April 19, 2022
Over 400 million connected cars are estimated to be on our roads worldwide by 2025, according to Statista. On top of Bluetooth and Wi-Fi connectivity ports, connected cars contain telematics and electronic control units (ECUs) that deliver services via the internet, such as remote unlock and start, traffic monitoring and infotainment. These vehicles are digitally complex, fed by about 100 million lines of software code. That’s tens of millions more lines of code than are necessary for a jumbo passenger plane or fighter jet.
Digital complexity will multiply as the technology for electric and self-driving vehicles progresses and Internet of Things (IoT) connectivity increases. The potential for bad actors to exploit software vulnerabilities in connected cars or hack into a vehicle network is mounting, making cybersecurity a top priority for vehicle manufacturers and their suppliers.
Cybersecurity boils down to risk management. Emerging regulations in the automotive industry underscore the need for manufacturers to proactively manage and mitigate security risks from vehicle design through decommissioning.
UNECE R155 and R156
In 2020, the United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations (WP.29) adopted two new regulations that specify performance and audit requirements for managing a vehicle’s cyber risk and software updates. UN R155 requires manufacturers to set up and implement a certified cybersecurity management system (CSMS) to receive type approval in UNECE member countries. UN R156 requires manufacturers to implement a software update management system (SUMS) to help prevent vehicle safety from being compromised due to a software update, including over-the-air updates.
For both CSMS and SUMS, “system” refers to risk-based organizational processes, responsibilities and governance that manufacturers must implement to help mitigate threats and protect against cyberattacks on their vehicles. To handle these types of issues, manufacturers need to have documented processes and people] in place.
Vehicle compliance with R155 and R156 applies to the 64 UNECE member countries, including all 27 European Union countries, the United Kingdom, Australia, Japan, South Korea and others. The regulations cover passenger cars, vans, trucks and buses.
Vehicle manufacturers are not only accountable for adhering to the UNECE regulations themselves but will also have to prove that their suppliers comply as well. They’ll need to collect and verify information from suppliers to demonstrate that risks have been identified and managed. The CSMS certification requirement to release cars in UNECE countries puts additional pressure on vehicle manufacturers and the entire automotive supply chain.
Since January 2021, R155 and R156 will become binding in UNECE countries for all new vehicle types beginning July 2022 and will be mandatory for all new vehicles produced from July 2024 onward. Legacy vehicles with type approval already in UNECE markets have until July 2024 to meet the R155 and R156 requirements.
The ISO/SAE 21434 industry standard, published in August 2021, complements the UNECE regulations. Generally, R155 and R156 define what needs to be done, and 21434 provides a blueprint for how. Manufacturers can use the risk management framework described in ISO/SAE 21434 to set up a CSMS for certification.
In the United States, which is not a UNECE member country, vehicle manufacturers are required by statute to self-certify that their products conform to National Highway Traffic Safety Administration (NHTSA) standards before they can be offered for sale. As vehicles become more connected and automated, cybersecurity-specific safety standards may be released, but presently there is only the non-binding NHTSA-issued Cybersecurity Best Practices for the Safety of Modern Vehicles. This recommendation has significant content overlap with the UNECE R155 and R156 regulations and ISO/SAE 21434.
Certification and testing required
The criteria for CSMS and SUMS are extensive. No part of a vehicle can be left out of the system. Certification and testing requirements specified in R155 and R156 can be assessed by the Type Approval Authority or by its designated technical service, such as UL. For instance, manufacturers may want a gap analysis performed on their CSMS to evaluate compliance with the UNECE regulations and ISO/SAE 21434 requirements for type approval. Hardware and software testing on automotive components and systems, such as functional and penetration tests, can help manufacturers understand exploitation risks and vulnerabilities and validate their cybersecurity measures.
In addition to obtaining a certificate of compliance, manufacturers must have processes in place to ensure that their suppliers also comply with the UNECE regulations. While Tier-N suppliers do not need compliance certificates, a third-party audit conducted by a designated technical service would be a powerful way for them to demonstrate compliance with the CSMS requirements.
The automotive industry is poised to be one of the most connected industries globally. A manufacturer’s ability to help preserve safety and provide cybersecurity throughout the life of a vehicle has not only become mandatory but is vital to securing customers’ trust.