What is UNECE R155, and why is it so important in 2023?

At a time when the automotive industry is being turned upside down by the rapid emergence of autonomous vehicles and advanced vehicle technology, UNECE Guideline R155 has taken on a crucial role. This regulation, introduced by the United Nations Economic Commission for Europe (UNECE), aims to ensure the safety and integrity of vehicle systems. In doing so, it is creating significant new demands in an industry that has traditionally made rather leisurely progress, requiring rapid development and implementation of solutions, some of which are still in their infancy.

UNECE R155 also sets out extremely specific requirements for car manufacturers. This includes risk management, establishing an effective cybersecurity management system, and controlling software updates. All of these elements are critical to meeting the challenges of cybersecurity in an increasingly connected automotive world.

Through its comprehensive requirements, UNECE R155 actively contributes to the improvement of vehicle safety and strengthens customer confidence in the car as a product. This is becoming increasingly important as cars become more and more "connected cars," which offer myriad new opportunities but also bring new cybersecurity risks. Through UNECE R155, manufacturers are encouraged to address these risks and take proactive measures to ensure vehicle safety. Of course, this also has its price, brings new challenges and strengthens the learning process of all stakeholders involved. Let's take a closer look at some aspects of this new directive.

Marc

Marketing Professional

28.06.23

Approx. 18 min


The challenges of liability over the life of a vehicle and how UNECE R155 deals with them.

Liability for the safety of a vehicle throughout its lifetime is one of the greatest challenges facing the automotive industry. However, a possible solution has emerged in the form of UNECE R155. The directive requires manufacturers to take responsibility for the cybersecurity of their vehicles – from design to disposal. They also need to introduce systematic measures to prevent cyberattacks throughout the entire lifecycle of the vehicle.

For example, specific measures required by UNECE R155 include conducting regular risk assessments and penetration tests to identify and address potential vulnerabilities. In addition, the directive requires that manufacturers implement mechanisms to detect and respond to security incidents and establish a robust software update management system to ensure that vehicles are always equipped with the latest and safest software.

The potential cyberattacks to which vehicles could be exposed are many and can have serious consequences. A well-known example is the “Grand Cherokee Hack,” in which hackers demonstrated at the 2015 Black Hat conference how they could remotely take control of a vehicle. However, there are other types of attacks, such as intrusion into vehicle communication systems or tampering with software updates, that the UNECE R155 requirements are designed to prevent.

There have been a number of recent incidents that underscore the importance of UNECE R155. For example, several reports of successful cyber attacks on vehicles have highlighted the urgency of an effective cyber security strategy in the automotive industry.

The comprehensive requirements of UNECE R155 encourage manufacturers to address these risks and take proactive measures to ensure vehicle safety. This benefits the most important stakeholders in the whole chain: the customers, to whom the industry wants to sell vehicles that are not only fun and usable for a long time, but also safe in the long term.

The role of Software Update Management Systems (SUMS) in the implementation of UNECE R155/156.

Software Update Management Systems (SUMS) are more than just a technical necessity in the age of connected vehicles. They are a critical tool for ensuring safety and, to be precise, for implementing UNECE R156, and they are also required to implement Directive R155. But how do they work?

In their basic function, SUMS enable vehicle manufacturers to manage and deliver software updates. They can be used to close security gaps, improve performance or add new features. This is achieved through the use of technologies such as Over-The-Air (OTA) updates, which allow software updates to be installed wirelessly without physical access to the vehicle. This ensures that all vehicles are up to date and meet the latest safety standards.

The times when visits to the car repair shop were necessary to read out error codes in the control units or to perform software updates are largely over. The vast majority of relevant updates take place “over-the-air”.

SUMS therefore not only help to improve vehicle safety by ensuring that potential security gaps can be closed quickly. They also enable improved customer support by providing new features and optimizing vehicle performance. One example is the management of entire vehicle fleets, where individual errors or attack patterns can be detected and corrected. With an over-the-air update, the fleet manager can subsequently update and secure not just an entire fleet: the entire vehicle type can be centrally provided with new updates and safety measures, if necessary even on a manufacturer-wide basis.

