UN Regulation No. 155 - Cyber security and cyber security management system

A mandatory United Nations regulation requiring automotive manufacturers to implement a certified Cyber Security Management System (CSMS). It covers the entire vehicle lifecycle, from development to post-production. Compliance, often aligned with ISO/SAE 21434, is essential for vehicle type approval in signatory countries, including the EU and Japan.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is UNR155?

UN Regulation No. 155 is a mandatory framework issued by the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) to address automotive cybersecurity. It legally requires vehicle manufacturers to implement a certified Cyber Security Management System (CSMS) to manage cyber risks throughout the vehicle's entire lifecycle, from development and production to post-production phases. The CSMS must be certified as compliant before a new vehicle type can be sold in signatory countries. The regulation's technical requirements are closely aligned with the processes detailed in ISO/SAE 21434:2021, which serves as the de facto standard for implementation. UNR155 focuses on ensuring vehicle resilience against cyber-attacks, which distinguishes it from data privacy regulations like GDPR and from its counterpart, UNR156, which specifically governs software updates.

How is UNR155 applied in enterprise risk management?

Application involves a structured, three-step process.

Step 1: Establish a CSMS. Based on ISO/SAE 21434, companies define cybersecurity policies and governance structures, and integrate security into the V-model development lifecycle. This includes assigning clear roles and responsibilities.

Step 2: Conduct Threat Analysis and Risk Assessment (TARA). For each vehicle type, potential threats and vulnerabilities are systematically identified and assessed. This analysis informs the design of security controls, such as secure boot, intrusion detection, and encrypted communications.

Step 3: Achieve Certification and Maintain Operations. The CSMS and vehicle-specific risk assessments are submitted to an approval authority for type approval. Post-approval, a Vehicle Security Operations Center (VSOC) is required for continuous monitoring, threat intelligence, and incident response.

A leading German automaker achieved a 98% reduction in post-production security patches by embedding this process, demonstrating significant risk reduction.

What challenges do Taiwan enterprises face when implementing UNR155?

Taiwanese enterprises, particularly those in the extensive supply chain, face three key challenges.

1. Supply Chain Complexity: Ensuring cybersecurity compliance across numerous, often smaller, suppliers is difficult. Solution: Mandate ISO/SAE 21434 compliance through contractual agreements and conduct supplier audits. Priority: Focus on Tier-1 suppliers first.

2. Talent Gap: There is a shortage of professionals with integrated expertise in automotive engineering, IT security, and regulatory compliance. Solution: Form cross-functional teams and partner with external experts like Winners Consulting for specialized training and gap analysis. Priority: Conduct foundational workshops to build internal awareness.

3. High Initial Investment: The cost of establishing a CSMS and VSOC can be a barrier. Solution: Frame compliance as a market access enabler, not just a cost. Quantify the risk of non-compliance (e.g., lost sales in the EU) to justify the investment to management.

Why choose Winners Consulting for UNR155?

Winners Consulting specializes in UNR155 for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact
