Compliance with UN R156: Securing Vehicle Software Updates

In the past, vehicles were purchased with a fixed set of functionalities that remained unchanged until the owner acquired a new vehicle. However, modern cars have evolved into customizable platforms with software that can be continuously updated and enhanced.

To meet the growing demand for personalization and remain competitive, manufacturers now offer advanced features that can be subscribed to and downloaded onto vehicles at any time after purchase. These functionalities, such as entertainment applications, driver assistance systems, self-driving capabilities, and others, are constantly being improved and updated.

Maintaining this kind of flexible software structure requires vehicle manufacturers to implement periodic update procedures. However, since these updates essentially alter the vehicle’s software and carry a fair amount of potential risks, it is crucial that they are implemented in the most secure way possible. This is where the UNECE Regulation 156 (UN R156) comes into play, establishing a much-needed framework for secure vehicle software updates.

UN R156 Requirements

UNECE Regulation 156 establishes the minimum cybersecurity and Software Update Management System (SUMS) requirements for vehicle manufacturers. According to the regulation, manufacturers must implement the SUMS and demonstrate that they have the necessary processes in place to comply with all secure software update requirements. The requirements can be divided into two main categories:

  1. Software Update Management System Requirements: These include securing communication channels for updates, validating software integrity, implementing access control mechanisms, and maintaining update logs for auditing purposes.
  2. Vehicle Type Requirements: Specific rules and standards that vehicles must meet to ensure secure software updates.

As vehicles become increasingly software-defined, the ability to update their software securely and efficiently is paramount as unsecured software updates can leave vehicles vulnerable to cyber threats, such as malware infections, data breaches, or even remote control of vehicle systems. These risks can compromise vehicle safety, privacy, and security, making it essential to implement robust cybersecurity measures for software updates.

Securing Updates for UN R156 compliance

UNECE Regulation 156 requires manufacturers to implement appropriate cybersecurity measures to mitigate potential risks from software updates. These measures include:

  • Implementing a software update management system
  • Securing communication channels for update processes
  • Validating software integrity to prevent tampering
  • Implementing access control mechanisms to protect against unauthorized access
  • Maintaining update logs for auditing purposes

AUTOCRYPT offers a suite of in-vehicle cybersecurity products and solutions that implement the necessary security processes in line with UN R156 requirements for secure software updates. Apart from cybersecurity implementation, we also offer UN R155/156 compliance consulting services. Visit our UNECE WP.29 Consulting page to learn more and download the WP.29 regulation checklist outlining the steps for UNECE regulation compliance.

As the automotive industry continues to embrace software-defined vehicles, UN R156 plays a crucial role in ensuring the safe and secure updating of vehicle software. By establishing baseline requirements for cybersecurity and software update management systems, this regulation helps protect vehicles, their occupants, and the broader transportation ecosystem from potential cyber threats. Compliance with UNECE Regulation 156 is a critical step towards building a safer and more secure future for the automotive industry.

Bayanat and AUTOCRYPT Sign MOU to Advance Autonomous Driving and AI Smart Roads in the Region

Under the agreement, firms aim to develop a comprehensive V2X infrastructure plan

ABU DHABI, Apr. 26, 2024 — Bayanat, a leading provider of AI-powered geospatial solutions, has signed a memorandum of understanding (MoU) with AUTOCRYPT, an industry-leading vehicle-to-everything (V2X) and automotive cybersecurity technology firm, to combine its expertise in V2X infrastructure deployment with Bayanat’s AI Smart Roads, enabling and advancing Level 4+ autonomous driving.

The MoU was signed by Abdulla Al Shamsi, Chief Operating Officer of Bayanat, and Seokwoo Lee, AUTOCRYPT’s Chairman and Co-founder, at DRIFTx, an international exhibition supported by the Abu Dhabi Investment Office (ADIO) dedicated to advancing the future of smart and autonomous mobility across air, land, and sea. Under the agreement, Bayanat and AUTOCRYPT will explore a V2X infrastructure deployment strategy, joint R&D projects, and collaboration opportunities.

By combining their expertise to accelerate the development of core technologies for the future of transportation, the companies will develop a comprehensive V2X infrastructure plan.

