Cloud Security | Jan Kahmen | 6 min read

The UNECE WP.29 Regulations for Cyber Security

New rules regarding software updates for connected vehicles have been in force since the beginning of 2022. These requirements put cyber security in a new light for the automotive industry as well.

WP.29: The World Forum for Harmonization of Vehicle Regulations

WP.29 is a working group of the World Forum for Harmonization of Vehicle Regulations. In this context, the Inland Transport Committee (ITC) and the United Nations Economic Commission for Europe (UNECE) pursue different tasks.
One of the aims of UNECE WP.29 is to simplify international trade by establishing a uniform regulatory system for vehicle construction. At the same time, regulations such as UNECE R155 aim to harmonize and further develop technical regulations. The legal framework of WP.29 from 1958, 1997 and 1998 forms the basis for this.
An important task of UNECE WP.29 is also to regulate innovative vehicle technologies in order to continuously improve vehicle safety. The UNECE R155 regulation, for example, is used to meet these requirements. In addition to automotive cyber security, other important aspects such as energy consumption and environmental protection are in the foreground. Nevertheless, the focus of the new regulations is primarily on the subarea of cyber security. Thus, the intention is to address deficiencies in current security standards in order to protect drivers and manufacturers alike from cyber criminals.

The WP.29 Regulation in Detail: R155, R156 and R157

The UNECE working group addresses numerous issues, from vehicle safety to environmental protection to energy efficiency. In this context, regulations such as UNECE R155 also refer to security mechanisms designed to ensure improved cyber security.

  • R155: UNECE R155 focuses on the implementation of a cyber security management system. Such systems are crucial for incident response management throughout the vehicle lifecycle. Therefore, the various KPIs in Information Security, such as Mean Time to Contain, make up a key part of this regulation. Additional measures such as a Continuous Vulnerability Scan or pentests are also part of the R155 regulation.
  • R156: While UNECE R155 focuses on cyber security, R156 focuses on software updates. The directive requires a dedicated software update management system and regular security assessments. This should make it possible to keep track of the continuous compatibility of updates.
  • R157: The focus here is on the security of advanced driver assistance systems. These include, for example, the Advanced Driver Assistance System (ADAS) and the Automated Lane Keeping System (ALKS). Both systems require a high level of cyber security and innovative technology. For this reason, UNECE R155 in particular plays an important role here. To ensure the desired Safety of the Intended Functionality (SOTIF), a so-called black box is required. SOTIF is a subarea of technical product safety that deals with the hazards of technical systems.

Almost all innovations in the automotive industry have their origins in increasing digitalization. Modern car IT systems are particularly convenient, but at the same time represent tempting targets for cybercriminals. While most companies already rely on high-quality security concepts, modern cars lack the cybersecurity they need.
UNECE R155 is intended to counter this, for example, through formal regulatory requirements. Thanks to it, cyber security is no longer negotiable, but an important criterion for market access of new vehicles. Therefore, it is necessary to understand these regulations as a common approach to a higher level of security. After all, remotely performed software updates are always associated with a certain level of risk - not only in the automotive industry.

The UNECE WP.29 Regulation R155 for CSMS and its Relevance for Automotive Cyber Security

A particular challenge in implementing UNECE R155 and the other regulations is vehicle type certification. Just like R156 and R157, UNECE R155 relies on good management systems. In this context, manufacturers must implement the cyber security measures required by UNECE R155 on a mandatory basis by July 2024. The automotive industry is therefore faced with numerous changes within a very short period of time.
One bright spot for many manufacturers, however, is that the new UNECE R155 regulations only apply to new vehicles. Models already delivered and sold are not affected.
But despite these challenges, the implementation of UNECE R155 also brings advantages, because it takes into account the entire service life of the vehicle. The combination of individual software solutions and the possibility of data mining allows technical innovations to be driven forward more quickly.
At the same time, regulations such as UNECE R155 eliminate safety concerns. Conversely, this means that vehicle manufacturers can also secure a competitive advantage by implementing the regulations. After all, a high level of cyber security is an important criterion for the trust of potential buyers.

Security in the Automotive Industry: Get Support

UNECE R155, like the other regulations, is of key importance to the automotive industry. Because the requirements of UNECE R155 are extensive, it pays to work with professionals. With our many years of expertise in the field of vehicle safety, we at Turingpoint are happy to assist you in this regard.

