GENERAL REQUIREMENT FOR CSMS
The vehicle manufacturer shall demonstrate that the processes used within their Cyber Security Management System ensure security is adequately considered, including risks and mitigations listed in Annex 5. Their CSMS should apply to development phases, production phases, and post-production phases.
The processes/documents/records resulting from a cybersecurity management system established based on ISO/SAE 21434 will be considered sufficient evidence that the system demonstrates compliance with the following requirements.
CSMS ESTABLISHED SHOULD INCLUDE
The processes used within the manufacturer’s organization to manage
The following could be used to show the range of activities performed by the manufacturer to manage the CSMS:
(a) Organizational structure used to address cyber security;
(b) Roles and responsibilities regarding cyber security management, including accountability.
The processes used for the identification of risks to vehicle types. Within these processes, the threats in Annex 5, Part A, and other relevant threats shall be considered.
Processes implemented should consider all probable sources of risk. This shall include the risks identified in Annex 5. Sources for risk identification may be stated. These may include:
(a) Vulnerability/threat sharing platforms;
(b) Lessons learned regarding risks and vulnerabilities.
The processes used for the assessment, categorization and treatment of the risks identified
Manufacturers need to demonstrate rules for assessing, classifying and addressing identified cybersecurity risks. The process can include assessing the impact and potential attack paths associated with the identified risks, confirming the feasibility and attack potential of the potential attack paths, clarifying the basis for classifying the identified risks, and addressing the identified and classified risks.
The processes in place to verify that the risks identified are appropriately managed
Manufacturers need to respond to the mitigation measures listed in UN R155 Appendix 5. The manufacturer needs to demonstrate its rules and processes for risk management decision-making, focusing on the treatment of risks after assessment; the residual risk after treatment should be within the manufacturer's declared acceptable range.
The processes used for testing the cyber security of a vehicle type
The aim of this requirement is to ensure the manufacturer has appropriate capabilities and processes for testing the vehicle type throughout its development and production phases. Testing processes in the production phase may be different to the ones used during the
The processes used for ensuring that the risk assessment is kept current
The aim of this requirement is to ensure the risk assessment is kept current. This should include processes to identify if the risks to a vehicle type have changed and how this will be considered within the risk assessment.
The processes used to monitor for, detect and respond to cyber-attacks, cyber threats and vulnerabilities on vehicle types and the processes used to assess whether the cyber security measures implemented are still effective in the light of new cyber threats and vulnerabilities that have been identified
The aim of this requirement is to ensure that the manufacturer has processes to monitor for cyber-attacks, threats or vulnerabilities to vehicles that the manufacturer has had type approved, i.e. vehicles in the post-production or production phase, and that they have established processes that would permit them to respond in an appropriate and timely manner.
*Reporting: The vehicle manufacturer shall report at least once a year, or more frequently if relevant, to the Approval Authority or the Technical Service the outcome of their monitoring activities; this shall include relevant information on new cyber-attacks.
The processes used to provide relevant data to support analysis of attempted or successful cyber-attacks
The following could be used as evidence for data handling and analysis:
(a) Procedure for implementing Security Incident Response Team activities (incidents);
(b) Field monitoring (obtaining information on incidents and vulnerabilities);
(c) Procedure when an incident occurs (including an overview of what information is passed to the analyst, and in what steps).
The manufacturer is required to have obtained a CSMS certificate when the vehicle is applying for UN R155 type approval.
The vehicle manufacturer shall identify and manage, for the vehicle type being approved, supplier-related risks.
The vehicle manufacturer shall identify the critical elements of the vehicle type and perform an exhaustive risk assessment for the vehicle type and shall treat/manage the identified risks appropriately.
The risk assessment shall consider the individual elements of the vehicle type and their interactions. The risk assessment shall further consider interactions with any external systems.
While assessing the risks, the vehicle manufacturer shall consider the risks related to all the threats referred to in Annex 5, Part A, as well as any other relevant risk.
The vehicle manufacturer shall protect the vehicle type against risks identified in the vehicle manufacturer’s risk assessment. Proportionate mitigations shall be implemented to protect the vehicle type. The mitigations implemented shall include all mitigations referred to in Annex 5, Parts B and C, that are relevant for the risks identified. However, if a mitigation referred to in Annex 5, Part B or C, is not relevant or not sufficient for the risk identified, the vehicle manufacturer shall ensure that another appropriate mitigation is implemented.
The vehicle manufacturer shall put in place appropriate and proportionate measures to secure dedicated environments on the vehicle type (if provided) for the storage and execution of aftermarket software, services, applications or data.
The vehicle manufacturer shall perform, prior to type approval, appropriate and sufficient testing to verify the effectiveness of the security measures implemented.
Detection and Analysis
The vehicle manufacturer shall implement measures for the vehicle type to:
(a) Detect and prevent cyber-attacks against vehicles of the vehicle type;
(b) Support the monitoring capability of the vehicle manufacturer with regards to detecting threats, vulnerabilities and cyber-attacks relevant to the vehicle type;
(c) Provide data forensic capability to enable analysis of attempted or successful cyber-attacks.
Cryptographic modules used for the purpose of this Regulation shall be in line with consensus standards.
ATIC PROVIDES SERVICES
ATIC provides a full range of automotive cybersecurity services, which include:
System implementation: gap analysis, professional training, process and document construction and other system implementation services based on UN R155 and ISO/SAE 21434.
System certification: UN R155 CSMS certification and ISO/SAE 21434 certification services.
Vehicle testing: based on the identified risks, comprehensive automotive cybersecurity testing, including penetration testing, regression testing, etc.
Type approval: UN R155 vehicle type approval services.
We are a young technical service company from China, established in 2015. We have a professional and passionate team, and we strive to create the best environment to attract the best experts, returnees and outstanding graduates to join us. We are committed to integrating domestic and international regulations, testing and certification resources with a global perspective in the context of globalization, and to establishing a new, specialized regulation research, testing and certification platform. We have established authorized or cooperative partnerships with governmental departments, authorities, certification bodies and laboratories in more than 30 countries including Germany, Czech Republic, Lithuania, Turkey, United Arab Emirates, South Korea, United States, Brazil, India, Indonesia, Thailand, and Vietnam. With our innovative Digital Reporting System (DRS), Customer Service Platform (CSP) and self-developed Global Vehicle Regulation Database (GVRD), our compliance service covers more than 54 countries/regions globally, and our testing and certification service covers more than 30 countries/regions worldwide. We serve more than 3,300 manufacturers each year.