The processes used within the manufacturer’s organization to manage
The following could be used to show the range of activities performed by the manufacturer to manage the CSMS:
(a) Organizational structure used to address cyber security;
(b) Roles and responsibilities regarding cyber security management, including accountability.
The processes used for the identification of risks to vehicle types. Within these processes, the threats in Annex 5, Part A, and other relevant threats shall be considered.
The processes implemented should consider all probable sources of risk. This shall include the risks identified in Annex 5. Sources used for risk identification may be stated. These may include:
(a) Vulnerability/ Threats sharing platforms;
(b) Lessons learned regarding risks and vulnerabilities.
The processes used for the assessment, categorization and treatment of the risks identified
Manufacturers need to demonstrate their rules for assessing, classifying and addressing identified cyber security risks. The process can include: assessing the impact and potential attack paths associated with each identified risk; confirming the feasibility and attack potential of those attack paths; recording the basis on which each identified risk is classified; and treating the risks once identified and classified.
The processes in place to verify that the risks identified are appropriately managed
Manufacturers need to respond to the mitigation measures listed in UN R155 Annex 5. The manufacturer needs to demonstrate its rules and processes for risk-management decision-making, focusing on the risk and its treatment after assessment; the residual risk after treatment should be within the manufacturer's declared acceptable range.
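As an added illustration (not part of UN R155 or any manufacturer's process), the following Python sketch records, for each identified risk, the attack path that justifies its feasibility rating, derives an initial risk value, applies the chosen treatments, and checks the residual risk against a declared acceptable range. The ordinal scales, the risk matrix, the treatment model (each control removes a number of feasibility levels), the threat IDs, assets and the acceptable-risk threshold are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed ordinal scales (not taken from the regulation): impact of a
# successful attack and feasibility of the documented attack path.
IMPACT_LEVELS = {"negligible": 1, "moderate": 2, "major": 3, "severe": 4}
FEASIBILITY_LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4}
FEASIBILITY_NAMES = {v: k for k, v in FEASIBILITY_LEVELS.items()}


@dataclass
class Threat:
    """One identified risk, with the basis for its classification recorded."""
    threat_id: str
    asset: str
    attack_path: str        # the rationale behind the feasibility rating
    impact: str
    feasibility: str
    # (control name, number of feasibility levels the control removes); assumed model
    treatments: list = field(default_factory=list)


def risk_value(impact: str, feasibility: str) -> int:
    """Assumed risk matrix: impact x feasibility (1..16) collapsed to a 1..5 value."""
    score = IMPACT_LEVELS[impact] * FEASIBILITY_LEVELS[feasibility]
    for threshold, value in ((2, 1), (4, 2), (8, 3), (12, 4)):
        if score <= threshold:
            return value
    return 5


def residual_feasibility(threat: Threat) -> str:
    """Feasibility after treatment; controls lower it but never below 'very low'."""
    level = FEASIBILITY_LEVELS[threat.feasibility]
    for _, reduction in threat.treatments:
        level -= reduction
    return FEASIBILITY_NAMES[max(level, 1)]


def assess(threat: Threat, acceptable_risk: int) -> dict:
    """Initial risk, residual risk after treatment, and whether the residual
    risk lies within the declared acceptable range."""
    initial = risk_value(threat.impact, threat.feasibility)
    residual = risk_value(threat.impact, residual_feasibility(threat))
    return {
        "threat_id": threat.threat_id,
        "attack_path": threat.attack_path,
        "initial_risk": initial,
        "residual_risk": residual,
        "treatments": [name for name, _ in threat.treatments],
        "within_acceptable": residual <= acceptable_risk,
    }


def open_risks(threats, acceptable_risk: int) -> list:
    """IDs of risks still above the acceptable range: these need further
    treatment or an explicit, documented acceptance decision."""
    return [t.threat_id for t in threats
            if not assess(t, acceptable_risk)["within_acceptable"]]


# Constructed sample register: placeholder IDs and assets, not a real vehicle type.
SAMPLE_THREATS = [
    Threat("THR-A", "in-vehicle network",
           "spoofed control message reaching the network through a diagnostic interface",
           impact="severe", feasibility="medium",
           treatments=[("message authentication on safety-relevant frames", 2)]),
    Threat("THR-B", "telematics unit",
           "misuse of a remote service that lacks authentication",
           impact="moderate", feasibility="high"),
]
ACCEPTABLE_RISK = 2  # manufacturer's declared acceptable residual risk (assumed)

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(assess(t, ACCEPTABLE_RISK))
    print("still open:", open_risks(SAMPLE_THREATS, ACCEPTABLE_RISK))
```

Running the script shows THR-A dropping from risk value 4 to 2 after its treatment, while THR-B stays at 3 and is listed as open; that open list is the kind of record the verification process in the next requirement would review.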
The processes used for testing the cyber security of a vehicle type
The aim of this requirement is to ensure the manufacturer has appropriate capabilities and processes for testing the vehicle type throughout its development and production phases.
Testing processes in the production phase may be different to the ones used during the
The processes used for ensuring that the risk assessment is kept current
The aim of this requirement is to ensure the risk assessment is kept current. This should include processes to identify whether the risks to a vehicle type have changed and how this will be considered within the risk assessment.
The processes used to monitor for, detect and respond to cyber-attacks, cyber threats and vulnerabilities on vehicle types and the processes used to assess whether the cyber security measures implemented are still effective in the light of new cyber threats and vulnerabilities that have been identified
The aim of this requirement is to ensure that the manufacturer has processes to monitor for cyber-attacks, threats or vulnerabilities affecting vehicles that the manufacturer has had type approved, i.e. vehicles in the production or post-production phase, and that it has established processes that permit it to respond in an appropriate and timely manner.
*Reporting: The vehicle manufacturer shall report at least once a year, or more frequently if relevant, to the Approval Authority or the Technical Service on the outcome of its monitoring activities; this shall include relevant information on new cyber-attacks.
The processes used to provide relevant data to support analysis of attempted or successful cyber-attacks
The procedure for implementing Security Incident Response Team activities (incidents); field monitoring (obtaining information on incidents and vulnerabilities); and the procedure followed when an incident occurs (including an overview of what information is passed to the analyst, and at which steps) could be used as evidence for data handling and analysis.