What are R155/R156 regulations and how can TEEs help automotive OEMs meet them?

As the Internet of Things [IoT] car space continues to grow at pace, with 2.5 billion connected devices expected in vehicles by 2030, so too does the threat of cyberattacks committed against them. In fact, a recent study revealed that, in 2022, the number of Application Programming Interface [API]-related cyberattacks soared by 286% quarter on quarter, compared with the previous year.

What is R155 and R156?

In response to the challenge, the Global Forum for Harmonization of Vehicle Regulations of the United Nations Economic Commission for Europe [UNECE] published two cybersecurity regulations in 2021. These are the UNECE R155 Cyber Security and Cyber Security Management System [CSMS], and the R156 Software Update and Software Update Management Systems [SUMS].

While R155 and R156 have both been in force for the approval of new vehicle types since July 2022, they are set to be applied to all vehicles produced from July 2024 onwards. As such, vehicle Original Equipment Manufacturers [OEMs] need to comprehend exactly what R155 and R156 requirements are, and what they must do to ensure they are compliant and achieve Type Approval for their new vehicle launches without avoidable delays.

What is the difference between R155 and R156, and what are their key points?

The new UNECE R155 and R156 regulations stipulate specific requirements for different areas of vehicle cybersecurity.

R155 is focused around providing uniform provisions for vehicle cybersecurity and cybersecurity management systems. Under the regulation, automotive OEMs are required to set up and implement a management system that helps protect the integrity of vehicle cybersecurity. In this way, R155 is designed to ensure cybersecurity at an organizational level, mandating that cybersecurity principles permeate throughout the business as a whole, including its supply chain, as well as its processes.

In essence, it aims to move cybersecurity from simply being an activity within the OEM, to a central philosophy of the company. It is also important to know that R155 covers the entire vehicle life cycle and not just the stages up to the Start of Production [SOP]. However, core elements are also centered around the vehicle itself and Type Approvals, and on ensuring the design of the vehicle architecture, risk assessment, and implementation of adequate security controls.

Meanwhile, R156 covers uniform provisions for vehicle software updates and software update management systems. It requires OEMs to implement, at an organizational level, a range of core processes. These include processes for:

  • Configuration control to record the hardware and software versions relevant to a specific vehicle type, including integrity validation data for the software
  • Identifying the software and hardware on a vehicle relevant to a specific UN regulation and tracking if that software changes
  • Verifying the software on a vehicle component and validating it is the version that should be there
  • Identifying interdependencies of systems, especially with regard to software updates
  • Identifying target vehicles and verifying their compatibility with an update
  • Assessing if a software update will affect Type Approvals or other legally defined parameters for a given target vehicle
  • Assessing whether an update will impact the safety or safe driving of a vehicle
  • Informing consumers of updates
  • Documenting all of the above, making it available for inspection at an audit
  • Ensuring the cybersecurity of software updates before they are implemented into a vehicle

What is the difference between R155 and ISO 21434?

Although R155 and R156 represent significant steps forward for automotive cybersecurity, they aren’t the first pieces of legislation put forward to encourage OEMs to ensure that connected vehicles are secure.

For example, ISO 21434 ‘Road Vehicles – cybersecurity engineering’ was rolled out by the International Organization for Standardization [ISO] alongside the Society of Automotive Engineers [SAE] in 2021. Building on its predecessor – ISO 26262 – this standard aims to tackle the cybersecurity risks that are inherent in the design and development of car electronics.

It gives automakers updated guidelines for security management, the security-related activities they are expected to continue carrying out, as well as risk assessment and mitigation methods.

While both are aimed at bolstering cybersecurity, UN R155 differs significantly from ISO 21434. This is because 21434 doesn’t explicitly specify processes that OEMs should conduct, instead requiring compliance and the establishment of work products to ensure compliance.

R155, meanwhile, requires the establishment and implementation of a management system that focuses on cybersecurity across the vehicle – the CSMS. While R155 explicitly references and overlaps with ISO 21434, it is important to make this distinction between them.

Are automakers required to comply with R155/R156?

While there are many reasons why automakers should comply with R155 and R156, the most obvious is that doing so is essential for securing Type Approval and, therefore, market access in the 64 countries where UNECE regulations are enforced.

In addition, failure to fully embrace the regulations could result in other costly penalties and fines, and badly damage an OEM’s brand reputation – particularly if a cyberattack has a widespread impact on customer data.

OEMs are free to meet the needs of R155 and R156 by any means – but for practical purposes, they need to leverage software platforms and technologies that are already proven to be robust and that are amenable to, and welcome, inspection by regulators.

How TEEs facilitate compliance with R155 and R156

As the provider of Kinibi, the industry-leading Trusted Execution Environment [TEE], Trustonic has the solution to support OEMs in achieving compliance with R155 and R156. Furthermore, Kinibi provides OEMs with a robust foundation to build a wide range of secure applications and services across the vehicle architecture.

Kinibi has been certified against a Common Criteria protection profile defined by GlobalPlatform to EAL5+, the highest-level certification for any Secure Operating System.

Our TEE has been deployed in over 25 million vehicles, sitting at the heart of the next generation of secure vehicles, and provides OEMs with the flexibility they need to protect sensitive data and secret keys.

To learn more about how Kinibi can enable you to remove risk and enhance security for your vehicles, contact us now.
