UN Regulations R 155 & R 156: Steps For Improving Cybersecurity in Cars
Deepak Joshi
CISO, Cybersecurity, Data Privacy, GRC, AI / ML, MTech IIT Delhi, CISSP, CIPP/E, CHFI, ISO 27001 LA, 27701 LA, 42001 LA, PhD Research Scholar Deepfake Image Forensics
2. Key Components for ensuring implementation. The must-know key components of UN Regulation No. 155 (UN R155) include the following:
a. Cybersecurity Management System (CSMS). UN R155 mandates the implementation of a comprehensive Cybersecurity Management System throughout the automotive industry to ensure cybersecurity along the vehicle.
b. ISO/SAE 21434 Relationship. UN R155 is closely related to the ISO/SAE 21434 standard, which provides guidance for developing cybersecure products in the automotive sector.
c. Requirements Implementation. The regulation requires organizations to define scope, conduct gap analysis, implement the CSMS framework, conduct piloting, ensure ongoing alignment, and attain certification for compliance.
d. Type Approval Timing. UN R155 came into effect in 2021 with mandatory requirements for new vehicle types from July 2022 and for all vehicles from July 2024 within UNECE member countries.
e. Applicability Beyond OEMs. The regulation impacts not only original equipment manufacturers (OEMs) but also suppliers at various tiers in the automotive value chain, ensuring cybersecurity principles are implemented across organizations.
f. Audit and Certification. UN R155 necessitates auditing for compliance with the regulation, involvement of approval authorities, as well as obtaining a Certificate of Compliance for CSMS at least every three years.
g. Global Impact. While initially applicable to UNECE member countries, UN R155 is seen as a potential global standard due to its impact on market access and cybersecurity requirements, despite regions like the USA and China not being UNECE members.
h. Involvement of Suppliers. Both OEMs and suppliers are accountable for meeting UN R155 requirements, emphasizing the need for compliance with the CSMS principles along the entire automotive value chain.
i. Process Implementation. Emphasis is placed on creating awareness, assessing existing processes, initiating pilot phases, aligning with UN R155 requirements, and obtaining necessary certifications to ensure type approval before Start of Production (SOP).
3. Influence on EU Auto Cybersecurity Policy. The EU's new cybersecurity regulations, inspired by R 155 and R 156, are impacting the automotive industry, leading several automakers to discontinue older models because of the high cost of upgrading electronics to comply with the new standards. Concerns over data privacy and surveillance are arising due to the increasing use of cameras and sensors in modern cars, with implications for cybersecurity and potential surveillance by foreign governments.
4. Prevention of Cyber Attacks on Cars. To prevent cyber attacks on cars and ensure the cybersecurity of vehicles, several measures can be implemented:
a. Encryption and Secure Communication. Implement robust encryption mechanisms to secure communication between different vehicle components to prevent unauthorized access and tampering with data.
b. Secure Software Updates. Ensure that software updates for vehicle systems are securely delivered and authenticated to prevent malicious software from being introduced into the vehicle's onboard systems.
c. Intrusion Detection Systems. Employ intrusion detection systems that can monitor and flag any suspicious activity within the vehicle's network, enabling quick responses to potential cyber threats.
d. Access Control and Authentication. Implement strong access control mechanisms and multi-factor authentication to restrict access to critical vehicle systems and prevent unauthorized users from gaining control.
e. Firewalls and Secure Gateways. Deploy firewalls and secure gateways to filter incoming and outgoing network traffic, effectively blocking unauthorized access and malicious data packets.
f. Secure Vehicle-to-Everything (V2X) Communication. Ensure that communication protocols for V2X communications are secure and encrypted to prevent eavesdropping and tampering with vehicle-to-vehicle or vehicle-to-infrastructure communications.
g. Cybersecurity Training and Awareness. Provide cybersecurity training to vehicle manufacturers, suppliers, and users to increase awareness of potential cyber threats and best practices for cybersecurity in the automotive industry.
h. Regulatory Compliance. Adhere to cybersecurity regulations such as the United Nations regulations R155 and R156 or regional regulations to ensure that vehicles meet cybersecurity standards and guidelines.
By implementing a combination of these measures and continuously updating cybersecurity practices in line with R 155 and R 156, automakers can enhance the resilience of vehicles against cyber attacks and protect the privacy and security of vehicle systems and data.