In today’s automotive landscape, vehicles are no longer isolated machines. They are increasingly connected, software-driven ecosystems, offering enhanced convenience, safety, and performance. However, this digital evolution introduces significant cybersecurity risks. Recognizing this, the United Nations Economic Commission for Europe (UNECE) developed UN Regulation No. 155 (UNR 155), a landmark regulation aimed at ensuring the cybersecurity of road vehicles. For automotive manufacturers, understanding and achieving compliance with UNR 155 is not just a regulatory hurdle; it’s a fundamental necessity for building safe, secure, and trustworthy vehicles for the future.
The Genesis and Goals of UNR 155
The increasing sophistication and connectivity of vehicles have created new vulnerabilities that malicious actors could exploit. From compromising safety-critical systems to stealing personal data, the potential consequences of automotive cyber-attacks are severe. In response to this growing threat, the UNECE’s World Forum for Harmonization of Vehicle Regulations (WP.29) introduced UNR 155 in January 2021.
The primary goals of UNR 155 are to:
Establish a Cybersecurity Management System (CSMS): Mandate that automotive manufacturers implement a documented and systematic approach to managing cybersecurity risks throughout the lifecycle of their vehicles.
Ensure Cybersecurity by Design: Integrate cybersecurity considerations into the early stages of vehicle development, rather than treating it as an afterthought.
Promote a Culture of Cybersecurity: Foster organizational processes, responsibilities, and governance structures that prioritize cybersecurity.
Facilitate Risk Assessment and Mitigation: Require manufacturers to identify, assess, and mitigate cybersecurity risks relevant to their vehicles.
Enable Incident Response: Establish processes for monitoring, detecting, and responding to cyberattacks and vulnerabilities.
Enhance Supply Chain Security: Address cybersecurity risks associated with the complex network of suppliers involved in vehicle production.
Key Requirements of UNR 155
UNR 155 outlines specific requirements that automotive manufacturers must adhere to achieve compliance. These include:
Establishing a Certified Cybersecurity Management System (CSMS): Manufacturers must demonstrate that they have a CSMS in place that covers the entire vehicle lifecycle (development, production, and post-production). This system needs to be certified by an approval authority. The CSMS should encompass organizational processes, responsibilities, and governance for managing cybersecurity risks.
Risk Assessment and Treatment: Manufacturers are required to conduct thorough risk assessments to identify potential cyber threats and vulnerabilities relevant to their vehicle types. This includes analyzing attack surfaces, potential impacts, and likelihood of occurrence. Based on the risk assessment, appropriate mitigation measures must be implemented and verified. Annex 5 of UNR 155 provides a comprehensive list of attack vectors that manufacturers must consider.
Security by Design: Cybersecurity must be integrated into the design and development phases of the vehicle. This includes implementing secure coding practices, secure communication protocols, and robust authentication and authorization mechanisms.
Detection and Response to Cyberattacks: Manufacturers must establish processes to monitor for, detect, and respond to cyberattacks and security vulnerabilities throughout the vehicle’s lifecycle. This includes having the capability to analyze attempted or successful attacks and implement necessary updates and fixes in a timely manner.
Data Logging and Forensics: The regulation requires manufacturers to log relevant data to support the detection of cyberattacks and enable forensic analysis in case of an incident.
Supply Chain Management: Manufacturers are responsible for managing cybersecurity risks associated with their suppliers and service providers. This includes ensuring that suppliers also have adequate cybersecurity measures in place.
Software Update Management System (SUMS): While UNR 155 primarily focuses on the CSMS, it works in conjunction with UNR 156, which specifically addresses the requirements for Software Update Management Systems. Compliance with both regulations is crucial for ensuring the ongoing security of vehicles through secure over-the-air (OTA) updates.
The Importance of UNR 155 Compliance
Compliance with UNR 155 is becoming increasingly vital for automotive manufacturers for several reasons:
Market Access: For vehicles to be sold in the 64 countries that are signatories to the 1958 Agreement (including EU member states, Japan, and South Korea), manufacturers must demonstrate compliance with UNR 155 for new vehicle types since July 2022, and for all new vehicles produced from July 2024 onwards. Failure to comply can result in the inability to sell vehicles in these significant markets.
Enhanced Security and Safety: By adhering to the requirements of UNR 155, manufacturers can significantly enhance the cybersecurity posture of their vehicles, reducing the risk of cyberattacks that could compromise safety-critical systems and endanger drivers and passengers.
Protection of Brand Reputation and Customer Trust: A successful cyberattack can severely damage a manufacturer’s reputation and erode customer trust. Demonstrating a commitment to cybersecurity through UNR 155 compliance can build confidence among consumers.
Mitigation of Legal and Financial Risks: Non-compliance with regulations can lead to legal penalties, fines, and potential liabilities in the event of a cyber incident. Implementing a robust CSMS as required by UNR 155 helps mitigate these risks.
Alignment with Industry Best Practices: UNR 155 aligns with and often references industry best practices and standards like ISO/SAE 21434, providing a framework for manufacturers to adopt a comprehensive approach to automotive cybersecurity.
The Path to UNR 155 Compliance
Achieving UNR 155 compliance requires a strategic and systematic approach. Manufacturers typically need to:
Conduct a Gap Analysis: Evaluate their existing cybersecurity processes and identify areas that need to be aligned with UNR 155 requirements.
Establish and Implement a CSMS: Develop and implement a comprehensive Cybersecurity Management System that meets the requirements of the regulation.
Perform Thorough Risk Assessments: Identify and analyze potential cybersecurity risks throughout the vehicle lifecycle.
Implement Security Controls: Design and implement appropriate technical and organizational security measures to mitigate identified risks.
Develop Incident Response Plans: Establish procedures for detecting, analyzing, and responding to cybersecurity incidents.
Ensure Supply Chain Security: Implement processes to manage cybersecurity risks associated with suppliers.
Obtain CSMS Certification: Undergo an audit by an accredited approval authority to obtain certification of their CSMS.
Demonstrate Vehicle Type Approval: For each new vehicle type, demonstrate that cybersecurity measures have been implemented according to the requirements of UNR 155.
Maintain Ongoing Compliance: Continuously monitor and improve their CSMS and cybersecurity measures to adapt to the evolving threat landscape.
Conclusion: Securing the Future of Automotive Mobility
UNR 155 represents a significant step forward in ensuring the cybersecurity of connected vehicles. By mandating a comprehensive and lifecycle-oriented approach to cybersecurity management, the regulation drives automotive manufacturers to prioritize security in their design, development, production, and post-production processes. Compliance with UNR 155 is not merely a regulatory obligation; it is a crucial investment in the safety, security, and trustworthiness of the next generation of vehicles, paving the way for a more secure and reliable future of automotive mobility. As the automotive industry continues its digital transformation, embracing and adhering to regulations like UNR 155 will be paramount for building and maintaining consumer confidence and ensuring a secure driving experience for all.