Abdulla Al Shamsi, Bayanat COO, said: “Our partnership with AUTOCRYPT marks a pivotal moment in our journey towards revolutionizing AI autonomous driving and Smart Road technology. Bayanat is well aligned with the UAE’s strategy for sustainability and is developing technology to provide cutting-edge mobility solutions while allowing for streamlined travel that is not limited by human error. This partnership supports the UAE’s dedication to improving urban development by prioritizing smart mobility and infrastructure initiatives that make our cities more efficient, sustainable, and livable.”

Seokwoo Lee, commented: “We are thrilled to collaborate with Bayanat on developing secure and reliable V2X infrastructure for the UAE’s smart roads. Having played a major role in all of South Korea’s V2X infrastructure development projects throughout the past decade, we look forward to contributing our expertise to this rapidly expanding market.”

Cybersecurity Management System for UNECE Regulation 155

The automotive industry is entering an important stage of cybersecurity implementation. In July of 2024, UNECE Regulation 155 (UN R155) about vehicle cybersecurity and Cybersecurity Management Systems (CSMS) is coming into full force. What does this mean for the larger automotive industry?

Vehicle manufacturers across the 64 WP.29 member countries will be required to adhere to regulatory compliance measures outlined in UNECE Regulation 155. Vehicles that do not comply with the regulations will not be eligible for registration starting July 2024. We can already see how the regulation is affecting the industry in the recent Porsche announcement. The company stated that they will be discontinuing the combustion-powered 718 Boxster convertible and the 718 Cayman models in certain countries, due to not meeting the cybersecurity standards outlined in UN R155 legislation.

UN R155 is a set of regulations developed by the United Nations Economic Commission for Europe (UNECE) pertaining to cybersecurity in vehicles. The regulation establishes cybersecurity requirements for the vehicle manufacturing process and vehicle type approval, aimed at enhancing the security of connected vehicles and increasing resilience against cyber threats.

Essential Approval Requirements

The essential UN R155 approval requirements for automotive cybersecurity, address standards and protocols for securing connected vehicles against cyber threats. However, UN R155 does not only focus on vehicle cybersecurity. The regulation oversees the entire vehicle manufacturing process, enforcing cybersecurity measures to be incorporated on an organizational level and throughout the vehicle’s entire lifecycle.

OEMs wishing to receive UN R155 approval must implement a cybersecurity management system that verifies secure operations throughout the vehicle development, production, and post-production phases.

Upon CSMS implementation OEMs must go through a CSMS assessment process, also known as a CSMS audit, that will be conducted by an appointed Approval Authority. During a CSMS audit, the Approval Authority assesses and verifies the manufacturer’s compliance with the requirements outlined in UN R155. If the assessment deems cybersecurity management system implementation successful, the OEM obtains the Certificate of Compliance for CSMS. The Certificate of Compliance is valid for three years and can be extended upon expiration.

Requirements for CSMS

The requirements for the Cybersecurity Management System are holistic in nature and call for vehicle manufacturers to follow cybersecurity-by-design principles. From a grander organizational perspective to granular vehicle attack vector assessments, the CSMS requirements seek appropriate cybersecurity measures that continuously monitor, detect, and respond to cyber threats across the vehicle development lifecycle According to UN R155, vehicle manufacturers should ensure that their Cybersecurity Management System complies with the following stipulations:

1. The vehicle manufacturer shall demonstrate that their CSMS applies to the vehicle development, production, and post-production stages.

2. The vehicle manufacturer shall demonstrate that the processes used within their CSMS to ensure security is adequately considered and implemented continuously. This requirement entails cybersecurity management processes, risk identification, assessment, and mitigation.

3. OEMs are expected to stay on top of new cyber threats and vulnerabilities, keeping their security measures current.

4. Vehicle manufacturers must be able to provide relevant data to support analysis of attempted or successful cyberattacks to their designated Approval Authority.

5. OEMs shall demonstrate that the processes used within their CSMS will ensure that cyber threats and vulnerabilities are addressed and mitigated within a reasonable time frame.

