Regulation UN R155 – Cybersecurity becomes relevant for approval in automotive development
In January of this year, the new regulation UN R155 came into effect, making cybersecurity relevant for approval in the automotive industry for the first time.
In an interview with our Head of Cybersecurity, Jana Karina von Wedel, the cybersecurity expert talks about why this regulation is relevant and what it changes for various stakeholders.
September 27th, 2021 – Reading time: 10 minutes
INVENSITY: Ms. von Wedel, with the new regulation UN R155 coming into effect, the topic of cybersecurity is receiving a new level of attention within the automotive industry. How does this manifest itself in concrete terms in your eyes?
Jana Karina von Wedel: What is really new is that cybersecurity in automotive development will be required to gain approval in many countries for the first time with this regulation. In concrete terms, this means that the development of a vehicle must be demonstrably compliant with the new regulation if you want to obtain type approval for it.
It will now be exciting to see how the manufacturers implement the new regulation. And when I say manufacturers, I don’t just mean the OEMs (the major car manufacturers). The regulation also indirectly places an obligation on all suppliers, because the OEMs must ultimately prove that their suppliers have also worked in accordance with the requirements of R155.
INVENSITY: Will there be a real obligation to provide proof of certification?
Jana Karina von Wedel: Yes, OEMs will have to be certified according to UN R155. This means they will have to undergo a certification through a corresponding approval authority.
For suppliers, the current situation is that OEMs are demanding proof that they are meeting the requirements of the ISO/SAE 21434, which was released in August of this year. ISO/SAE 21434 covers almost all aspects of R155 relevant to suppliers.
INVENSITY: One would think that in times of increasing connectivity of vehicles up to automated driving cars, the topic of cybersecurity in the automotive industry would already be an important matter. Now we are learning that this is not the case. However, none of this can really be new. So what exactly is making OEMs and their suppliers so nervous?
Jana Karina von Wedel: For many, it is simply still unclear to what level they are affected by this regulation and what exactly they need to do to reach approval. If you are an OEM, it is quite clear what you have to do for approval depending on your target market. If you are a supplier, the situation is a bit more complicated, because it is not always clear what the OEM expects in the end or what exactly is required. Especially since the final version of the ISO/SAE was just published on August 31st, and many are not yet familiar with it, it is understandable that there is still a lot of uncertainty circulating in the market.
Especially those for whom this is completely new may get scared that the first milestone that makes the regulation relevant for new type approvals is coming up in less than one year, in July 2022. Two years later UN R155 will be applicable for all newly produced vehicles. These customers have the feeling that they are standing at zero. How are they supposed to get there in the first place? And that’s when it becomes interesting to show them that even if they haven’t yet dealt with cybersecurity in detail, perhaps they still have other things they can build on, such as processes, structures, and roles from the area of functional safety or from the company’s own IT.
INVENSITY: How can we ensure clarity for our customers in this regard?
Jana Karina von Wedel: The first step is to build understanding so that OEMs and their suppliers can understand what is expected of them.
In the second step, companies that had nothing to do with security in the past must be addressed, because they were not classified as particularly critical, for example, because their products have no safety relevance or external wireless interfaces. However, these companies also have to follow up because UN R155 and ISO/SAE 21434 clearly prescribe that you must complete a detailed threat analysis and risk assessment, a TARA, to understand what cybersecurity risks there are for your product.
Once you have a good technical understanding of those risks, having processes in place that ensure that they are suitably handled and tracked helps a lot. As mentioned before, areas like functional safety or IT can be built upon to define such processes. In terms of technical content, functional safety and cybersecurity are of course worlds apart. One protects the environment from the system, the other protects the system from the environment, so the scope is completely different. But purely in terms of the steps that are needed, the processes and interfaces that exist within the development, and the roles and structures that are needed, there are many similarities. If those are well defined for functional safety, you can build from a solid foundation.
Topics such as incident response management or continuous cybersecurity monitoring are fields that are quite normal for IT. This was not invented by the automotive or embedded world. ISO 27001 also discusses these topics, and every larger company has an IT department that is ISO 27001 certified, or lately TISAX certified for the automotive industry, which also builds upon ISO 27001. This means that even though IT is an area with which development usually does not have much to do, you can perhaps learn and carry over a couple of things from there.
We help our customers find out what precisely they can reuse and build upon from these and other areas so the definition of cybersecurity processes doesn’t have to start from scratch.
INVENSITY: How can INVENSITY help in a concrete, next step?
Jana Karina von Wedel: As mentioned, it is crucial to understand the risks inherent to your product in order to define appropriate measures, be they technical or of a process nature. Many customers who have received cybersecurity requirements for the first time after UN R155 went into effect have asked us to perform a TARA for or with them and to propose suitable measures based on the results.
When it comes to processes, we have conducted a small series of workshops with many of our primary customers in order to understand what can be built upon, what needs to be done and to be able to propose measures accordingly. In advance, we receive information on development processes and specifications, templates, etc. from the areas of R&D and IT, which we review and discuss together in an initial workshop.
Based on the common understanding gained in this way, we develop proposals for concrete measures that build on what is already in place in order to quickly reach a good level with reasonable effort. In defining these proposed measures, we not only draw on our experience in the field of cybersecurity, but also on that of related development areas. We then discuss them in a further workshop with the relevant stakeholders and a plan is agreed upon.
INVENSITY: Has INVENSITY done anything similar in the past?
Jana Karina von Wedel: We have had a lot of similar projects in the area of safety, especially when the second edition of ISO 26262 came out, which no longer affected just passenger cars, but also trucks, buses, etc. We worked with several customers to set up corresponding processes and structures and explain the procedure to them. We also worked with some of our customers who consider cybersecurity to be a central topic for them when the first draft of ISO/SAE 21434 was published. We supported them in aligning their processes and structures accordingly and in implementing them in concrete projects.
So, we don’t just say what could be done, we also define the processes together and then take the next step. We implement the whole thing together in a pilot project so that we can test the practicality of the measures and determine if everything works the way we thought it would, so that we can make further adjustments if necessary.
INVENSITY: Thank you very much for taking the time for the interview and for the interesting insights into the new regulation UN R155.