A Comprehensive Guide to UNECE R155/R156 Compliance

In an exclusive discussion with Automotive IQ, Darren Shelcusky, Senior Consultant for Vehicle and Mobility Cybersecurity at Ford Motor Company, explores the essential aspects of complying with UNECE R155/R156 regulations.

This insightful conversation highlights the industry's progress in meeting these rigorous standards. Darren offers a thorough overview, from clarifying the distinctions between cybersecurity standards and regulations to outlining their impact on OEMs and the wider automotive cybersecurity landscape.

Dive into this interview to grasp the primary obstacles, essential procedures, metrics, and broader ramifications of achieving compliance amidst the rapid evolution of automotive cybersecurity. 

Q: What insights can you share into how the industry can prepare for the deadlines for UNECE R155/R156 compliance?

Darren

First, the difference between cybersecurity standards and regulations needs to be understood. Standards are reference documents typically designed by members of an industry under the control of an authority such as the SAE. For vehicles, the cybersecurity standard ISO/SAE 21434 proposes a framework for engineering cybersecurity into a vehicle. Regulations, on the other hand, are legally binding directives issued by a governmental body.

The United Nations Economic Commission for Europe (UNECE) published the WP.29 R155 regulation which was strongly influenced by the ISO/SAE 21434 standard. R155 requires OEMs to prove to an authorized third-party auditor that their vehicle software and connected ecosystem have gone through rigorous cybersecurity measures during development and after production. A failure to prove good cybersecurity posture would impact an OEM as they would not be able to sell their vehicles in UNECE-regulated markets until they remediate cybersecurity gaps.

Note that the ISO/SAE 21434 standard focuses on a vehicle’s electrical and electronic systems and only addresses in-vehicle software and systems. Other relevant standards apply for off-board systems such as cloud and telematics. OEMs should also reference ISO 27001 as a foundation to establish cybersecurity management practices to meet UNECE R155 requirements for cyber-relevant off-board systems that a vehicle may rely on. In short, UNECE R155 provides the regulatory framework, and standards can help organizations implement and meet the cybersecurity requirements outlined in the regulation.

Q: What insights can you share into how the industry can prepare for the deadlines for UNECE R155/R156 compliance?

Darren

It’s essential to clearly define what is cyber-relevant for your CSMS and type approval. R155 requires the implementation of a Cyber Security Management Systems (CSMS) to manage cybersecurity risks. This encompasses policies, processes, and practices to identify, assess, and mitigate risks throughout the vehicle lifecycle including the vehicle and connected services. This not only includes the in-vehicle software but anything that can remotely change or query the state of a vehicle. Cyber-relevant off-board things include but are not limited to manufacturing provisioning, service tools, OTA software updates, backend-end services and APIs, EV charging infrastructure, customer-brought-in devices (e.g. mobile/cell phone), and digital assistants.

Q: Can you share with us how UNECE R155 compliance has affected OEMs and provide insights into the measures that need to be taken to comply with it?

Darren

The shift from moving from best practices and engineering practices to documented and auditable processes and evidence to demonstrate compliance can introduce additional work products for engineering teams.

1. An OEM must document and provide auditable evidence of their vehicles and connected ecosystem cybersecurity posture and adherence to their documented CSMS throughout the vehicle lifecycle.

2. An OEM must track vulnerabilities throughout the vehicle lifecycle and be responsible for patching vehicles in a timely manner against newly discovered critical vulnerabilities.

3. An OEM must institute, install, and maintain cybersecurity governance and a cybersecurity culture, including awareness management, competence management, and continuous improvement.

4. An OEM must Identify and assess the cybersecurity risks associated with connected services and implement appropriate security measures to mitigate those risks.

5. An OEM must institute capabilities to monitor, detect, and respond to cyber threats for post-production vehicles, commonly referred to as a VSOC. This includes but is not limited to:

a. Cybersecurity monitoring

b. Cybersecurity event evaluation

c. Vulnerability analysis

d. Vulnerability management

Q: What metrics should be established around the implementation of R155 as an OEM?

