Keys to implementing the new vehicle cybersecurity regulations R155 and R156

Posted date 28/11/2024
Author
INCIBE (INCIBE)

The intention of this article is to present compliance tips and to help understand the new regulation issued by the United Nations Economic Commission for Europe (UNECE) regarding cybersecurity in vehicles.

This regulation comprises two regulations, R155 and R156, which stipulate the cybersecurity requirements that manufacturers must meet in order to obtain type-approval for vehicles to be put on the road in European Union countries.

In this article we present a theoretical use case describing what applying these standards would imply for a generic manufacturer throughout its production process.
 

Design stage

Due to the stiff competition in the industry and the costs of operating competitive vehicle factories, most of the manufacturers in business today are large multinational companies. It is common for these types of companies to have an advanced level of cybersecurity maturity as a starting point for addressing the new regulation. 

Regulations R155 and R156 establish two vehicle cybersecurity approvals, one for the cybersecurity management system and one for the update distribution and application system.

The new regulation stipulates that cybersecurity decisions must be based on proper risk management. The scope of this management must extend from the vehicle to the external servers that interact with it for its operation. 
For example, assume a theoretical case in which the following elements are identified as being within the scope of approval:
 

System | Criticality | Dependencies | Connections | Development and manufacturing
Central control | Critical | N/A | Own server | Internal
Speed and brakes | Critical | Central control | Central control | Internal, with parts from suppliers
Engine cooling | High | Central control | Central control | Provided by third parties
Passenger cooling | Medium | Central control | Central control | Provided by third parties
Radio and multimedia | Low | Central control and external server | External server | Provided by third parties

- Example of risk analysis conclusions (simplified) -

During the risk analysis, the possible effect on these systems of the threats listed in Annex 5 of R155 is studied, especially on those systems identified as critical for the vehicle's functionality.
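One way to turn the inventory table above into something the risk analysis can act on is to walk the dependency and connection relationships and ask which systems a compromised element can reach. The following Python is an added illustration, not code from the article or from INCIBE; the table values are copied as given, and the assumption that a system is exposed by anything it depends on or connects to is ours.

```python
from collections import deque

RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}

# Constructed from the simplified inventory table above: system -> (criticality,
# dependencies, connections). "Own server" and "External server" are upstream
# elements the vehicle talks to, not vehicle systems, so they have no row.
SYSTEMS = {
    "Central control":      ("Critical", [], ["Own server"]),
    "Speed and brakes":     ("Critical", ["Central control"], ["Central control"]),
    "Engine cooling":       ("High", ["Central control"], ["Central control"]),
    "Passenger cooling":    ("Medium", ["Central control"], ["Central control"]),
    "Radio and multimedia": ("Low", ["Central control", "External server"], ["External server"]),
}

def exposure_graph(systems):
    """Invert the table: upstream element -> set of systems directly exposed if it is
    compromised. Assumption: a system is exposed by anything it depends on or
    connects to (the reading behind the 'back-end servers as attack vector' threat)."""
    graph = {}
    for name, (_, deps, conns) in systems.items():
        for upstream in set(deps + conns):
            graph.setdefault(upstream, set()).add(name)
    return graph

def blast_radius(entry_point, systems):
    """Breadth-first walk from a compromised element. Returns the sorted systems
    reached and the highest criticality among them ("None" if nothing is reached)."""
    graph, reached, queue = exposure_graph(systems), set(), deque([entry_point])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    worst = max((systems[s][0] for s in reached), key=RANK.get, default="None")
    return sorted(reached), worst

def rank_entry_points(systems):
    """Every element upstream of some system, worst blast radius first: the order in
    which a risk analysis would prioritise the mitigation measures."""
    entries = {u for _, deps, conns in systems.values() for u in deps + conns}
    rows = [(e, *blast_radius(e, systems)) for e in entries]
    return sorted(rows, key=lambda r: (-RANK.get(r[2], -1), -len(r[1]), r[0]))

if __name__ == "__main__":
    for entry, hit, worst in rank_entry_points(SYSTEMS):
        print(f"{entry}: {len(hit)} system(s) exposed, worst criticality {worst}")
```

With this table the manufacturer's own server ranks first: it reaches central control and, through it, every other system, which is exactly why the back-end threat is rated high impact below.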

For each threat, the estimated impact and probability:

Back-end servers used as a vehicle attack vector
  • Impact: High. With access to the manufacturer's own server, an attacker could gain full access to the vehicle's central control system.
  • Probability: Medium. Attacks on this type of equipment are quite common, but internal servers can be located in safe and secure environments.
Manipulation of vehicle data or code
  • Impact: High. By altering the vehicle's software, an attacker could gain full control of the system.
  • Probability: Medium. Depends on the monitoring and access control systems in place.
Breach of data security during transmission
  • Impact: Medium. An attacker could gain access to sensitive vehicle user data and manufacturer proprietary information.
  • Probability: High. Information is transmitted over external wireless networks by user devices and third-party applications.
Physical manipulation of systems to facilitate an attack
  • Impact: High. An attacker could modify legitimate parts of the vehicle or replace them with arbitrarily manipulated elements.
  • Probability: Medium. Requires physical access to the vehicle and specialized equipment for the attack.

- Example of a threat impact study (simplified) -

Regulation R155 also requires defining the mitigation measures applied for these threats. To this end, it provides relevant measures to minimize the impact of a potential incident. However, the mitigation measures of the regulation are quite general, leaving their interpretation in the hands of each manufacturer.

For each threat, the mitigation measures taken from the regulation (M1, M2, ...) are listed, followed by possible applications of each measure:

Back-end servers used as a vehicle attack vector.

M1: Controls to minimize internal attack risks.
  • Collection and analysis of user activity logs.
  • Implement role and privilege control.
M2: Controls on back-end servers to minimize unauthorized access.
  • Disable unneeded connections to servers.
  • Monitor servers for vulnerabilities and suspicious connections.
M8: Prevent unauthorized personnel from accessing critical data.
  • Grant access to critical information only to specific users.
  • Establish a system for labeling and encrypting critical data, in transit and at rest.

Manipulation of vehicle data or code.

M7: Access control designs and techniques.
  • Separate systems running code from those accessible by the general user.
M14: Measures to protect systems against viruses or malicious software.
  • Software verification during the boot process.
  • Malware detection software.
M18: The principle of least privilege access shall be applied.
  • Elevated credentials or physical connections by specialized personnel will be required to switch to “configuration” mode.

Breach of data security during transmission.

M8: System design and access control will protect against unauthorized access to critical system data.
  • Verify the integrity and authenticity of communications prior to the transmission of critical data.
  • Consider collecting critical information only when the vehicle is being serviced.
M12: Confidential data shall be protected during transmission.
  • Use of encrypted communication protocols.
  • Encryption keys will be stored outside the vehicle in secure repositories.
  • Communications with central servers will be monitored.
  • Confidential user data shall not be transmitted at any time without explicit authorization.

Physical manipulation of systems to facilitate an attack.

M9: Measures shall be employed to prevent and detect unauthorized access.
  • Elements inaccessible from outside the vehicle when the vehicle is locked.
  • Authentication of systems during the start-up process.
  • Warranty labels and locks.

- Example of a mitigation measures study (simplified) -

In order to obtain approval, it is also necessary for the manufacturer to provide information on the security procedures to be followed during post-production:

For each process, the keys to be defined in the procedure:

Incident monitoring and management in the vehicle

  • Will vehicle incidents be integrated into the manufacturer's security alert management and analysis system?
  • How often will security information be received from vehicles, and how will it be transmitted securely?
  • What actions should incident response personnel be able to take on vehicles?

Secure software execution

  • How will the different environments be isolated for each program?
  • How will access to secure environments be protected?
  • Who will have access to the software configuration?

Secure vehicle update

  • Where and how will updates be tested before they are delivered?
  • How will a record of the vehicles to be updated and of the versions installed be maintained? Will vehicles be required to transmit logs?
  • How will the updates be delivered: in a workshop or wirelessly?
  • For wireless updates:
    • How will the update transmission be secured?
    • How will the vehicle verify that it is a genuine update?
    • How will users be notified of the process?

- Keys to be addressed in the new vehicle security procedures (simplified) -

The risk analysis can also be used to define the security requirements to be met by suppliers. In general, manufacturers rely on several suppliers for the different vehicle systems, keeping in-house mainly the assembly, engine, chassis, model-specific elements, and parts too specialized or expensive to be produced externally. Although the new regulation does not stipulate specific requirements for suppliers, it does hold manufacturers responsible for cybersecurity in their supply chain.

Therefore, it is recommended to use the conclusions of the risk analysis as a source of information when defining general cybersecurity requirements for your suppliers and specific requirements for specific equipment and services. 

As can be seen, performing systematic cybersecurity management from the beginning of the project allows the manufacturer to meet the regulatory requirements organically. Close collaboration between the design and cybersecurity teams is therefore recommended, since every compatibility issue and configuration failure solved at the design stage will ease the following stages of the process.
 

Production phase

First, during the production phase, the manufacturer should follow general industrial cybersecurity procedures and good practices for medium and large companies (monitoring procedures, access management, resilience, etc.).

At the level of specific actions for the R155 regulation, the main addition is the need to include verification tests of the mitigation measures in the production process.

The performance of all mitigation measures should be verified through technical tests; the results should be recorded and provided at the time of application for approval.

It is also the right time to collect the other information necessary for the approval process:

  • For R155:
    • Systems included in the vehicle, their components and how they interact with each other.
    • Interfaces and external connections of the vehicle systems.
    • Results of the risk assessment and the risks identified.
    • Mitigation measures implemented.
    • Dedicated secure environments for running software on the vehicle.
    • Documentation of the technical tests performed to verify the operation of the mitigation measures and their outcome.
    • Cybersecurity considerations with respect to the supply chain.
  • For R156:
    • Drawings of the vehicle and its systems.
    • Secure update procedures to be followed, including, for wireless updates, how the user will be notified of the update and of the progress of the update process.
    • Security measures for the protection of vehicle systems and RXSWIN identifiers.

For this purpose, it is advisable to use tools that centralize and manage this information.

It is also advisable to centralize cybersecurity communications in a specific person or team. Having a defined point of contact for the teams to go to in order to resolve doubts during the design and production phases is a very useful tool to reduce the resources spent on communications or duplication of work.

It is also important to establish collaborative relationships with suppliers. In such specialized industrial environments, it is common to have a high technical dependence on suppliers. Establishing collaborative relationships with them and defining cybersecurity responsibilities reduces the workload for both parties while increasing the effectiveness of the relationship and the cybersecurity of the systems.

Post-production phase

There are two different stages in the vehicle post-production phase:

  • Vehicle lifetime: the manufacturer maintains cybersecurity responsibilities during the lifetime of the vehicle. During this stage, two main objectives must be met:
    • Maintain the cybersecurity of the monitored vehicle without compromising user confidentiality.
      The manufacturer must keep its vehicles identified during their useful life. Not only at a statistical level, but also to know the specific vehicles and, at least, which software and hardware version each one has.
      In addition, vehicle security measures should collect and analyze reports of system activity to enable detection of possible attacks. 
      The regulation stresses the importance of ensuring user privacy. New cybersecurity monitoring measures that are introduced should not conflict with this objective. They must also help to ensure that the information that needs to be collected is handled securely, and that the confidentiality of the data is ensured.
    • Monitor and manage cybersecurity vulnerabilities and provide security updates.
      The regulation does not explicitly require local in-vehicle vulnerability detection and management services. Therefore, it would be advisable to implement the procedure externally at the supplier's facilities, relying on the in-use vehicle inventory.
      Special attention should be devoted to the verification and delivery of updates. In particular, the distribution of updates to vehicles in use represents a new challenge for many manufacturers, with new risks such as rendering a vehicle unusable when it is about to be used or is already in operation.
      The simplest option, and the one used so far in some models, is to update only in specialized workshops. But this model is too expensive for regular security updates. Before providing updates directly to vehicles or users without going through a workshop, however, integrity verification, source authentication, update testing and rollback capability should be in place. All of this must be done through processes that inform the average user and that the average user can follow.
  • Retirement and reuse: Given the longevity of cars, it is important that manufacturers define a process for users to follow when ownership of the car changes hands. Unlike regular ICS equipment, it is common for a vehicle to change user or owner several times during its lifetime, either through the second-hand market or through vehicle leasing.
    In these cases, it is necessary to delete, or separate, the data of different users to maintain their privacy. It should also be possible to inform new users of the vehicle's cybersecurity measures and process.
    A similar process should be in place when the vehicle is to be decommissioned. The manufacturer must know if the vehicle's local equipment stores sensitive user information and, if so, ensure its destruction when the vehicle is retired.
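The checks listed for wireless updates (integrity verification, source authentication, anti-rollback, and rollback when an update fails) can be sketched in a few dozen lines. The Python below is an added example, not the article's or any manufacturer's code. It assumes a manifest signed by the manufacturer and a self-test hook on the vehicle; HMAC-SHA256 with a constructed key stands in for the manufacturer's signature scheme, and the RXSWIN values are placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: HMAC-SHA256 stands in for the manufacturer's
# signing scheme; a real deployment would use an asymmetric signature with only the
# public key provisioned in the vehicle, so the vehicle holds nothing that can sign.
MANUFACTURER_KEY = b"constructed-demo-key"

def canonical(manifest):
    """Stable byte encoding of the manifest so signer and verifier hash the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def build_update(key, rxswin, version, payload):
    """Manufacturer side: manifest bound to a target RXSWIN, a monotonically
    increasing version and the payload hash, plus a signature over the manifest."""
    manifest = {"rxswin": rxswin, "version": version,
                "sha256": hashlib.sha256(payload).hexdigest()}
    sig = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": sig, "payload": payload}

class VehicleUpdater:
    """Vehicle side: verify, then install with the previous image kept for rollback."""
    def __init__(self, key, rxswin, installed_version, installed_image):
        self.key, self.rxswin = key, rxswin
        self.installed_version, self.installed_image = installed_version, installed_image

    def verify(self, update):
        """Return None if the update is acceptable, else a reason for the incident log.
        Order matters: authenticate the source before trusting any manifest field."""
        m = update["manifest"]
        expected = hmac.new(self.key, canonical(m), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["signature"]):
            return "signature mismatch: source not authenticated"
        if m["rxswin"] != self.rxswin:
            return "update targets a different RXSWIN"
        if m["version"] <= self.installed_version:
            return "downgrade or replay rejected: anti-rollback"
        if hashlib.sha256(update["payload"]).hexdigest() != m["sha256"]:
            return "payload hash mismatch: integrity check failed"
        return None

    def apply(self, update, self_test):
        """Install only a verified update; roll back to the previous image if the
        post-install self-test fails. Returns (installed_version, status)."""
        reason = self.verify(update)
        if reason:
            return self.installed_version, "rejected: " + reason
        previous = (self.installed_version, self.installed_image)
        self.installed_version = update["manifest"]["version"]
        self.installed_image = update["payload"]
        if not self_test(self.installed_image):
            self.installed_version, self.installed_image = previous
            return self.installed_version, "rolled back: self-test failed"
        return self.installed_version, "installed"
```

Every rejection reason is returned rather than silently dropped so that it can feed the incident monitoring process described earlier.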
       

Conclusions

The new regulations R155, relating to the vehicle cybersecurity management system, and R156, relating to the vehicle software update system, introduce a vehicle cybersecurity approval system for manufacturers.

These new requirements do not differ too much from the usual requirements to be met by industrial control systems as they include vulnerability management, risk management and verification of security measures, among others. However, the characteristics of working with mobile consumer goods make their application considerably more difficult.

It is considered necessary for the manufacturer to adopt an overall vision of its production and maintenance process in order to achieve both approvals correctly. If the type-approval process is approached from the beginning of the design and is worked on in a systematic, coordinated and collaborative way with the interested parties, the manufacturer will be able to take advantage of opportunities to make the process more effective and efficient.

Finally, although mentioned throughout the article, it is worth noting that a high cybersecurity maturity level is considered a good foundation (if not an essential requirement) for addressing the new R155 and R156 requirements. Not having the necessary cybersecurity procedures and measures in place in the organization can significantly hinder compliance with the new requirements and, in the worst case, introduce unknown cybersecurity vulnerabilities during the process.