This article is the fourth and last episode of a blog series covering cyber security trends and best practices that automotive stakeholders need to address in order to implement state-of-the-art techniques and meet the required compliance levels.
EP.1 of this blog series introduced the new cyber security requirements (especially regarding the impact on suppliers) that vehicle manufacturers have had to fulfill when applying for new type approvals since June 2022, while EP.2 described the approval procedures with road vehicle authorities. EP.3 developed the concept of the Cyber Security Management System (CSMS), which represents the key process foundation for handling cyber risks related to road vehicles. This last episode focuses on requirements related to specific vehicle types.
Vehicle Type Approval: before June 2024 vs after June 2024
As introduced in previous episodes, since June 2022 a CSMS certificate has been required from manufacturers as a prerequisite for any Vehicle Type Approval (VTA) request. Clearly, CSMS-related processes only recently established by manufacturers cannot be demonstrated for new vehicle programs (typically spread over 4-5 years) initiated earlier than 2020 (the official release of the new cyber security rules).
To cope with that transition period, authorities comprehensively defined a 2-year period until June 2024 during which manufacturers have some room to demonstrate partial enforcement of their CSMS practices, by providing argumentation about how they handle the UN ECE R155 – Annex 5 threats, as well as about the potential irrelevance of any of them to the specific vehicle type to be approved.
Vehicle Type Approval: Security-related requirements & information document
Based on a valid CSMS Certificate of Compliance (CSMS-CoC), manufacturers have to deliver, for each new vehicle type to be approved, a set of evidence demonstrating its security.
The following elements should be reflected during this phase:
- Identification and management of supplier-related risks, typically based on a Statement-of-Work (SoW), interface agreements and/or any other way of contractually aligning security activities and security-critical vehicle capabilities along the supply chain, and covering the entire vehicle lifetime
- Identification and evaluation of cyber threats related to the vehicle’s critical elements, including its interactions with external systems (e.g. backend servers for OTA update, manufacturer’s cloud, mobile applications…). The minimal list of threats to be considered is documented in UN ECE R155 – Annex 5 [Part A], but shall be extended to any other relevant risks
- Identification, evaluation and testing of the security mitigations (= security controls) in place to protect the vehicle against the threats previously identified. A high-level list of mitigations is documented in UN ECE R155 – Annex 5 [Part B & Part C], respectively for threats targeting vehicles and threats considered as coming from the outside world (e.g. backend servers for OTA update…)
- Documentation related to measures for maintaining the vehicle's security in the field, including the following capabilities:
  - Monitoring & detection of threats, vulnerabilities and cyber-attacks against the vehicle type
  - Prevention & incident response for addressing potential security-related issues in the field
  - Data forensics for enabling analysis of attempted or successful cyber-attacks
Those elements have to be shared with authorities as evidence of compliance, based on the following nomenclature:
Last but not least, specific considerations apply to cryptographic modules. Those implemented within the vehicle scope should be in line with consensus standards, or otherwise be justified in the information document.
After the information documents have been delivered, the authorities will initiate their assessment and audit phases to evaluate the relevance of the vehicle documentation against the regulation’s requirements, and to challenge the vehicle’s security mitigations. If all findings are positive, the authorities would register the vehicle as a new vehicle type under the name specified by the manufacturer during the application phase.
As mentioned several times throughout this blog series, the world of cyber security is highly dynamic and the threat landscape will continuously evolve in parallel with vehicle technologies. In that context, a one-off evaluation of vehicles’ capabilities and protection levels would not be a reasonable way of maintaining the supervision of secure vehicles on public roads. To cope with these considerations, manufacturers have to regularly report security-related information to authorities in order to maintain their CSMS and related vehicle types.
Provisions reporting: How to keep an active VTA?
The vehicle manufacturer shall report at least once a year, or more frequently if relevant, to the authorities the outcome of their monitoring activities. This shall mainly include relevant information on new cyber-attacks. The vehicle manufacturer shall also report and confirm to the authorities that the cyber security mitigations implemented for their vehicle types are still effective and any additional actions taken.
The authorities retain the right to potentially withdraw the manufacturer’s CSMS certificate if such reporting is not performed in a reasonable way by the organization, or if a specific request from the authorities (e.g. to remedy a detected ineffectiveness) is not answered with sufficient argument within an acceptable timeframe.
This part closes this blog series about the scope, requirements and procedures of UN ECE R155. More publications about automotive security, threats and trends will come soon, stay tuned!
CertX is your partner for meeting the UN ECE R155 and/or ISO 21434 standards.
If you have any questions about the new regulatory situations around cyber security for the automotive industry, or any other open points about how the application of relevant standards and certification might be used for compliance, please do not hesitate to contact our cyber security experts: