UN Regulation No. 155: Cybersecurity for Vehicles – Key Highlights

This document outlines UN Regulation No. 155, which sets uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management systems (CSMS). Officially titled “Uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management system,” this regulation, identified as [2021/387], came into force on January 22, 2021. It is crucial to refer to the official UN/ECE texts for legal effect, specifically document TRANS/WP.29/343 for the latest status and entry into force details.

This regulation is primarily a documentation tool; the authentic and legally binding texts are found in ECE/TRANS/WP.29/2020/79, ECE/TRANS/WP.29/2020/94, and ECE/TRANS/WP.29/2020/97.

Scope of the Regulation

The regulation applies to vehicles of Categories M and N concerning cybersecurity. It also extends to Category O vehicles if they are equipped with at least one electronic control unit. Furthermore, it includes vehicles in Categories L6 and L7 that possess automated driving functionalities from level 3 onwards, as defined by WP.29 guidelines (ECE/TRANS/WP.29/1140). It’s important to note that this regulation does not override other UN regulations or national laws regarding vehicle access, data, functions, and privacy. It also does not supersede legislation concerning replacement parts and components related to cybersecurity.

Key Definitions

Several important terms are defined within the regulation to ensure clarity and consistent application:

• Vehicle type: Vehicles that do not differ in manufacturer’s designation and essential electric/electronic architecture aspects relevant to cybersecurity.
• Cybersecurity: The state where vehicles and their functions are protected from cyber threats targeting electrical or electronic components.
• Cybersecurity Management System (CSMS): A systematic, risk-based approach defining organizational processes and responsibilities to manage cyber threats and protect vehicles from attacks.
• System: A set of components and/or subsystems performing specific functions.
• Development phase: The period before a vehicle type receives type approval.
• Production phase: The duration of a vehicle type’s production.
• Post-production phase: The period after production ceases until the end-of-life of all vehicles of that type.
• Mitigation: A measure to reduce risk.
• Risk: The potential for a threat to exploit vehicle vulnerabilities and cause harm.
• Risk Assessment: The process of identifying, analyzing, and evaluating risks to determine acceptability.
• Risk Management: Coordinated activities to control an organization concerning risk.
• Threat: A potential cause of an unwanted incident that can harm a system or individual.
• Vulnerability: A weakness in an asset or mitigation that threats can exploit.

Application for Approval and Documentation

Vehicle manufacturers must apply for vehicle type approval regarding cybersecurity. The application requires detailed documentation, including a description of the vehicle type as per Annex 1 and a Certificate of Compliance for CSMS. Confidential information, such as intellectual property, will be treated as such, but sufficient data must be provided for proper checks. Documentation is divided into two parts:

• Formal documentation package: Contains material specified in Annex 1, used as the primary reference for approval, and kept for at least 10 years post-production.
• Additional material: Relevant supporting information, retained by the manufacturer but available for inspection during type approval, and also kept for at least 10 years post-production.

Marking and Approval Process

Approved vehicles must bear an international approval mark. This mark includes a circle with the letter ‘E’ indicating approval and a number denoting the approving country, followed by the regulation number (155 R) and the approval number. The mark must be legible and indelible, usually placed near the vehicle data plate.

Approval Authorities grant type approval only to vehicles meeting the regulation’s cybersecurity requirements. The approval process involves:

• Document checks: Verifying manufacturer measures for supply chain risk management, risk assessments, implemented mitigations, attack detection and response, and data logging.
• Vehicle testing: Sampling-based tests to verify the implementation of documented cybersecurity measures, focusing on high-risk areas.

Approval can be refused if manufacturers fail to meet requirements, such as not conducting thorough risk assessments, not implementing proportionate mitigations, not securing aftermarket software environments, or lacking sufficient testing. Insufficient information provided to Approval Authorities can also lead to refusal.