6. Vehicle manufacturers must be able to demonstrate how their CSMS will manage dependencies that may exist with suppliers, service providers, or manufacturer’s sub-organizations. This means that OEMs are accountable for implementing and verifying cybersecurity practices along their supply chains.

Requirements beyond the CSMS

Meeting cybersecurity management system requirements and obtaining the CSMS Certificate of Compliance is the first step of the regulatory compliance process. UN Regulation 155 also includes an array of cybersecurity requirements for vehicle type approval. The type approval process focuses on the effectiveness of the security measures implemented in the actual vehicle and its components.

Our latest ebook delves into the key vehicle components to focus on for UN R155 type approval and can offer insight into how different vehicle components require different types of cybersecurity measures. 

Download eBook

Automotive cybersecurity implementation cannot be done in a one-size-fits-all manner. Different OEMs will have different cybersecurity and testing needs based on their organizational structures, vehicle manufacturing processes, and supply chains. With industry-leading expertise accumulated through years of experience in cybersecurity implementation, AUTOCRYPT offers professional consulting services for automotive OEMs and suppliers in establishing the CSMS.

To learn more about our CSMS Consulting Services and cybersecurity regulation compliance, contact

AUTOCRYPT and MicroNova Launch Strategic Partnership to Advance Automotive Cybersecurity

The Focus is on the development of innovative test solutions in the field of automotive cybersecurity

MUNICH, Feb. 28, 2024 — The increasing digitalization of vehicles is creating the need for innovative approaches to combat cyberattacks and ensure the integrity of vehicle electronics. The memorandum of understanding signed by the two companies specifies that they will work together on test solutions for the cybersecurity field. The focus will be on pentests (penetration tests) and fuzzing (automated software tests) as well as data forensics and vulnerability management during the test phase. The aim is to further improve the reliability of vehicles and meet the increasing requirements for networked mobility.

Joint Expertise for Automotive Cybersecurity

The cooperation between MicroNova and AUTOCRYPT combines the two companies’ comprehensive know-how in the field of automotive technology. MicroNova has decades of experience in test solutions for the automotive industry and will be contributing its skills in the areas of embedded test and validation, software development, and test automation. AUTOCRYPT is an expert in mobility security solutions and will be providing innovative products to protect vehicle communication systems from cyber threats.

“This partnership agreement with AUTOCRYPT represents a major step towards offering our customers pioneering applications in the field of cybersecurity,” explains Orazio Ragonesi, CEO of MicroNova. “Combining the strengths of our companies will enable us to develop customized solutions that meet current and future requirements for the safety of connected vehicles.”

Daniel ES Kim, CEO and co-founder of AUTOCRYPT, emphasizes: “Working together with MicroNova, we will be able to make full use of our expertise in creating innovative security solutions for the automotive industry. The combination of MicroNova’s comprehensive expertise in embedded systems for automotive applications with our decades-long expertise in vehicle safety will pave the way for groundbreaking developments.”

Daniel ES Kim, CEO of AUTOCRYPT (left), and Orazio Ragonesi, CEO of MicroNova (right), signing the letter of intent (Memorandum of Understanding) at MicroNova’s headquarters in Vierkirchen near Munich
About Autocrypt Co., Ltd.

AUTOCRYPT is the leading player in automotive cybersecurity and smart mobility technologies. It specializes in the development and integration of security software and solutions for in-vehicle systems, V2X communications, and Plug&Charge, paving the way towards secure and reliable transport in the age of software-defined vehicles. Built to support both AUTOSAR and legacy vehicular platforms, AUTOCRYPT’s In-Vehicle Systems Security solution consists of embedded security libraries and algorithms, security testing tools and services, as well as threat mitigation solutions, helping automotive OEMs and suppliers comply with international standards and regulations like ISO/SAE 21434 and UN R155/156.

About MicroNova

MicroNova has been a software and systems vendor since 1987 and offers products, solutions and services in four business areas: testing of automotive electronicstechnology consulting, management of mobile radio and communication networks including energy management solutions based on the Industrial Internet of Things (IIoT) as well as the distribution of ITdigitalization and project management solutions. 400 experts work with technological competence and passion at the headquarters in Vierkirchen near Munich and at eight other locations in Germany and the Czech Republic. Numerous customers such as Audi, BMW, Continental, Telefónica Germany, Vodafone Germany and Volkswagen rely on MicroNova’s expertise.

