UNECE WP. 29

Learn more about the United Nations Regulation No. 155 (UN R155)

What isUNECE WP.29/UN R155?

WP.29 is short for the World Forum for Harmonization of Vehicle Regulations, a working party within the Sustainable Transport Division of the United Nations Economic Commission for Europe (UNECE). WP.29 integrates technological advancements into regulatory frameworks so that safer and environmentally viable vehicles are manufactured moving forward. As part of its work, it implemented UN Regulation 155 (UN R155) in January 2021.

UN R155 requires the presence of a cyber security management system (CSMS) In-Vehicles. In a nutshell, CSMS ensures that cybersecurity practices and measures are adequately applied across the development process and life cycle of vehicles.

What is its impact?

UNECE WP.29’s regulatory frameworks apply to its 54-member countries, including the European Union, the UK, Japan, and South Korea. In addition, certain regions and countries might require manufacturers to comply with UN R155 and other WP.29 regulations before allowing them to enter their markets.

While targeted toward manufacturers, one can see how the UN R155 regulations cascade to the rest of the supply chain, as it requires CSMS from the development, production, and post-production phases of a vehicle.

WP.29’s UN R155 can be taken as a positive step forward as it helps vehicle manufacturers, OEMs, and other stakeholders create a safer connected car ecosystem that leaves room for further development and potential detours.

How do you comply with UN R155 regulations?

The UN R155 gives general and goal-based requirements to assess if CSMS is present and cybersecurity is adequately achieved. The key challenges presented by this regulation to companies is the need to conduct a thorough assessment of risks and identify and respond to cyberattacks throughout vehicle’s lifecycle.

To this end, UN R155 includes Annex 5, which lists 69 attack vectors or risks and defines the focus areas that manufacturers must consider to secure their vehicles. These focus areas include the following:

Backend servers.Examples of threats that involve backend servers include abuse of privilege by staff and unauthorized internet access to the server.
Communication channels.These threats involve the internal communication channels of the car, which include spoofing messages, code injection, and interception of information.
Update procedures.Risks that root from or involve a vehicle’s update procedures include the manipulation of software before an update process and denial of service (DoS) attacks that can prevent update rollouts.
Human error.This focus area leads attention to risks brought about by human action, such as not following defined security procedures and falling for tricks that enable cyberattacks.
External connectivity.External connectivity risks relate to how a vehicle interacts and communicates with its external environment. These typically entail attacks on vehicle’s sensors, external interfaces, and remote functions.
Data/Code.Data or code-related threats affect the data and information stored, collected, and used by vehicles. Examples include unauthorized access to an owner’s personal information, falsification of vehicle data, and introduction of malicious software.
Vulnerability hardening sufficiency.This focus area pertains to vulnerabilities that can be exploited should protective measures prove insufficient to defend a system against them. Such risks involve the compromise of cryptographic technologies, hardware, and software.

How can VicOne help you comply with UNECE WP.29/R155?

With the ever-evolving state of automotive cybersecurity and the pressure of complying with new relatively new regulations, it might be difficult to decide the best solution for your architecture. For organizations to be CSMS-certified and adaptive to cyberthreats, they must put in place measures that can identify, analyze, and defend connected cars against risks throughout a vehicle’s life cycle.

VicOne offers a comprehensive and flexible solution to assist OEMs in complying with the WP.29 regulation and developing secure vehicles. It is a cloud-based vehicle security operation center (VSOC) that provides multilayered visibility of connected vehicles. By leveraging automotive threat intelligence, smart sensors, and OEM data, xNexus ensures compliance with UNECE WP.29/R155 while staying abreast of the latest automotive cybersecurity incidents.

Learn more about how VicOne can support your compliance journey to the UNECE WP.29/R155 regulation.