What is UN R155?

UN Regulation No. 155 (UN R155) is a regulatory framework created by the World Forum for Harmonization of Vehicle Regulations (WP.29), a working party within the Sustainable Transport Division of the United Nations Economic Commission for Europe (UNECE). WP.29 integrates technological advancements into regulatory frameworks so that safer and environmentally viable vehicles are manufactured moving forward. As part of its work, it implemented UN R155 in January 2021.

UN R155 requires the presence of a cybersecurity management system (CSMS) in vehicles. In a nutshell, a CSMS ensures that cybersecurity practices and measures are adequately applied across the development process and life cycle of vehicles.

What is its impact?

UNECE WP.29’s regulatory frameworks apply to its 54 member countries, including the European Union, the UK, Japan, and South Korea. In addition, certain regions and countries might require manufacturers (OEMs) to comply with UN R155 and other WP.29 regulations before allowing them to enter their markets.

While targeted toward manufacturers, UN R155 cascades to the rest of the supply chain, as it requires a CSMS from the development, production, and post-production phases of a vehicle.

UN R155 can be taken as a positive step forward as it helps OEMs and other stakeholders to create a safer connected car ecosystem that leaves room for further development and potential detours.

How do you comply with UN R155?

UN R155 gives general and goal-based requirements to assess if a CSMS is present and cybersecurity is adequately achieved. The key challenges presented by this regulation to companies are the need to conduct a thorough risk assessment and the need to identify and respond to cyberattacks throughout a vehicle’s life cycle.

To these ends, UN R155 includes Annex 5, which lists 69 attack vectors or risks and defines the focus areas that manufacturers must consider to secure their vehicles. These focus areas include:

  • Back-end servers. Examples of threats that involve back-end servers include abuse of privilege by staff and unauthorized internet access to servers.
  • Communication channels. Threats that involve the internal communication channels of a car include spoofing messages, code injection, and interception of information.
  • Update procedures. Risks that root from or involve a vehicle’s update procedures include the manipulation of software before an update process and denial-of-service (DoS) attacks that could prevent update rollouts.
  • Human error. This focus area draws attention to risks brought about by human action, such as not following defined security procedures and falling for tricks that enable cyberattacks.
  • External connectivity. External connectivity risks relate to how a vehicle interacts and communicates with its external environment. These typically entail attacks on a vehicle’s sensors, external interfaces, and remote functions.
  • Data or code. Data- or code-related threats affect the data and information stored, collected, and used by a vehicle. Examples include unauthorized access to an owner’s personal information, falsification of vehicle data, and introduction of malicious software.
  • Vulnerability hardening sufficiency. This focus area pertains to vulnerabilities that could be exploited should protective measures prove insufficient to defend a system against them. Such risks involve the compromise of cryptographic technologies, hardware, and software.

How can VicOne help you comply with UN R155?

With the ever-evolving state of automotive cybersecurity and the pressure of complying with relatively new regulations, it might be difficult to decide on the best solutions for your architecture. For you to be CSMS-certified and adaptive to cyberthreats, you must put in place measures that can identify, analyze, and defend connected cars against risks throughout the vehicles’ life cycle.

VicOne offers comprehensive and flexible solutions to assist you in complying with UN R155 and developing secure vehicles. By leveraging automotive threat intelligence and providing end-to-end vehicle cybersecurity protection, VicOne’s solutions ensure your compliance with UN R155 while keeping you on top of the latest automotive cybersecurity incidents.

Explore Solutions   Request a Demo

Learn More

Know More From Our Resources

Gain Insights Into Automotive Cybersecurity

View More

Accelerate Your Automotive Cybersecurity Journey Today

Request a Demo