)
Cybersecurity Management Systems for the Automotive Market
New vehicle technology brings with it rising security threats, which must be addressed by integrating cybersecurity best practices into the vehicle lifecycle from design, to production and maintenance, through to decommissioning
The Regulatory Context
In order to protect road vehicles and their passengers from security threats, the United Nations Economic Commission for Europe (UNECE) has introduced baseline requirements for vehicle cybersecurity practices.
UN-R155 Regulation
By July 2024, this regulation will become fully applicable and will require all carmakers to implement and apply a CSMS to their product lifecycle, including the components supplied from third parties, and to provide proof of such implementation during the homologation phase. This will have a significant effect on the entire automotive ecosystem and its stakeholders, since failure to meet the regulatory requirements could affect the ability to market the vehicles.
ISO/SAE 21434
This is the standard referred to in the UN-R155 Regulations, which represents an approved "guideline" to ensure R155 compliance and thus to obtain approval for vehicle homologation, and elaborates on the concept of a Cybersecurity Management System.
ISO/PAS 5112
This standard was released in 2022, in order to provide guidelines for managing an automotive cybersecurity audit program, providing specific criteria for auditing ISO/IEC 21434-based CSMS.
CSMS Key Elements
The Cybersecurity Management System (CSMS) is “a systematic risk-based approach defining organizational processes, responsibilities, and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks.” To guarantee proper cybersecurity risk management through the entire product lifecycle, the CSMS follows the Automotive V-Model, ensuring appropriate consideration of cybersecurity from the concept phase all the way through to the decommissioning phase of electrical and electronic systems in road vehicles, including their components and interfaces.
How We Can Help
Reply’s approach to CSMS implementation uses our extensive experience in the automotive cybersecurity sector to execute strategies which are custom-made and tailored to the needs of our unique customers. Due to our skills related to security advisory topics, system integration, and security operations, our automotive security offering provides both consultancy services and integrated solutions implementation.
Reply’s services
Assessment & Strategy definition
Assess and evaluate the current cybersecurity posture to meet UN-R155 and UN-R156 compliance
Evaluate the compliance against other applicable regulations (e.s. IATF, TISAX)
Provide a detailed Gap Analysis
Define the strategies and remediation activities to meet regulatory requirements
Cybersecurity Engineering
& Security by Design
Vehicle cybersecurity engineering according to ISO/SAE 21434 and Regulation UNECE/WP R155.
Third Party Risk Management
Management of the suppliers related risks through the contract lifecycle (suppliers evaluation, monitoring,..)
Connected Vehicle ICT Security
Security services related to backend application used by Connected Vehicles (e.g. Service Delivery Platform, Authenticated Diagnostic, ...)
Secure develpment & tests
Secure development and execution of penetration testing for vehicle components or networks
Manufacturing Security
Implementation, integration and management of V-PKI (SW Sign, ECU Identify, ADA)
CSMS operation & Threat Intelligence
V-SOC and PSIRT implementation and management
Vulnerabilities management