Buckle Up for Security: A Look at the UN R155 Regulation for Connected Vehicles

The automotive industry is entering an important stage of cybersecurity implementation. This month, UNECE Regulation 155 (UN R155) about vehicle cybersecurity and Cybersecurity Management Systems (CSMS) came into full force. What does that mean for the larger automotive industry and product security teams?

UN Regulation No. 155 (R155) specifically focuses on cybersecurity and cyber security management systems (CSMS) for vehicles. This regulation aims to establish a standardized approach to securing connected vehicles throughout their lifecycle.

UN R155 Explained

UN R155 is a set of regulations developed by the United Nations Economic Commission for Europe (UNECE) pertaining to cybersecurity in vehicles. The regulation establishes cybersecurity requirements for the vehicle manufacturing process and vehicle type approval, aimed at enhancing the security of connected vehicles and increasing resilience against cyber attacks. This applies to a broad range of vehicles, including passenger cars, commercial vehicles, and even certain types of motorcycles, as long as they possess electronic control units (ECUs) or automated driving functionalities. The regulation outlines several key requirements for manufacturers:

• Cybersecurity Management System (CSMS): Manufacturers must implement a robust CSMS to identify, assess, and mitigate cybersecurity risks throughout the entire vehicle development lifecycle, from design and production to post-deployment maintenance.
• Security and the CI/CD Pipeline: Security should begin at build and be a priority over the entire development cycle. Identifying risks at each stage is a critical step. Knowing before you ship helps security teams manage risk and safeguard their customers. Using tools that work together in your pipeline is your best practice.
• Risk Assessment: A thorough risk assessment needs to be conducted to identify potential vulnerabilities and attack vectors that could compromise vehicle security. This involves analyzing the vehicle's software, hardware, and network architecture.
• Security Measures: Based on the risk assessment, manufacturers must implement appropriate security measures to protect the vehicle against cyberattacks. This could include measures like secure coding practices, encryption, access control, and vulnerability management. Continuously monitoring your software for new vulnerabilities is a key step in meeting the demands for cybersecurity from regulators and customers.
• Incident Response: A plan for handling cybersecurity incidents needs to be established. This includes procedures for detecting, investigating, and responding to cyberattacks in a timely and effective manner.
• Type Approval: Manufacturers must obtain type approval from a designated authority to demonstrate compliance with R155 before their vehicles can be placed on the market.

These requirements are holistic in nature and call for vehicle manufacturers to follow cybersecurity-by-design principles. From a grander organizational perspective to granular vehicle attack vector assessments, the CSMS requirements seek appropriate cybersecurity measures that continuously monitor, detect, and respond to cyber threats across the vehicle development lifecycle. According to UN R155, vehicle manufacturers should ensure that their Cybersecurity Management System complies with the following stipulations:

• The vehicle manufacturer shall demonstrate that their CSMS applies to the vehicle development, production, and post-production stages.
• The vehicle manufacturer shall demonstrate that the processes used within their CSMS to ensure security is adequately considered and implemented continuously. This requirement entails cybersecurity management processes, risk identification, assessment, and mitigation.
• OEMs are expected to stay on top of new cyber threats and vulnerabilities, keeping their security measures current.
• Vehicle manufacturers must be able to provide relevant data to support analysis of attempted or successful cyberattacks to their designated Approval Authority.
• OEMs shall demonstrate that the processes used within their CSMS will ensure that cyber threats and vulnerabilities are addressed and mitigated within a reasonable time frame.
• Vehicle manufacturers must be able to demonstrate how their CSMS will manage dependencies that may exist with suppliers, service providers, or manufacturer’s sub-organizations. This means that OEMs are accountable for implementing and verifying cybersecurity practices along their supply chains.

Impacts on Product Security Teams

The R155 regulation directly impacts product security teams in the automotive industry. Here's why:

• Increased Focus on Security: R155 mandates a proactive approach to cybersecurity. Product security teams will need to work closely with engineers and other stakeholders to integrate security best practices throughout the development process.
• Shifting Priorities: The focus may shift from traditional functional testing to a more holistic security posture that encompasses vulnerability assessments, penetration testing, secure coding practices and continuous monitoring of new vulnerabilities as they are identified.
• Compliance Burden: Demonstrating compliance with R155 can be a complex and time-consuming process. Product security teams will likely play a vital role in gathering evidence and documentation to satisfy regulatory requirements.

Staying Ahead of the Curve

The good news is there are proactive steps organizations can take to ensure compliance with R155:

• Invest in Security Expertise: Building a team of skilled security professionals or partnering with external security consultants can help you navigate the complexities of the regulation.
• Integrate Security Early: Embedding security considerations into the design and development phases is crucial. This helps identify and address vulnerabilities early on, minimizing costly rework later.
• Leverage Automation: Utilizing automated tools for vulnerability scanning and secure code analysis can streamline the security process and improve efficiency. Monitoring on a regular basis for new vulnerabilities will reduce the burden on security teams and keep your product compliant over its life.

How Finite State Can Help

Finite State’s tooling is specifically designed to address the unique challenges of securing connected devices, including vehicles. Here's how our platform can help organizations meet compliance with R155:

• Deep Code Analysis: Our advanced binary SAST and source code analysis capabilities have the best compatibility with programming languages commonly used in embedded systems, ensuring thorough security assessments.
• High-Fidelity SBOMs: Our platform auto generates SBOMs in required industry formats (SPDX, CycloneDX), provides software component information including transitive dependencies, along with the related vulnerabilities.
• Streamlined Workflows: Finite State integrates seamlessly with existing development workflows, allowing developers to fix vulnerabilities efficiently without disrupting their development processes. 
• DevSecOps Focus: Our ability to generate SBOMs at any stage of the SDLC, with vulnerability guidance, embeds a security mindset from the start of development.
• Continuous monitoring For New Vulnerabilities: Our continuous monitoring future-proofs your security. We notify you on a daily basis of newly reported vulnerabilities, so you can protect your customers in near real-time. 

By implementing a robust security posture and leveraging tools like Finite State, product security teams in the automotive industry can navigate the evolving regulatory landscape and ensure the development of secure and compliant connected vehicles. As the road to hyper connected vehicles progresses, prioritizing cybersecurity is no longer optional; it's the key to a safe and reliable future for both drivers and manufacturers.