task for automakers and importers is adjusting their existing cybersecurity policies and procedures to comply with Korean regulations.
What and How to Prepare
The preparatory requirements may vary depending on whether the UN R155 certification has been obtained. First, it is essential for automakers that have not obtained UN certification to establish a CSMS that adheres to ISO/SAE 21434. This must encompass not only the development phase but also the production and post-production phases. Additionally, TARA (Threat Analysis and Risk Assessment), cybersecurity testing, and validation procedures are essential, and the necessary resources to execute them must be secured. Lastly, the establishment and operation of procedures for continuous cybersecurity monitoring, incident response, and incident-related data provision are mandatory.
If the CSMS certification for UN R155 has been obtained, optimization work, such as reviewing and supplementing the system in accordance with the Korean Motor Vehicle Management Act, is necessary.
The Upcoming Motor Vehicle Management Act Amendment, Taking Effect Next Year, Requires a Practical Breakthrough
According to the Motor Vehicle Management Act Amendment, regulations will be implemented for new vehicles in August 2025 and for existing vehicles in August 2027. Accordingly, Korean automakers and importers need to quickly prepare to respond to the Motor Vehicle Management Act Amendment.
If you encounter challenges in independently responding to regulations, you may also consider collaborating with a specialized company that leverages its experience with success cases to recommend efficient response strategies.
In 2023, FESCARO contributed to the early acquisition of automotive cybersecurity certifications (CSMS, SUMS, VTA [UN R155·R156], and ISO/SAE 21434) for automakers and controller developers, hitting a grand slam in consulting for the four major international automotive cybersecurity certifications. This expertise empowers FESCARO to deliver the most practical response solutions, including an optimized guide for the Motor Vehicle Management Act Amendment.