A Crucial Step for Vehicle Manufacturers to Ensure Cybersecurity and Software Update Management Systems

In today’s fast-paced digital world, the automotive industry is evolving rapidly, with new technologies being introduced at an unprecedented rate. This has made cybersecurity and software update management systems a top priority for vehicle manufacturers as they seek to safeguard their customers from potential cyberattacks and ensure the safety and security of their vehicles.

UN/ECE Regulations No. 155 and No. 156 provide a robust framework for cybersecurity and software update management systems, establishing legal requirements for a manufacturer’s cybersecurity management system as a non-negotiable part of the vehicle type approval process.

UN-R 155 requires vehicle manufacturers to consider cybersecurity from the earliest stages of development, with security “by design” to mitigate risks and withstand cyberattacks. It also requires detection and response to security incidents throughout the vehicle’s lifecycle, as well as collaboration with suppliers to ensure vehicle safety in a distributed development environment.

To comply with UN-R 155, vehicle manufacturers must establish a cybersecurity management system (CSMS) for type approval of a new vehicle type and demonstrate that this CSMS is operational. The CSMS defines processes for the vehicle development, so that cyberattack risks are systematically recorded and assessed. This includes risk management implemented within the manufacturer’s organization to identify, assess, and mitigate cyber threats, as well as monitoring for known attacks and secure software distribution. Since the vehicle manufacturer is responsible for the entire supply chain, suppliers are also usually required to set up a CSMS, as is common practice for other product liability risks. 

Annex 5 of UN-R 155 provides numerous examples of attack methods and targets, highlighting the importance of securing wireless communication between the vehicle and its environment, protecting the update process to prevent the import of manipulated software, and ensuring adequate protection of software and data against manipulation and spying.

On the other hand, UN-R 156 establishes a systematic approach to defining organizational processes and procedures for delivering software updates for onboard control systems. This regulation ensures that vehicle manufacturers establish a secure and reliable software update management system (SUMS) with key features such as secure and controlled distribution of software updates, a centralized system for managing and tracking software updates, and mechanisms for verifying the authenticity of software updates to prevent unauthorized or malicious updates from being installed.

By complying with UN Regulation No. 156, vehicle manufacturers can demonstrate that their vehicles meet the required standards for software updates and software update management systems, improving consumer confidence in their products and reducing the risk of legal or regulatory action.

ISO/SAE 21434 and ISO/FDIS 24089 provide guidelines for cybersecurity and software update management systems in the automotive industry, respectively, serving as valuable resources for vehicle manufacturers looking to comply with UN/ECE Regulations No. 155 and No. 156.

Cybersecurity compliance for the vehicle type approval: Once a manufacturer has its CSMS and SUMS compliance certificates, it can develop a control unit and prepare all relevant documentation for type approval. The control units and their documentation are checked by the authorities, who then issue a system approval for those units. The approved control systems are built into a vehicle to be homologated in order to obtain type approval.

Understanding UN/ECE Regulations No. 155 and No. 156 is crucial for vehicle manufacturers looking to keep pace with the rapid digital evolution and protect their customers from potential cyberattacks. By establishing robust cybersecurity and software update management systems, manufacturers can ensure the safety and security of their vehicles and improve consumer confidence in their products.