There is always a lot of movement in the complex world of the automotive industry. At the moment, however, there is a particularly strong pioneering spirit around everything that has to do with automotive cybersecurity. New resources are being allocated to the subject, new responsibilities are being assigned, and specialists are urgently needed everywhere. Their main job, in general terms, is to pave the way for truly reliable statements to be made, for example about the level of compliance that has actually been achieved.
- I. A short overview: Background knowledge on UN Regulation No. 155
- II. Good to know: The area of application of UN R155
- III. UN R155, USA, China, “Self-Declaration” and GTRs
- IV. To put it in a nutshell: Application of UN R155, that’s only a topic for OEMs, isn’t it?
- V. Achieve compliance with UN R155: How to implement a Cyber Security Management System?
- VI. Do the processes given in the status quo comply with UN Regulation No 155? Facing an impact assessment
- VII. A lot of groundwork for one purpose: Ensuring type approval before SOP
To achieve this, two main objectives usually have the highest priority:
- Create awareness of the fundamental principles of automotive cybersecurity at executive and management level, as well as within ongoing project activities.
- Initiate, at an early stage, a valid assessment of the regulatory requirements against the procedures already in place in the organization, their application in practice and their efficient reuse across projects.
Not only does ISO/SAE 21434 (see also our latest blog on the official publication of ISO/SAE 21434:2021) set specific requirements; the UNECE WP.29 working party GRVA also specifies requirements for cybersecurity and cybersecurity management systems (CSMS) in UN Regulation No. 155 (short: UN R155).
A short overview: Background knowledge on UN Regulation No. 155
The UNECE WP.29 (World Forum for Harmonization of Vehicle Regulations) deals with the harmonization of regulations for vehicles and vehicle equipment. Within WP.29 there are six permanent working parties, each dealing with specific topics around the vehicle. The GRVA is one of these working parties and deals with automated/autonomous and connected vehicles. It is also the starting point for UN R155 as well as for UN Regulation No. 156 on software update management systems (for more information see our topic page UN Regulation No 156 & SUMS).
Unlike ISO/SAE 21434, which does not prescribe particular processes (but requires conformance and the creation of work products that demonstrate it), UN R155 requires the setup and implementation of a management system for cybersecurity across the vehicle lifecycle (the so-called Cybersecurity Management System, or CSMS for short).
What UN R155 demands is strongly based on the requirements of ISO/SAE 21434, which is why ISO/SAE 21434 helps both in creating the processes for the CSMS and in securing type approval.
Good to know: The area of application of UN R155
UN Regulation No. 155 entered into force in January 2021, and two dates are binding: from July 2022 the requirements apply, within the contracting parties to the UNECE 1958 Agreement, to all new vehicle types seeking type approval, and from July 2024 they apply to all new vehicles, not only to new types.
It is important to note that UN R155 is mandatory for type approval in the 54 member countries. These 54 countries are the contracting parties to the UNECE 1958 Agreement.
Although the USA and China, for example, do not belong to the UNECE's area of application, experts expect UN Regulation No. 155 to develop into a "de facto global standard".
The main reason is that vehicle approval in the USA is not equivalent to approval in the member countries: vehicles authorized for use in the USA cannot be brought onto the global market, or onto the market of the UNECE member countries, on the basis of that approval.
UN R155, USA, China, “Self-Declaration” and GTRs
For this reason, non-UNECE member countries offer the possibility of a so-called "self-declaration" (self-certification). This is already practiced in the USA and Canada. Requirements based on UN R155 are defined by the local authorities; in the USA, for example, the relevant framework is the Federal Motor Vehicle Safety Standards (FMVSS) issued by NHTSA.
The OEM must meet these requirements accordingly and declare its conformity.
In such self-certification regimes, market entry is generally possible without a type approval against a specific regulation such as UN R155. After market entry, however, the approval authority of the respective country reserves the right to carry out compliance tests and to recall the vehicle in the event of non-compliance.
China is also officially outside the area of application of UN R155. However, OEMs there must meet similar requirements for type approval (the so-called CCC, "China Compulsory Certification") and must additionally cover country-specific aspects arising from the China Cybersecurity Law.
For countries that are not party to the 1958 Agreement (see above), such as those that are party only to the 1998 Agreement, it may become possible to implement requirements originating in the 1958 Agreement through so-called GTRs (Global Technical Regulations).
Since 1998, several GTRs have already been published (e.g. for pedestrian safety and for hydrogen and fuel cell vehicles). It is therefore conceivable that UN R155 will be treated the same way, which could simplify harmonization with countries outside the 1958 Agreement. Note, however, that type approval itself is not within the scope of the 1998 Agreement and its GTRs: a GTR defines technical requirements, and each contracting party transposes them into its own national law.
