UNECE R155: A Guide for OEMs - Part 2June 14, 2023
CRO - Chief Revenue and Investor Relations Officer
In a recent blog, we summarized the key elements of UNECE R155, a new regulation that requires OEMs to implement cybersecurity processes throughout the entire lifecycle of vehicle development. This regulation comes into effect in response to the growing “smartphonization” of vehicles and the recognition that the security and safety of today’s drivers and passengers is dependent on much more than the physical components like brakes or airbags.
With the increasing amount of software and cloud connectivity in vehicles, the threats of hackers and cyberattacks are greater than ever. UNECE R155 is a step in the right direction to ensure that security weaknesses and vulnerabilities are identified and mitigated as early as possible to prevent disasters.
All in all, this is good news for OEMs. It is in their best interest to ensure that the vehicles they produce are protected against cyberattacks. The challenge, however, is that the onus of compliance with UNECE R155 is only on the OEMs. It is their responsibility to prove compliance meaning that they need to collect from their many suppliers the required evidence.
To attain compliance with UNECE R155, there are two approaches that OEMs can take: they can define, implement, and follow a proprietary cybersecurity method that makes sure they meet the specific UNECE R155 requirements. Or, they can adopt ISO/SAE 21434 which covers all the processes required by the OEM to comply to UNECE R155. ISO/SAE 21434 also covers what the supply chain needs to provide as evidence to the OEM - a critial portion of UNECE R155.
Proprietary Approach: Closing the Gaps
This approach makes sense for those OEMs that have already begun taking cybersecurity into account and have some processes in place. For them, complying with UNECE R155 is a matter of locating the gaps and building on their existing processes to ensure full compliance.
For example, the average OEM is well-aware of the need to incorporate a certain level of cybersecurity elements in the development stage of new vehicles. Current production processes are likely to include security testing and steps to take to address potential security flaws. To ensure full compliance, OEMs can compare their existing protocols to the UNECE R155 requirements, identify the gaps, and create a plan for addressing the missing parts.
At the end of the day, the actual details of the Cybersecurity Management Systems (CSMS) that OEMs need to put in place are at the discretion of the OEM, provided that it meets certain minimum requirements. As long as they can show that they have a process for identifying, managing, and mitigating cybersecurity risks throughout the vehicle lifecycle, they will receive their CSMS certificate of compliance.
Evidence of the process running successfully with full risk results is only required once they are applying for vehicle type approvals.
Standards Approach: ISO/SAE 21434 to the Rescue
In parallel to UNECE R155, the International Organization for Standardization created ISO/SAE 21434, which provides OEMs and suppliers with recommended cybersecurity guidelines. The implementation of ISO/SAE 21434 by definition will help manufacturers comply with UNECE R155.
Many OEMs and suppliers are well-versed in ISO 26262, a standard focusing on vehicle safety. ISO/SAE 21434 was developed using the same structure and includes everything that OEMs need to fulfill the CSMS and vehicle type requirements of UNECE R155. If a supplier is already compliant with ISO/SAE 21434, the OEM can be confident that they will not have any issues in complying with UNECE R155 from their work with that supplier.
ISO/SAE 21434 is a process-oriented standard that can be used as a method for UNECE R155 by obtaining a set of deliverables for CSMS and vehicle type approval. Its scope allows OEMs to define Interfaces and security requirements for its suppliers (CID – Cybersecurity Interface Document) and ensure that every link in the supply chain is compliant.
The major benefits of ISO/SAE 21434 include:
- Common language - OEMs and suppliers will be speaking the same language related to vehicle cybersecurity, making it easier for suppliers to understand OEM needs when it comes to UNECE R155 compliance.
- Evidence - the suppliers’ proof of meeting ISO/SAE 21434 standards can be used as evidence for receiving vehicle type approval under UNECE R155.
- Safety - more vehicles will be meeting at least the minimum criteria for cybersecurity, protecting drivers and passengers.
The Road to Cybersecurity is Paved by UNECE R155
Given the huge number of cars on the road, the expected proliferation of software-defined vehicles and the resulting vulnerabilities to cyberattacks, it is clear that automotive cybersecurity needs to be a priority for OEMs and industry regulators. UNECE R155 is only the beginning, and it’s important to remember that it only applies to participating countries.
But other countries are bound to follow suit, and OEMs around the world can prepare by planning ahead and ensuring that their supply chains are fully compliant. An easy way to do this is to vet suppliers by whether or not they are implementing ISO/SAE 21434. Suppliers that are up to that standard are the ones that will be the perfect partners for UNECE R155 compliance.
We have developed a fully configurable, and reliable secure automotive gateway which provides the flexibility to control communication parameters while maintaining high bandwidth and secure connectivity across all ECUs in the vehicle. It supports J1939 in harsh automotive environments and is developed in accordance with ISO/SAE 21434 to support the OEM's cybersecurity requirements for UNECE R155.