Automaker Cybersecurity Concerns: Are you R155/6 compliant?

Complying with cybersecurity regulations has become an increasingly complex challenge for automakers, with the introduction of new UN regulations, such as R155/6, putting pressure on the entire supply chain. Duncan Licence, Parkopedia's Chief Product Officer, explains that not all in-vehicle systems and services fall under these regulations, and highlights how Parkopedia’s back-end to back-end infrastructure setup, and compliance with various international standards, provides automakers with a compliant value-add solution for their drivers.

The Importance of Connectivity in Modern Vehicles

In today's software-defined vehicles, connectivity is crucial for enhancing and upgrading the user experience, generating revenue through feature-on-demand services and offering cutting-edge, data-driven experiences. However, successfully integrating connected car services does not just involve adding technical functionality, but also requires navigating a complex web of regulations, particularly concerning cybersecurity and privacy to protect drivers. 

Enabling car connectivity involves handling vast amounts of sensitive data specific to the driver and the vehicle, making cybersecurity a growing concern for automakers. To address this, the United Nations brought in regulations for newly introduced models from July 2022, mandatory for all new vehicles produced from July 2024. The impact on the market has been significant, leading to the discontinuation of popular vehicle models such as the ICE versions of the Porsche Macan SUV and the all-electric previous generation Renault Zoe, which did not meet the new cybersecurity requirements introduced after their launch.

Understanding the Latest UN Cybersecurity Regulations

The two new UN regulations, UN R155 and UN R156, mandate comprehensive actions to ensure vehicle cybersecurity and software update management. These regulations have far-reaching implications for automakers, suppliers and the entire automotive value chain.

UN R155: Cybersecurity Management System (CSMS)

UN R155 mandates that automakers implement a Cybersecurity Management System (CSMS) to manage vehicle cyber risks. This includes integrating cybersecurity measures into vehicle design, managing cyber risks throughout the vehicle lifecycle, and ensuring ongoing monitoring and response to cyber threats. The regulation requires automakers to demonstrate that cybersecurity is managed at both the organisational level and within their processes. This includes risk assessments, cybersecurity controls, and regular audits to ensure compliance. Introduced in 2021, UN R155 applies to all new models approved from July 2022 and to all new vehicles sold as of July 2024. The regulation affects OEMs in the European Union (EU) and other UNECE member states, making it a global concern for the automotive industry, however, it must be noted that China is still not a signatory. Automakers must ensure that their entire value chains, including suppliers, comply with these rules. Suppliers are required to enhance their security measures and implement their own CSMS, with recognised frameworks such as TISAX and ISO/IEC 27001 being essential for compliance.

UN R156: Software Update Management System (SUMS)

UN R156 focuses on ensuring the security and reliability of software updates in vehicles. This includes managing over-the-air (OTA) updates, verifying the integrity of software updates, and ensuring that updates do not introduce new vulnerabilities. 

Automakers must establish a Software Update Management System (SUMS) to oversee the deployment and management of software updates. This system ensures that updates are delivered securely and that any issues arising from updates are promptly addressed. 

UN R156 mandates that software updates must be managed throughout the vehicle's lifecycle, from production to end-of-life. This includes providing updates for cybersecurity vulnerabilities, functionality enhancements and regulatory compliance. Where vehicle root certificates for ‘Plug & Charge’ functionality require updating, this must be carried out in an R156-compliant manner, to ensure that the vehicle’s integrity and performance are not compromised.

Impact on the Automotive Industry

The introduction of UN R155 and R156 has significant implications for the automotive industry, affecting various aspects of vehicle design, production, and maintenance.

Automakers face increased costs associated with implementing and maintaining CSMS and SUMS. These costs include investment in new technologies, staff training and regular audits to ensure ongoing compliance. Compliance with UN R155 and R156 requires changes to existing operational processes, with automakers having to integrate cybersecurity measures into their design and production workflows, impacting everything from vehicle architecture to supply chain management.

The stringent requirements of UN R155 and R156 have led to the discontinuation of some vehicle models that could not be easily retrofitted with updated software to meet the new standards. Automakers that can successfully and efficiently implement CSMS and SUMS may gain a competitive advantage by offering vehicles that meet the highest cybersecurity standards, enhancing brand reputation and customer trust in a market increasingly concerned with data security.

The regulations necessitate closer collaboration between automakers and suppliers to ensure compliance throughout the supply chain. This includes sharing best practices, conducting joint risk assessments and ensuring that suppliers meet the required cybersecurity standards. Suppliers must invest in new technologies and processes to meet the demands of UN R155 and R156, which can drive innovation in cybersecurity solutions and software update management, benefitting the entire industry.

Parkopedia’s Cybersecurity Standards - Peace of mind for Automakers

While connected car services can complicate the process of ensuring sufficient cybersecurity, not all services fall under the latest UN cybersecurity regulations that focus on security issues, specifically between the vehicle and company back-end systems. At Parkopedia, our services communicate back-end to back-end, minimising security risks and eliminating the need for complex additional work to comply with UN R155/6 rules. Parkopedia designs its services to provide maximum value to end users and OEMs alike by simplifying the integration process and offering a ‘one-stop’ solution.

Cybersecurity is fundamental and of the utmost importance to all services that Parkopedia provides to the automotive industry. Our In-Car Payments service is a safe and frictionless solution, with full PCI-DSS payment data security compliance, enabling automakers to securely manage payment details while significantly reducing complexities and associated costs. The platform's payment routing capabilities also adhere to PSD2 (Europe) regulations and utilise Strong Customer Authentication (SCA) during sign-up for seamless and secure payment transactions for drivers. We hold TISAX and ISO 27001 certifications, with the latter certified by a UKAS-accredited Certification Body. Parkopedia continually works on implementing the latest cybersecurity measures to ensure maximum safety in the future.

Enhancing Value for Drivers and Automakers

Parkopedia's In-Car Payments service consolidates multiple suppliers and payment providers into a single API, which is critical for ensuring a premium connected services user experience within a back-end to back-end format. Not only is this safe, but more importantly, it is unaffected by UN regulations. Furthermore, beyond the initial vehicle integration, minimal effort is required by automakers, as the global Parkopedia team manages ongoing updates and maintenance to ensure the platform remains an effective solution for OEMs, fulfilling the needs of their drivers.

Driving-related services, from parking information to reservations, in-car tolls, EV charging and fuel payments, are in high demand. Their popularity is likely to continue to grow as more connected vehicles populate roads. According to the TechInsights Connected Features Interest Report, parking availability information is the connected car feature drivers globally would be most likely to choose. Parkopedia combines these features into value-added convenience products that provide excellent usability with seamless functionality and simplified integration for car makers.

As the automotive industry continues to evolve, the importance of robust cybersecurity measures cannot be overstated. Parkopedia is committed to providing solutions that adhere to industry cybersecurity regulations, ensuring a safer and more efficient connected driving experience. By leveraging our advanced back-end infrastructure, we provide easy, hassle-free solutions that enable automakers to focus on what they do best: creating high-quality vehicles and driving experiences for their customers.