New vehicle technology brings with it rising security threats, which must be addressed by integrating cybersecurity best practices into the vehicle lifecycle from design, to production and maintenance, through to decommissioning.
In order to protect road vehicles and their passengers from security threats, the United Nations Economic Commission for Europe (UNECE) has introduced baseline requirements for vehicle cybersecurity practices.
By July 2024, this regulation will become fully applicable and will require all carmakers to implement and apply a CSMS to their product lifecycle, including the components supplied from third parties, and to provide proof of such implementation during the homologation phase. This will have a significant effect on the entire automotive ecosystem and its stakeholders, since failure to meet the regulatory requirements could affect the ability to market the vehicles.
This is the standard referred to in the UN-R155 Regulations, which represents an approved "guideline" to ensure R155 compliance and thus to obtain approval for vehicle homologation, and elaborates on the concept of a Cybersecurity Management System.
This standard was released in 2022 to provide guidelines for managing an automotive cybersecurity audit program, providing specific criteria for auditing ISO/SAE 21434-based CSMS.
The Cybersecurity Management System (CSMS) is “a systematic risk-based approach defining organizational processes, responsibilities, and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks.” To guarantee proper cybersecurity risk management through the entire product lifecycle, the CSMS follows the Automotive V-Model, ensuring appropriate consideration of cybersecurity from the concept phase all the way through to the decommissioning phase of electrical and electronic systems in road vehicles, including their components and interfaces.
Reply’s approach to CSMS implementation uses our extensive experience in the automotive cybersecurity sector to execute strategies which are custom-made and tailored to the needs of our unique customers. Due to our skills related to security advisory topics, system integration, and security operations, our automotive security offering provides both consultancy services and integrated solutions implementation.
Assess and evaluate the current cybersecurity posture to meet UN-R155 and UN-R156 compliance
Evaluate compliance against other applicable regulations (e.g. IATF, TISAX)
Provide a detailed Gap Analysis
Define the strategies and remediation activities to meet regulatory requirements
Vehicle cybersecurity engineering according to ISO/SAE 21434 and Regulation UNECE/WP R155.
Management of supplier-related risks through the contract lifecycle (supplier evaluation, monitoring, ...)
Security services related to backend applications used by Connected Vehicles (e.g. Service Delivery Platform, Authenticated Diagnostic, ...)
Secure development and execution of penetration testing for vehicle components or networks
Implementation, integration and management of V-PKI (SW Sign, ECU Identify, ADA)
V-SOC and PSIRT implementation and management