To put it in a nutshell: Application of UN R155, that’s only a topic for OEMs, isn’t it?
A key aspect of UN Regulation No. 155 is the introduction of a certified Cybersecurity Management System (CSMS) as part of the consideration of cybersecurity aspects in the type approval process.
Does this mean that the corresponding responsibility only lies with the original equipment manufacturers (OEMs)?
Yes and no. Yes, insofar as OEMs are the ones held accountable here; no, insofar as the main objective is to ensure compliance with cybersecurity requirements along the entire value chain, i.e. across the entire supply chain.
Since a considerable proportion of the cybersecurity-relevant components of a vehicle still come from suppliers, it quickly becomes obvious that suppliers are deeply involved in the multidimensional requirements of UN R155.
On the one hand, this is simply necessary given a vehicle's structure; on the other hand, OEMs are obliged to manage this resource-intensive complexity efficiently, which they do by passing the requirements down the supply chain.
For example, consideration of the UN R155 requirements is already part of the statements of work of well-known OEMs today.
Achieve compliance with UN R155: How to implement a Cyber Security Management System?
What sounds like a simple question to which Google could provide a quick answer is in fact a multidimensional and far-reaching undertaking that involves the entire organization as well as the technical details of the product along its entire lifecycle, at several levels.
At the same time, the question doesn't really arise in this form, because, fortunately, an organization usually does not start from scratch with cybersecurity requirements.
It is therefore a matter of reviewing the organization's own status and its own processes in order to determine, in a holistic manner, whether the requirements are already correctly addressed.
The CSMS is the benchmark and starting point for type approval, and in practice this is where the main attention is paid. Without the corresponding Certificate of Compliance (CoC) for the CSMS, the actual vehicle type approval cannot even be initiated.
Do the processes given in the status quo comply with UN Regulation No 155? Facing an impact assessment
In order to develop valid answers to the above question, the following procedure has proven itself in practice:
1. Define scope, analyze and define action plan
It is important to understand the current cybersecurity processes as comprehensively as possible. A gap analysis (see our ISO/SAE 21434 Gap Analysis) is helpful for this, especially if ISO/SAE 21434 principles are already established in the organization.
Based on the identified gaps, action items can be derived and the topics and processes required for a CSMS can be broken down in a structured manner. Creating this overview is elementary.
2. Implementation of the framework
During implementation, it is important that there is a general understanding of and awareness for automotive cybersecurity within the organization.
This ensures that processes are rolled out holistically and that a continuous improvement process is in place.
Any deviation from the state of the art should also be recognized at an early stage by every process participant, so that countermeasures can be initiated in time.
This is an essential prerequisite for piloting the CSMS.
3. Piloting, ongoing alignment + certification
Once the processes have been implemented, the pilot phase follows. Lessons learned and sanity checks are essential here. Continuous monitoring of the processes is also directly required by UN R155.
Internal audits are helpful in preparing for the actual assessment by the approval authority or its Technical Service.
It is important here to consistently follow the relevant timeline. Type approval should be available at the start of production (SOP), and the type approval process can take up to three months. Before the actual type approval, the CoC for the CSMS must be available, and you should plan a processing time (including the audit) of a further three months for this in any case.
Simple mathematics: this means that the CSMS must be in place and ready for assessment roughly six months before the actual SOP.
The implementation of the CSMS builds strongly on the organization's existing cybersecurity processes and on any conformance with ISO/SAE 21434 that is already in place.
A lot of groundwork for one purpose: Ensuring type approval before SOP
As mentioned, without a CSMS (and the associated Certificate of Compliance), type approval is not possible.
The result is an inability to enter the market, which is a significant competitive disadvantage for the OEM.
It is important to mention here again that UN R155 is nevertheless not a subject purely for the OEM. Tier-N suppliers also need to ensure that cybersecurity principles are systematically embedded in their organizations.
In our consulting experience, we see that the associated requirements are already largely part of daily business and therefore already represent an important supplier selection criterion.
To sum it up: the sooner OEMs and especially Tier-N suppliers (who are always at risk of addressing this too late) tackle the CSMS, the better. Cybersecurity requirements are primarily a question of timing here: the earlier a systematic approach is taken, the fewer issues will occur later in the rollout or audit.
Felix Roth is Senior Consultant at CYRES Consulting. After his master's degree in Management and Technology from TU Munich and several stops in different companies and fields, including digitalization and Industry 4.0, he joined CYRES Consulting back in 2019. At CYRES Consulting he is co-responsible for the CYRES Academy and is involved in various cybersecurity projects. He is also a member of the DIN NA 052-00-32-11 AK "Cybersecurity" and thus of ISO/TC 022/SC 32/WG 11 "Cybersecurity", which covers the development of ISO/SAE 21434 and ISO/PAS 5112.