However, there are challenges associated with implementing and using SUMS. They require significant upfront investment from the automotive and supplier industries, both in the development of the systems themselves and in the infrastructure needed to deploy and maintain them. Added to this is the pressure of increasing competition, especially from the entry of Chinese automakers into the European market, which is intensifying the price war.

Despite these challenges, it is clear that the benefits of SUMS and their role in implementing UNECE R155 make them an indispensable component in the modern automotive industry. Investments in these technologies are investments in safety – a priority that should always be at the forefront, despite the cost.

However, it is important to note that not all parts of a vehicle can be brought up to UNECE R155 standards through a SUMS. There will always be cases where an over-the-air software update is not the optimal solution, for example when hardware components are affected. This may require hardware changes or updates that need to be performed in a workshop.

Also, compliance with some aspects of UNECE R155, such as physical security and tamper resistance, may require specialized hardware or additional physical security measures. This is an important aspect of the policy that serves to provide an additional layer of security and further minimize the risk of cyberattacks.

Overall, UNECE R155 ensures that both vehicle software and hardware meet the highest possible safety standards. And while SUMS play a critical role in the implementation of this directive, it is imperative to understand that they are only one part of the larger picture.

The positive influence of UNECE R155

The far-reaching impact of UNECE R155 on vehicle safety is undeniable, despite the lack of specific statistics. The directive has undoubtedly raised new awareness of the importance of cybersecurity in the automotive industry. Given the ever-increasing level of connectivity and the growing number of software components in modern vehicles, the risk profile has changed dramatically. This has increased vulnerability to cyberattacks and makes the requirements of UNECE R155 all the more relevant.

Although there is as yet no, or only very marginal, data demonstrating a direct reduction in cyberattacks due to UNECE R155, there is a growing body of evidence that the policy is having a positive impact. For example, the introduction of UNECE R155 has prompted the automotive industry to assess cybersecurity risks more seriously and invest more resources in protecting its vehicles. Rethinking and updating the existing mindset of an industry whose beginnings were far removed from cybersecurity risks, hacker attacks and perpetual software maintenance is worth quite a bit. Above all, it benefits the most important point of all: the safety of motorists.

In short, although the specific impact of UNECE R155 has yet to be fully captured, it is undeniable that the directive is having a profound impact on the automotive industry and helping to improve the safety and reliability of modern vehicles.

It is significant that the image of carefree drivers is almost cliché: free from worry about dangerous intrusions into the vehicle’s cybersecurity, simply enjoying driving. UNECE R155 is intended to make this possible again.

The advantages and disadvantages of UNECE Directive R155 from the point of view of the automotive industry

UNECE R155 brings both advantages and disadvantages for the automotive industry. It creates uniform safety standards and strengthens consumer confidence in vehicle safety. This is demonstrated, for example, by the Nuuk Cargopro electric motorcycle, which was the first vehicle ever to receive the “cyber safe” seal after passing the EUROCYBCAR test. Although UNECE R155 does not currently cover motorcycles, this move is groundbreaking and points to the increasing importance of cybersecurity in all classes of vehicles.

UNECE R155 also promotes a proactive approach to cybersecurity. It is forcing the automotive and supplier industry to act with foresight and find future-oriented solutions. Such a proactive attitude is demonstrated, for example, by compliance with the ISO 21434 standard, which serves as the preliminary work for UNECE R155 – even though this is definitely “outsourcing” in a sense, since the responsibility for compliance with the regulations is transferred to the supply chain. Not all suppliers will be able to offer this, and companies previously outside the industry will have to deal with new criteria and requirements of the UNECE directive.

Despite what can be considered positive aspects overall, compliance with UNECE R155 also brings challenges. For example, automakers must invest significant resources in developing and maintaining cybersecurity measures and SUMS. This includes financial expenditures as well as the deployment of specialists and know-how.

