It may seem odd to those without much experience in the automotive industry that international bodies like the UN Economic Commission for Europe influence car companies’ market and safety regulations.
Here I am referring to two guidelines already known from our blog and labelled R155 and R156. My role as a Certified Ethical Hacker is to facilitate companies’ compliance with these regulations. So, today I’ll share a few pointers as to who can support your business in adapting to these regulations.
Regulation R155 introduces and imposes mandatory changes on automotive manufacturers. All parts of the supply chain are affected, and the requirements emphasize cybersecurity and the effort required to achieve it. Cybersecurity is not a commodity we walk to the store and buy by the piece; it is usually (though not exclusively) driven by a well-run machine – a process that is not blindsided.
Even the use of the word process can come across as a bit misleading, since these activities require a substantial amount of work. The trick is to approach them from an industry perspective, lege artis. A telling fact about the regulation is that the organizations subject to it have until the end of 2023 to implement it, which in reality means as soon as today, if not yesterday.
There is a strong connection between the R155 regulation and the ISO/SAE 21434:2021 standard that was already mentioned. As the standard specifies, cybersecurity is required for electrical and electronic systems in vehicles. Yet no specific technology is outlined, nor are detailed cybersecurity solutions for automotive prescribed.
In terms of ISO/SAE 21434:2021, though, guidance is provided on how to implement – both organizationally and project-wide – a cybersecurity management system, policies for addressing vehicle safety concerns, as well as continuous activities to demonstrate the effort being put into ensuring IT security.
A cybersecurity incident response protocol or a market-proven secure software development approach could be included in such activities. As far as automotive cybersecurity is concerned, ISO/SAE 21434 doesn’t directly address the issue; rather, it concentrates on securing the computer systems inside vehicles. A focus is placed on managing cyber risks, though.
Regulation R156, on the other hand, elaborates on issues related to the vehicles themselves (e.g., homologation) and, more specifically, the software, and formulates requirements for its update and management. Regulation R156 is addressed in the ISO 24089:2023 standard.
It’s not shocking to say that today’s car is more like a moving computer than a gasoline-powered vehicle. What competencies do you need in your team to handle cybersecurity in the automotive industry?
It is worth noting that the engineering department itself, which develops vehicle systems, is a rather specialized area whose scope includes proficiency in safety-critical systems; hence, knowledge of microcontrollers and assembly-based mnemonic implementations is absolutely vital.
It can be dizzying to keep track of all the functions and needs, especially as the IT market is experiencing staff shortages. It’s not easy to deal with cybersecurity in the automotive industry, but taking care of it sooner rather than later is worth the effort. Neglect will have severe consequences and will be far more costly to fix than preparing your organization for the upcoming R155 and R156 regulations with an experienced team.