What is UN R155?
UN Regulation No. 155 (UN R155) is a regulatory framework created by the World Forum for Harmonization of Vehicle Regulations (WP.29), a working party within the Sustainable Transport Division of the United Nations Economic Commission for Europe (UNECE). WP.29 integrates technological advancements into regulatory frameworks so that safer and environmentally viable vehicles are manufactured moving forward. As part of its work, it implemented UN R155 in January 2021.
UN R155 requires the presence of a cybersecurity management system (CSMS) in vehicles. In a nutshell, a CSMS ensures that cybersecurity practices and measures are adequately applied across the development process and life cycle of vehicles.
What is its impact?
UNECE WP.29’s regulatory frameworks apply to its 54 member countries, including the European Union, the UK, Japan, and South Korea. In addition, certain regions and countries might require manufacturers (OEMs) to comply with UN R155 and other WP.29 regulations before allowing them to enter their markets.
While targeted toward manufacturers, UN R155 cascades to the rest of the supply chain, as it requires a CSMS from the development, production, and post-production phases of a vehicle.
UN R155 can be taken as a positive step forward as it helps OEMs and other stakeholders to create a safer connected car ecosystem that leaves room for further development and potential detours.
How do you comply with UN R155?
UN R155 gives general and goal-based requirements to assess if a CSMS is present and cybersecurity is adequately achieved. The key challenges presented by this regulation to companies are the need to conduct a thorough risk assessment and the need to identify and respond to cyberattacks throughout a vehicle’s life cycle.
To these ends, UN R155 includes Annex 5, which lists 69 attack vectors or risks and defines the focus areas that manufacturers must consider to secure their vehicles. These focus areas include:
- Back-end servers. Examples of threats that involve back-end servers include abuse of privilege by staff and unauthorized internet access to servers.
- Communication channels. Threats that involve the internal communication channels of a car include spoofing messages, code injection, and interception of information.
- Update procedures. Risks that root from or involve a vehicle’s update procedures include the manipulation of software before an update process and denial-of-service (DoS) attacks that could prevent update rollouts.
- Human error. This focus area draws attention to risks brought about by human action, such as not following defined security procedures and falling for tricks that enable cyberattacks.
- External connectivity. External connectivity risks relate to how a vehicle interacts and communicates with its external environment. These typically entail attacks on a vehicle’s sensors, external interfaces, and remote functions.
- Data or code. Data- or code-related threats affect the data and information stored, collected, and used by a vehicle. Examples include unauthorized access to an owner’s personal information, falsification of vehicle data, and introduction of malicious software.
- Vulnerability hardening sufficiency. This focus area pertains to vulnerabilities that could be exploited should protective measures prove insufficient to defend a system against them. Such risks involve the compromise of cryptographic technologies, hardware, and software.
How can VicOne help you comply with UN R155?
With the ever-evolving state of automotive cybersecurity and the pressure of complying with relatively new regulations, it might be difficult to decide on the best solutions for your architecture. For you to be CSMS-certified and adaptive to cyberthreats, you must put in place measures that can identify, analyze, and defend connected cars against risks throughout the vehicles’ life cycle.
VicOne offers comprehensive and flexible solutions to assist you in complying with UN R155 and developing secure vehicles. By leveraging automotive threat intelligence and providing end-to-end vehicle cybersecurity protection, VicOne’s solutions ensure your compliance with UN R155 while keeping you on top of the latest automotive cybersecurity incidents.
Explore Solutions Request a DemoLearn More
What vehicle types should comply with UN R155?
UN R155 applies to the following UNECE categories and conditions, covering passenger cars, vans, trucks, buses, and certain light four-wheelers:
- Category M/N: vehicles having at least four wheels
- Category O: trailers fitted with at least one electronic control unit (ECU)
- Category L6/L7: Light four-wheelers equipped with at least Level 3 of driving automation
Which countries does UN R155 apply to?
UN R155 applies to the 54 member countries of the 1958 UNECE Transportation Agreements and Conventions, including the EU, the UK, Japan, and South Korea. But countries that are not among the 54 should still consider the implications of this regulation if they intend to sell to these member countries.
What are the implications of UN R155 for manufacturers and their suppliers?
According to the regulation, manufacturers must demonstrate that cybersecurity methods and processes are in place throughout a vehicle’s life cycle, including development, production, and postproduction. Manufacturers that meet the regulatory requirements will receive type approvals, be able to sell their vehicles in countries that have adopted the regulation, and be able to brand their companies as reliable to their customers. Although Tier 1 and Tier 2 suppliers do not need to obtain their own compliance approvals, they must demonstrate to their manufacturers that the cybersecurity requirements have been implemented.
What are the automotive cybersecurity requirements of UN R155?
UN R155 primarily discusses the requirements for obtaining the CSMS and vehicle type approvals. Manufacturers should adopt a certified CSMS to protect the entire life cycle of their vehicles against cyberthreats and vulnerabilities. In terms of vehicle type approvals, manufacturers should demonstrate that they have implemented cybersecurity measures in the design architecture, risk assessments, and cybersecurity controls.
How does UN R155 affect vehicles already on the road?
Existing vehicles and type approvals issued before the enforcement of UN R155 are not affected.
What is the relationship of UN R155 to the ISO/SAE 21434 standard?
UN R155 and ISO/SAE 21434 both include requirements of cybersecurity risk management throughout a vehicle’s life cycle. If manufacturers and their suppliers can meet the ISO/SAE 21434 standard, then they should also be able to comply with UN R155.
Know More From Our Resources
Gain Insights Into Automotive Cybersecurity