Another critical issue is the extensive documentation and traceability required by the directive. This can involve additional administrative tasks and requires detailed knowledge and skills in the areas of IT security and compliance. The aim is not only to ensure the current safety of the vehicle, but also to keep an eye on future developments. In the larger context, however, this is by no means to be seen as a disadvantage: it would be extremely negligent to bring vehicles that in some cases weigh several tons into road traffic without efficient safeguarding in all relevant aspects. So the new directives do a good job here and increase safety in the vehicle, for users and for traffic as a whole. Nevertheless, this means additional work for suppliers and OEMs that cannot be dismissed out of hand and is not yet clear in all respects.

This can be seen, for example, in the experience gathered to date: there are simply no vehicles yet built to UNECE R155 requirements that have already reached the end of their life cycle. Therefore, there is also no experience of how these vehicles can be safeguarded over the entire period of use: Who will still know in 20 years’ time which technology, which algorithm, which programming language was used, and be able to operate it? Can such old technology even stand up to new developments? How long can such a vehicle be in operation, keyword classic car? And how does the industry dispose of the vehicles in accordance with the directive? After all, even a decommissioned vehicle may have interfaces that lead directly to manufacturer portals and could be an entry point for malicious activity.

In addition, the question remains open as to what the future of vehicle safety will look like in technological terms. With the inevitable arrival of quantum computers and increasingly sophisticated hacking programs, it is necessary to constantly develop innovative solutions to ensure vehicle security. For example, hardware-based keys with a true random number generator or post-quantum algorithms could be used, which are already in use today. But whether these can be a final answer to these future-tech questions is at least uncertain.

UNECE R155 is thus an admittedly important step towards a safer and more responsible automotive industry. But it also places high demands on the industry and leaves some questions unanswered that only the future can answer. Nevertheless, the road to greater cybersecurity in vehicles is inevitable and UNECE R155 makes a significant contribution to this goal. Particularly in the context of growing networking and digitalization, cybersecurity measures are proving indispensable, and the standard forces the automotive industry to deal intensively with the topic of cybersecurity and to continuously stay at the cutting edge of technology.

Future developments and challenges of UNECE Directive R155

UNECE R155 is an important step towards safer vehicles. But technology is evolving rapidly, and with it the associated security risks. In the future, stricter or expanded guidelines may be needed to keep up with these developments, although that is hard to say out loud, given how obviously the industry is still gasping for air at the moment when it comes to UNECE R155.

In addition, the automotive industry must find ways to make compliance with UNECE R155 efficient and cost-effective. This could be achieved by using artificial intelligence and machine learning to detect and defend against cyber attacks. Topics such as predictive maintenance and generative A.I. are becoming increasingly important in order to ideally detect problems before they occur, prevent them and eliminate them via updates.

Predictive analytics and generative A.I. are still more buzzwords than actual technology, but are nevertheless on the rise.

In addition to technical skills, it will be particularly important to develop new business models that enable recurring revenue. Put simply, this could mean: The industry is moving away from the pure accumulation of physical composites, away from the pure “metal construct car”, towards a continuously maintained value proposition that is realized with state-of-the-art software and can (also) run on a car.

Cognizant Mobility has also positioned itself accordingly in some of these relevant fields concerning UNECE R155 in order to address these industry-wide common challenges. The Nuremberg site, headed by security specialist Martin Böhner, already offers services both in the area of risk assessment (and penetration testing, if required) prescribed by UNECE R155 and in the creation of future-proof cybersecurity concepts. The general safeguarding of vehicle systems also includes, for example, E/E system safeguarding as part of vehicle development – a prominent example of this is currently the Holon People Mover, a fully autonomous minibus that works in tandem with high-end A.I. assists such as VERA (very enhanced road assist), and will be unveiled to the general public at IAA Mobility 2023. ISO SAE 21434, which is relevant for suppliers, is also well known to the company, which has traditionally worked primarily for well-known OEMs and Tier 1 suppliers, but has always distinguished itself by its ability to think outside the box and a high degree of flexibility.

Ultimately, it is this potential flexibility for industry to adapt to and implement the requirements of UNECE R155 that will be critical to ensuring consumer confidence in the safety of their vehicles. New players will re-emerge, especially in 2023, and others will struggle to keep pace: UNECE R155 is more groundbreaking than often assumed, and from the supplier to the traditional OEM, the Darwinian concept of evolution will once again set the course in favor of whoever is already developing tomorrow’s security today.