UNECE R155: A Guide for OEMs - Part 1
June 14, 2023
CRO - Chief Revenue and Investor Relations Officer
With vehicle “smartphonization,” cars are more connected, and therefore bigger targets for hackers. Features that are now standard in most cars - such as GPS, Wi-Fi, Bluetooth, V2V, keyless entry, etc. - are all attractive targets for cybercriminals looking for a quick win without needing physical access to the vehicle’s computers. In response, regulatory bodies are taking action to require OEMs to put safeguards in place in an effort to prevent cyberattacks.
One such regulation is UNECE R155 of the United Nations Economic Commission for Europe. This commission (known as the UNECE) is a regulatory body tasked with developing vehicle regulations that are applicable to the 62 member countries of the UNECE 1958 agreement. UNECE R155 lays out certain requirements that OEMs must fulfill related to vehicle cybersecurity.
UNECE R155 is a welcome step towards stricter cybersecurity standards in the automotive industry, but compliance is not as simple as each OEM (automotive manufacturer) making sure its own operations are fully compliant. While UNECE R155 applies only to OEMs, each OEM is fully responsible for collecting evidence from its suppliers to prove that the OEM is fully compliant with the regulation.
UNECE R155 Basics
OEMs are obligated to first obtain a certificate of compliance with Cybersecurity Management System (CSMS) requirements and then to seek approval for each new vehicle type they produce. The following is an overview of the UNECE R155 requirements:
Cybersecurity Management System Requirements
A Cybersecurity Management System must be implemented by OEMs to incorporate cybersecurity elements into the development and production of all vehicles. In order to receive the necessary certificate of compliance, OEMs must prove that they have set up the following:
- Security Management and Governance - roles and responsibilities assigned to employees with the appropriate skills and competencies to manage the process.
- Risk Management - a clear procedure for identifying automotive cybersecurity risks (both at the OEM and supplier levels) and then analyzing, rating, and prioritizing the identified risks. Security controls should also be designed and tested.
- Incidents and Vulnerabilities - guidelines for reacting to security incidents or discovered vulnerabilities both during development and post-production.
- Supply Chain Interaction - OEMs are fully responsible for all components delivered by suppliers all along the supply chain. OEMs must sign contractual agreements with suppliers and provide evidence of supplier compliance with cybersecurity protections.
Vehicle Type Requirements
Once the CSMS is in place and certified, OEMs are required to also prove that each new type of vehicle that they produce follows the processes that are approved as part of the CSMS.
As of July 2022, UNECE R155 was mandatory for all new vehicle types manufactured in the EU, and starting in July 2024 it will apply to all new vehicles in the EU. OEMs have some time to prepare, but not much given the timetables for developing and manufacturing new vehicles. The more they plan in advance and get accustomed to the new procedures, the smoother the process will be.
So What’s Next?
OEMs will need to integrate their Tier 1, Tier 2, and lower-tier suppliers even more tightly into their design, development, and manufacturing processes. They will need to receive from each of their suppliers the evidence necessary to stay compliant with UNECE R155. Specifically, they have to ensure that any supplier they work with can provide its own risk assessment results, proof of security testing, and evidence of how any newly discovered vulnerabilities are handled.
While the process may sound onerous, it is ultimately for the benefit of the OEMs and their customers, who expect that the cars they purchase are secure and protected from cybersecurity breaches. Fortunately, it is possible for OEMs to ensure full compliance with UNECE R155, including making sure suppliers are able to provide the evidence OEMs need, without reinventing the wheel or adding significant time to their production process.