In the continuous pursuit of a safer and more secure automotive industry, UN Regulation No. R155 (UN R155) was fully enforced in July 2022. Moving forward, all new vehicle types must meet all of UN R155’s new regulatory requirements before obtaining type approval. The requirements will become mandatory for all vehicles from July 2024 onwards.
Only automotive manufacturers (OEMs) who receive such type approvals are allowed to sell vehicles in 64 UNECE member countries. This means that vehicles authorized for use in the US, China, or other countries that do not belong to the UNECE, may not be brought into the markets of member countries such as the EU, the UK, Japan, and South Korea.
CSMS is now mandatory
With UN R155 in full swing, OEMs must demonstrate that a cybersecurity management system (CSMS) is present in their vehicles through general and goal-based risk assessments. While compliance with UN R155 is required for car manufacturers, it also has implications for the entire connected car supply chain, as Tier 1 suppliers must prove to manufacturers that they too have implemented all cybersecurity requirements on their end.
One noteworthy section of UN R155 is Annex 5, which details 69 potential attack vectors that directly affect vehicle cybersecurity. This helps manufacturers identify focus areas in securing vehicles, such as back-end servers, communication channels, update procedures, human error, external connectivity, data/code, and vulnerability hardening sufficiency.
Still, Annex 5 is not meant to be a definitive risk assessment checklist. Rather, it serves as a mere guide for car manufacturers in adequately securing vehicles throughout their full life cycle from development to post-production.
For OEMs, creating a cybersecurity strategy from scratch could be difficult and costly. To be fully compliant with UN R155, they must identify as many risks as possible and then put robust measures in place to mitigate them.
More importantly, the challenge for both OEMs and suppliers goes beyond basic compliance with regulations such as UN R155 and similar regulatory initiatives. As the world of mobility continues evolving, a comprehensive and future-oriented cybersecurity strategy is the best way to enable connected car stakeholders to always stay ahead of imminent cybersecurity threats.
VicOne, a prospective subsidiary of Trend Micro, leverages the cybersecurity leader’s 30+ years of leading industry expertise and offers the following cybersecurity solutions to help both OEMs and Tier 1 suppliers comply with the latest regulations, including UN R155:
- xZETA allows OEMs to scan vendors' firmware by using static and dynamic analysis to identify vulnerabilities and potential malicious behaviors. It also effectively reduces the attack surface from the beginning.
- xCarbon (intrusion detection and prevention system or IDPS for electronic control units or ECUs) provides superior detection and protection in vehicles, allowing vehicle security operations centers (VSOCs) to quickly understand the nature of a potential attack.
- xNexus, a detection and response (DR) platform for VSOCs, can help build awareness mechanisms and early warnings for incoming attacks.
- xScope is a penetration-testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.
Learn more about relevant guidelines for the automotive industry on our FAQ page.