*This press release is provided by MicroNova.

The Role of Penetration Testing in the Automotive Industry

The esteemed hackathon Pwn2Own has had its first ever automotive-focused event in Tokyo, Japan this January. At the end of the three-day hackathon, hackers identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years, however, they are just getting popular in the automotive sector.

During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have its negative connotations, ethical hacking performed in these events is better defined by the term penetration testing.

As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.

Understanding Automotive Penetration Testing

Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by means of hacking into specific components of a vehicle. This proactive way of cybersecurity testing allows for the uncovering of security gaps in a controlled environment. 

Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.

Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.

Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover the vulnerabilities within the system and also the various entry points and attack vectors that can be used to exploit said vulnerability.

For instance, to identify security gaps in a vehicle’s external communications a hacker may conduct a penetration test on ECUs responsible for a vehicle’s connectivity functions like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.

Why Automotive Penetration Testing Matters

By conducting thorough security assessments manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.

Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, mandates manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.

To comply with the regulations manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect, and respond to possible cyber attacks, as well as log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.

The Importance of Collaboration for Cybersecurity Testing

Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.

AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).

As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.

AUTOCRYPT Launches Cybersecurity Testing Platform for UN R155/156 and GB Compliance

New platform enables automotive OEMs to conduct regulatory compliant security testing and share integrated results for vehicle type approval

SEOUL, Feb. 20, 2024 — Automotive cybersecurity company AUTOCRYPT announced the launch of AutoCrypt CSTP, a comprehensive cybersecurity testing platform that enables integrated cybersecurity testing for vehicle type approval, in compliance with UNECE’s Regulations 155/156 and SAC’s GB and GB/T standards.

As UN R155 and R156 take full effect on all vehicles beginning July 2024, automotive OEMs and vehicle inspection centers will be obligated to conduct cybersecurity testing and validations based on the required criteria. AutoCrypt CSTP provides a comprehensive platform that runs a variety of vulnerability testing techniques using test cases mapped out for UN R155/156 and GB (GB/T).

With customizable hardware adaptable to PC and test bench environments, AutoCrypt CSTP offers test case licenses for three types of tests:

  1. Penetration testing: Users can select penetration testing scenarios crafted by AUTOCRYPT’s offensive security testing team.
  2. Engineering Specification Testing: AUTOCRYPT offers test cases based on a vehicle’s engineering specifications, enabling the accurate validation of vehicle functions.
  3. Fuzz Testing: Utilizing technology from AUTOCRYPT’s proprietary vehicle fuzzing tools, AutoCrypt CSTP provides compact test cases generated by AI-based algorithms.

From test case selection and configuration to real-time logging and report generation, the entire testing process can be managed on an intuitive GUI, which can be securely linked to all inspection centers and authorities in different countries, consequently empowering faster and more precise decision-making.

“We developed AutoCrypt CSTP to give automotive OEMs the freedom to customize their test cases and select only the licenses they need for their environment, while obtaining testing results ready for vehicle type approval,” AUTOCRYPT’s CEO, Daniel ES Kim remarked. “Furthermore, the platform enables multi-ECU testing grouped by projects, requiring less manual intervention. The goal of making this platform is to help manufacturers allocate their resources efficiently and reduce unnecessary spending.”

Besides the testing platform, AUTOCRYPT also offers fuzz testing and penetration testing services customized for the OEM’s environments and needs, along with CSMS and TARA consulting services for UN R155/156 compliance.

About Autocrypt Co., Ltd.

AUTOCRYPT is the industry leader in automotive cybersecurity and smart mobility technologies. The company specializes in the development and integration of security software and solutions for in-vehicle systems, V2X communications, Plug&Charge, and mobility platforms, paving the way towards a secure and reliable C-ITS ecosystem in the age of software-defined vehicles. AUTOCRYPT also provides consulting and testing services along with holistic solutions for UN R155/156 and ISO/SAE 21434 compliance.