Darren

TARAs risk completion rates: Vehicles and their components that are cyber-relevant must have a threat analysis and risk assessment (TARA) completed as a part of the engineering process. A set of risks are documented and tracked which govern the cybersecurity design and testing of the vehicle and connected ecosystem.

Cybersecurity testing completion rates: Testing is used to verify that vehicles, components, and connected ecosystems meet cybersecurity requirements. Third-party testing (e.g. Pen Testing) may be involved.

Incident response completion time: Tracking incident response actions to cybersecurity events and mitigation of the consequences of cybersecurity incidents. Timely reporting to relevant authorities may also be required based on the criticality of an incident.

Q: Are there any specific processes that should be adopted to achieve compliance with R155/R156 regulations, if so, what are they?

Darren

The R155/R156 regulations require OEM competence in four different disciplines:

1. Managing vehicle and connected ecosystem cybersecurity risks.

2. Securing vehicle design and processes to mitigate risks throughout the vehicle lifecycle.

3. Detecting and responding to security incidents across the vehicle fleet.

4. Providing safe and secure software updates.

Some of the processes that OEMs must establish as part of their CSMS include but are not limited to:

• Assigned roles and responsibilities to employees with the appropriate skills and competencies.

• Process for identifying, analyzing, rating, and prioritizing automotive cybersecurity risks.

• Process for responding to security incidents and vulnerabilities discovered both during vehicle development and post-production launch.

• Process to manage and collect evidence of supplier compliance with cybersecurity requirements.

• Process to report the outcome of monitoring activities, information related to new cyberattacks, and potential incidents that might require adjustment of security protections to regulators.

• Process to ensure that risk assessments are kept current.

Q: How should an OEM demonstrate and prove that they are indeed compliant with R155 requirements?

Darren

OEMs must demonstrate that they have a process and corresponding evidence for identifying, managing, and mitigating cybersecurity risks throughout the vehicle lifecycle and for a particular vehicle type. Cybersecurity testing such as functional testing, interface testing, penetration testing, fuzz testing, and vulnerability scanning are used to provide evidence of a product’s compliance. Evidence of malicious activity detection by the VSOC provides evidence of the ability to detect cyber events in the vehicle and connected ecosystem. A Vehicle Security Operations Center (VSOC) can provide real-time visibility and insights into anomalous vehicles and connected ecosystem behaviors, security incidents, events and conditions, and responses to mitigate any threats that are detected.

Q: In navigating the road to R155/ R156 compliance, what are some of the key challenges facing the automotive industry? What measures should be adopted to solve these challenges?

Darren

R155/R156 is a complex regulation, and it can be difficult to understand all the requirements. This can lead to the creation of processes and evidence that may not meet the requirements of the regulation. Documenting processes

is a time-consuming and difficult task. Once processes have been documented, they need to be implemented, which may require changes to existing workflows and practices. You also need to write procedures for employees to follow and train them so that they understand and follow them correctly. You also need to monitor your processes and ensure that they are effective and audit them to ensure that they are compliant with your CSMS and R155 regulations.

Q: How has achieving R155 compliance impacted the industry’s approach to vehicle and mobility cybersecurity on a broader scale?

Darren

Automotive cybersecurity is constantly evolving and is not a static condition. OEMs must now address cybersecurity throughout the vehicle’s life cycle, and not focus only on the development portion of a vehicle’s lifecycle. Vehicle cybersecurity encompasses multiple dimensions including the connected ecosystem, suppliers, and the vehicle lifecycle as vulnerabilities can be introduced from many different parts of the automotive ecosystem. This becomes increasingly important as the industry moves towards more production of software-defined vehicles and autonomous vehicles.

Want more Cybersecurity content? We have industry reports, articles and leadership insights in the form of interviews. See A Road Map to Automotive Cybersecurity Compliance