This article is the first episode of a new series covering hot topics of cyber security to be addressed by automotive stakeholders for meeting required compliance levels and implementing best security practices.
As introduced in one of our previous articles (see UNECE WP.29 / R155 – How Cyber Security will impact the automotive market as of June 2022), new UN ECE R155 regulation for addressing cyber security concerns of road vehicles entered into force in June 2021, and will become partly mandatory from July 2022 for all vehicle manufacturers (requirement for full compliance scheduled for July 2024).
As stated by the regulation itself, those new rules are imposed by homologation authorities to the Vehicle Manufacturers only. However, some parts of those are addressing security aspects across full supply chain, and therefore will also impact each and every supplier of security-critical elements. It is then up to the responsibility of vehicle type approval applicants to derive relevant requirements for their own suppliers, to collect a sufficient amount of evidence for proving their capabilities to develop, operate and maintain the security of supplied elements throughout the entire vehicle lifecycle (see figure below).
The figure above introduced the two sides of cooperation that vehicle manufacturers have to consider, as well as the two dimensions of requirements:
OEM to Approval Authorities
-
- OEMs have to demonstrate evidence of Cyber Security Management System (CSMS = process framework for handling vehicle related cyber risks throughout entire vehicle lifecycles)
- Based on established and approved CSMS, OEM have to demonstrate vehicle type specific evidence proving reasonable mitigation measures for cyber risks related to their products (e.g. consistent risk assessment, pertinent mitigation measures etc.)
OEM to its suppliers
-
- OEMs have to define relevant cyber security requirements to be spread to their suppliers for ensuring end-to-end security across the supply chain
- OEMs are responsible for qualifying / approving their suppliers for providing security compliant products and services
- OEMs are responsible for securing the alignment of shared activities with suppliers, typically through interface agreements
Vehicle manufacturers shall therefore be aware that the relative flexibility they have with their way of handling suppliers might ultimately have a strong impact for their vehicle type approval processes. State-of-the-Art methods and best practices for complying with UN ECE R155, mainly through the application of ISO/SAE 21434 as guidance will be deeply described through future episodes of that series
Further scheduled episodes:
-
- Cyber Security for Road Vehicles – EP.2 – A management system story
- Cyber Security for Road Vehicles – EP.3 – From organizational compliance to vehicle type approval
- Cyber Security for Road Vehicles – EP.4 – How certifications might support homologations
- And even more to come…
How CertX can support your roadmap for compliance
As a recognized certification body across the automotive industry, CertX can support your organization in several ways, depending on your maturity and position across supply chains. Below a brief summary of the services which are provided by our Cyber Security Team:
Educational support for engineers and managers
-
- Awareness training: tailored sessions / workshops on cyber security related activities and technics for getting a strong understanding of the State-of-the-Art
- Certifiable training: ISO/SAE 21434 Automotive Cyber Security Red Belt (A-CSRB)
Gap Analysis and pre-assessment for identifying weak spots
-
- Evaluation of your current compliance with ISO/SAE 21434 and/or UN ECE R155 requirements on either organizational level (CSMS) or product level (product-specific artefacts)
- For OEM to prepare compliance audit with homologation authorities
- For suppliers readiness with upcoming requirements from OEM
Supporting services for CSMS design & implementation, and product security compliance
-
- Support for implementing new way of working, integrating cyber security practices based on new processes, documents and tools
- Usually based on initial gap analysis results / findings
ISO/SAE 21434 – CSMS, process or product certifications
-
- Independent and recognized evaluation of your management system, process framework or product-specific artefacts for getting official ISO/SAE 21434 certifications
- Scope is up to your position in the supply chain and your strategic objectives
If you have any questions about the new regulatory situations around cyber security for the automotive industry, or any other open points about how the application of relevant standards and certification could be used for compliance, please do not hesitate to contact our cyber security experts