Certificate of Compliance for Cybersecurity Management System (CSMS)

Contracting Parties appoint an Approval Authority to assess manufacturers’ CSMS and issue a Certificate of Compliance. Manufacturers must apply for this certificate, providing CSMS documentation and a signed declaration. They must demonstrate that their processes comply with all cybersecurity requirements. A Certificate of Compliance for CSMS, as described in Annex 4, is granted upon satisfactory assessment and declaration. This certificate is valid for a maximum of three years and can be verified or withdrawn if requirements are not maintained. Manufacturers must inform the Approval Authority of any changes affecting the CSMS relevance, potentially requiring new checks. Renewal or extension of the certificate requires re-application and assessment before expiry. Expiry or withdrawal of the CSMS certificate is considered a modification of approval and may lead to vehicle type approval withdrawal.

Cybersecurity Management System (CSMS) Requirements

The regulation mandates that vehicle manufacturers have a functioning CSMS covering development, production, and post-production phases. This system must ensure security is adequately considered, including risks and mitigations outlined in Annex 5. Key aspects of the CSMS include processes for:

• Managing cybersecurity within the organization.
• Identifying risks to vehicle types, considering threats in Annex 5 and other relevant threats.
• Assessing, categorizing, and treating identified risks.
• Verifying appropriate risk management.
• Testing vehicle type cybersecurity.
• Keeping risk assessments current.
• Monitoring, detecting, and responding to cyberattacks, threats, and vulnerabilities, and assessing mitigation effectiveness.
• Providing data to support cyberattack analysis.

The CSMS must ensure that cyber threats and vulnerabilities requiring manufacturer response are mitigated within a reasonable timeframe and that monitoring is continuous, including vehicles post-registration. This monitoring should include capabilities to analyze vehicle data and logs for threat detection while respecting privacy rights. Manufacturers must also demonstrate how their CSMS manages dependencies with suppliers and service providers.

Vehicle Type Requirements

Manufacturers must possess a valid CSMS Certificate of Compliance relevant to the vehicle type. They are responsible for identifying and managing supplier-related risks. A comprehensive risk assessment is mandatory for each vehicle type, considering individual elements, interactions, and external systems, as well as threats listed in Annex 5 Part A and other relevant risks. Vehicle types must be protected against identified risks through proportionate mitigations, including those in Annex 5 Parts B and C. If these mitigations are insufficient or irrelevant, manufacturers must implement alternative appropriate measures. Dedicated environments for aftermarket software, services, or data must be secured. Manufacturers must conduct thorough testing to verify the effectiveness of implemented security measures before type approval. Measures must be in place to detect and prevent cyberattacks, support threat monitoring, and provide data forensic capabilities. Cryptographic modules should adhere to consensus standards, or justification must be provided for non-standard modules.

Reporting and Modifications

Manufacturers must report annually (or more frequently if needed) to the Approval Authority on monitoring activities, including new cyberattacks and the ongoing effectiveness of mitigations. Authorities verify this information and can require remedial actions. Insufficient reporting or response can lead to CSMS withdrawal. Modifications affecting cybersecurity performance or documentation must be notified to the Approval Authority. The authority may confirm compliance, require further assessment, or refuse approval. Extensions or refusals are communicated via forms conforming to Annex 2.

Conformity of Production and Penalties

Conformity of Production procedures must align with Schedule 1 of the 1958 Agreement. Manufacturers must maintain records of conformity tests for a period agreed with the Authority, not exceeding 10 years post-production. Approval Authorities can verify conformity control methods, typically every three years. Approvals can be withdrawn for non-compliance or if sample vehicles fail to meet requirements. Authorities must notify Contracting Parties of any approval withdrawals. If production ceases, the manufacturer must inform the granting authority, who then informs other Contracting Parties with a “PRODUCTION DISCONTINUED” annotation on the approval form.

Technical Services and Approval Authorities

Contracting Parties must communicate the names and addresses of Technical Services and Type Approval Authorities to the United Nations Secretariat. This ensures proper communication regarding approvals, extensions, refusals, or withdrawals across different countries applying this regulation.