The mobility of tomorrow enthuses customers and comes with great business opportunities for vehicle manufacturers. Increasing connectivity facilitates upcoming mobility solutions like autonomously driving vehicles or functional upgrades enabled “over-the-air”. Unfortunately, hackers profit, too – increasing connectivity opens up new vectors for cyber-attacks.
The United Nations Economic Commission for Europe is a unique worldwide regulatory forum for harmonization of vehicle regulations (UNECE WP.29).
Resulting from the growing importance of cybersecurity, standards/norms such as the ISO/SAE 21434 or as regulation as UNECE WP.29 such as R155 and R156, on cybersecurity and software updates were published recently.
The UN regulation 155 (R155) is on uniform provisions concerning the approval of vehicles with regards to cybersecurity and a cybersecurity management system (CSMS). The ISO/SAE specifies engineering requirements for cybersecurity risk management system. Besides that the UN regulation 156 (R156) also comes with requirements on security and is focusing on software updates.
To sum the international regulations up: they shall ensure the security of cars and set the framework of automotive cybersecurity. Thus, cybersecurity becomes mandatory for type approval. At least in Europe.
ISO/SAE 21434, UNECE WP.29 R155 and R156
The UN R155 references the industry standard ISO/SAE 21434 “Road vehicles – Cybersecurity Engineering”. This standard specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.
R155 as well as R156 require measures to be implemented by the vehicle manufacturer and to passenger cars, vans, trucks and buses, light four-wheeler vehicles if equipped with automated driving functionalities from level 3 onwards; trailers if fitted with at least one electronic control unit.
The regulations require that actions be taken in four different disciplines:
- “Managing vehicle cyber risks
- Securing vehicles by design to mitigate risks along the value chain
- Detecting and responding to security incidents across vehicle fleet
- Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for so-called “Over-the-Air” (O.T.A.) updates to on-board vehicle software.”*
Furthermore, there are two different perspectives to be considered when referring to the UNECE WP.29 R155 prerequisites for type approval:
First of all processes and organizational structures with respect to cybersecurity management, as well as vehicle requirements to manage cybersecurity risks.