What are R155 and R156 regulations and how & why they impact the automotive sector?
As the Internet of Things [IoT] car space continues to grow at pace, with 2.5 billion connected devices [including pre and post fit] expected in vehicles by 2030 – so too does the threat of cyberattacks committed against them. In fact, a recent study revealed that, in 2022, the number of Application Programming Interface [API] related cyberattacks soared by 286% quarter on quarter, compared with the previous year.
In response to the challenge, the Global Forum for Harmonization of Vehicle Regulations of the United Nations Economic Commission for Europe [UNECE] published two cybersecurity regulations in 2021. These are the UNECE R155 Cyber Security and Cyber Security Management System [CSMS], and the R156 Software Update and Software Update Management Systems [SUMS].
While R155 and R156 have both been in force for the approval of new vehicle types since July 2022, they are set to be applied to all vehicles produced from July 2024 onwards. As such, vehicle Original Equipment Manufacturers [OEMs] need to comprehend exactly what R155 and R156 requirements are, and what they must do to ensure they are compliant and achieve Type Approval for their new vehicle launches without avoidable delays.
What’s the difference?
Despite their similar names, R155 and R156 are designed to address different areas of vehicle cybersecurity.
R155 is focused around providing uniform provisions for vehicle cybersecurity and cybersecurity management systems. Under the regulation, automotive OEMs are required to set up and implement a management system that helps protect the integrity of vehicle cybersecurity. In this way, R155 is designed to ensure cybersecurity at an organizational level, mandating that cybersecurity principles permeate throughout the business as a whole, including its supply chain, as well as its processes.
In essence, it aims to move cybersecurity from simply being an activity within the OEM, to a central philosophy of the company. It is also important to know that R155 covers the entire vehicle life cycle and not just the stages up to the Start of Production [SOP]. However, core elements are also centered around the vehicle itself and Type Approvals, and on ensuring the design of the vehicle architecture, risk assessment, and implementation of adequate security controls.
Meanwhile, R156 covers uniform provisions for vehicle software updates and software update management systems. It requires OEMs to implement, at an organizational level, a range of core processes. These include processes for:
- Configuration control to record the hardware and software versions relevant to a specific vehicle type, including integrity validation data for the software.
- Identifying the software and hardware on a vehicle relevant to a specific UN regulation and tracking if that software changes
- Verifying the software on a vehicle component and validating it is the version that should be there
- Identifying interdependencies of systems, especially with regards to software updates
- Identifying target vehicles and verifying their compatibility with an update
- Assessing if a software update will affect Type Approvals or other legally defined parameters for a given target vehicle
- Assessing whether an update will impact the safety or safe driving of a vehicle
- Informing consumers of updates
- Documenting all of the above, making it available for inspection at an audit
- Ensuring the cybersecurity of software updates before they are implemented into a vehicle
While there are many reasons why automakers should comply with R155 and R156, the most obvious is that doing so is essential for securing Type Approval and, therefore, market access in the 64 countries where UNECE regulations are enforced. In addition, failure to fully embrace the regulations could result in other costly penalties and fines, and badly damage an OEM’s brand reputation – particularly if a cyberattack has a widespread impact on customer data.
How TEEs fit in
OEMs are free to meet the needs of R155 and R156 by any means – but for practical purposes, they need to leverage software platforms and technologies that are already proven to be robust, are amenable, and welcome inspection by regulators.
As the provider of Kinibi, the industry leading Trusted Execution Environment [TEE], Trustonic has the solution to support OEMs in achieving compliance with R155 and R156. Furthermore, Kinibi provides OEMs with a robust foundation to build a wide range of secure applications and services across the vehicle architecture. Kinibi has been certified against a Common Criteria protection profile defined by Global Platform to EAL5+, the highest level certification for any Secure Operating System.
Our TEE has been deployed in over 25 million vehicles, sitting at the heart of the next generation of secure vehicles, and provides OEMs with the flexibility they need to protect sensitive data and secret keys.
To learn more about how Kinibi can enable you to remove risk and enhance security for your vehicles contact us now and to find out more about R155 and R156 regulations, download our latest whitepaper here.