UN R155/156: Challenges for Automotive Cybersecurity 

Author -

Dr. Miao Zhang, Dr. Matthias Rehberger

Cybersecurity Risks for Modern Vehicles 

Modern vehicles may contain up to 150 connected electronic control units (ECUs) and 100 million lines of software code [1]; this growing complexity and connectivity pose significantly increasing cybersecurity risks. To motivate our point, we briefly discuss a real-world example (see Figure 1) in which attackers exploited vulnerabilities within a vehicle to steal it. The attack was analyzed by Dr. Ken Tindell in a technical blog [2]. He explained how the attacker used a Controller Area Network (CAN) injector, disguised as a JBL Bluetooth speaker, to steal the vehicle by performing a CAN injection attack through the headlight. The attacker connected the CAN injector to the headlight wiring and injected fake ‘key validated’ CAN messages, mimicking genuine messages from the smart key receiver. This fake message was then forwarded to the engine control unit to deactivate the immobilizer, after which a fake message was sent to the door ECU to unlock the doors. In less than two minutes, the car was stolen. The attack succeeded because of, among other things, the lack of suitable authentication controls.

Figure 1: Example of Cybersecurity Attacks – CAN Injection through Headlight [2]
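
The kind of authentication control whose absence is noted above, sketched as an added example (not from the original article, the cited blog, or any vehicle's implementation): the receiving ECU accepts a ‘key validated’ frame only if it carries a valid truncated MAC and a fresh counter. The CAN ID, the key, the 8-byte frame layout and the use of HMAC-SHA-256 are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY_VALIDATED_ID = 0x2A0  # constructed CAN ID, not taken from any real vehicle
MAC_LEN = 4               # truncated tag so the frame fits 8 data bytes

def _tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    # The MAC covers the CAN ID, the freshness counter and the payload.
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: payload(1) | counter(3) | tag(4) = 8 data bytes."""
    return payload + counter.to_bytes(3, "big") + _tag(key, can_id, counter, payload)

class Receiver:
    """Receiving ECU: accepts a frame only if the tag verifies and the counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, can_id: int, data: bytes) -> bool:
        if len(data) != 8:
            return False
        payload, counter, tag = data[:1], int.from_bytes(data[1:4], "big"), data[4:]
        expected = _tag(self.key, can_id, counter, payload)
        if not hmac.compare_digest(tag, expected):
            return False  # sender does not hold the shared key
        if counter <= self.last_counter:
            return False  # replay of a frame that was already accepted
        self.last_counter = counter
        return True

def demo() -> dict:
    key = bytes(range(16))  # constructed demo key
    ecu = Receiver(key)
    genuine = build_frame(key, KEY_VALIDATED_ID, 1, b"\x01")
    injected = b"\x01" + (2).to_bytes(3, "big") + b"\x00" * 4  # sender without the key
    return {
        "genuine": ecu.accept(KEY_VALIDATED_ID, genuine),
        "injected": ecu.accept(KEY_VALIDATED_ID, injected),
        "replayed": ecu.accept(KEY_VALIDATED_ID, genuine),
    }

if __name__ == "__main__":
    print(demo())
```
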

Automotive Cybersecurity UN Regulation No.155/ No.156

Driven by the dramatically increasing cyber threats, the World Forum for Harmonization of Vehicle Regulations (WP.29), a Working Party within the United Nations Economic Commission for Europe (UNECE), released Regulation No.155 (UN R155) [3] and Regulation No.156 (UN R156) [4] in 2021. The goal of WP.29 is to develop worldwide harmonized vehicle regulations, mainly aiming at improving vehicle safety, environmental protection, energy efficiency, anti-theft performance and security. UN R155 contains the uniform provisions concerning the approval of vehicles with regard to cybersecurity and the cybersecurity management system (CSMS), whereas UN R156 contains those with regard to software updates and the software update management system (SUMS).

Both regulations (UN R155 and UN R156) entered into force on 22 January 2021. More specifically, in the applying countries the regulations are mandatory for all new vehicle types from July 2022 and for all new vehicles from July 2024. This means that both Original Equipment Manufacturers (OEMs) and suppliers shall adhere to the requirements of these regulations from July 2024.

Applying Countries and Scope

UN R155/R156 apply to countries participating in the WP.29 1958 Agreement. As shown in Figure 2, the contracting parties to the 1958 Agreement mainly include European Union countries, Japan, South Korea, and Australia [5]. The regulations are legally binding: vehicle manufacturers selling vehicles in these countries must comply with the requirements in the regulations for their vehicles to be type approved.

Figure 2: Countries Participating in the WP.29 1958 Agreement [6]

The UN R155 applies to vehicles within the following categories:

  • Category M: passenger vehicles and buses
  • Category N: light and heavy-duty trucks
  • Category O, if fitted with at least one electronic control unit: trailers
  • Categories L6 and L7, if equipped with automated driving functionalities beyond level 3: light and heavy quadricycles
  • Recently, it has also been decided to extend the scope of R155 to all L Categories, including motorcycles, scooters and electric bicycles.

The UN R156 applies to vehicles within the following categories which permit software updates:

  • Categories M, N, O: see explanations above
  • Categories R, S and T: agricultural vehicles

What Are the Primary Requirements?

The primary requirements of the two regulations are listed in Paragraph 7 (named specifications) [3] [4] and consist of two parts: 1) requirements for the CSMS in R155 (for the SUMS in R156), where the vehicle manufacturer shall demonstrate the organizational structure, roles/responsibilities, processes and security governance, and 2) requirements for vehicle types.

R155 – Selected CSMS and vehicle type requirements:

  • The vehicle manufacturer is required to have a CSMS in place. The CSMS includes at least processes for cybersecurity management in the organization, risk assessment and treatment, verification and validation of security features, and incident monitoring and response.
  • The CSMS shall apply to the vehicle lifecycle including development, production and post-production phase.
  • The vehicle manufacturer shall have a valid Certificate of Compliance for the CSMS relevant to the vehicle type being approved.
  • The vehicle manufacturer shall identify and manage, for the vehicle type being approved, supplier-related risks.
  • The vehicle manufacturer shall perform an exhaustive risk assessment for the vehicle type and shall treat/manage the identified risks appropriately.
  • The vehicle manufacturer shall perform appropriate and sufficient testing to verify the effectiveness of the implemented security measures.

R156 – Selected SUMS and vehicle type requirements:

  • The SUMS shall be in place and shall mainly include processes for software version and configuration control, for assessing and identifying the impact of a software update, for ensuring safety, and for informing the user.
  • Documentation for software update processes, configuration and all software updates shall be recorded and stored.
  • The security of the software update shall be demonstrated.
  • The vehicle manufacturer shall demonstrate the processes to ensure vehicle safety during software update if conducted during driving (additional requirements for software updates over the air).
  • The authenticity and integrity of software updates shall be protected to ensure only valid software updates are downloaded and executed.
  • For over-the-air updates, the vehicle shall be able to restore the system to the previous version or to put it into a safe state if an update fails.

Cybersecurity Challenges

The introduction of R155 and R156 requirements brings several challenges from both technical and organizational perspective.

From a technical perspective, the challenges include:

  • Cyber-attack surfaces grow significantly, and new cyber threats emerge, along with the increasing number of electrical components and communication interfaces implemented in modern vehicles.
  • Highly skilled cybersecurity personnel are required at every stage of the vehicle development. This is because security shall be considered as a major system design factor, incorporating a secure-by-design and holistic approach. Specifically, security shall be considered from day one, starting at the concept phase, where threat scenarios shall be identified and addressed with suitable cybersecurity controls. These controls shall be then implemented as hardware or software solutions. Finally, these controls shall be rigorously verified and validated through suitable testing approaches.
  • Security does not end at the production phase. It continues with several crucial activities, including continuous monitoring and the implementation of security policies and measures for the decommissioning of the vehicle.

From an organizational perspective, the challenges include:

  • All OEMs selling vehicles in the applying countries of the two regulations are obliged to have a CSMS in place and to apply it to the entire vehicle lifecycle. Different parties are involved in the CSMS processes, from management, quality control, engineering, IT and production to the dealer shop.
  • Although the regulations are not addressed directly to suppliers, they require the vehicle manufacturer to take measures to collect and verify information throughout the supply chain. These requirements shall be managed through the contracts between OEMs and suppliers. Managing the distributed responsibilities is a challenge.
  • UN R155 does not define technical requirements; under its general requirements, each company might arrive at different interpretations and methods of application. ISO/SAE 21434 may be used as a framework for achieving the requirements of UN R155. Implementing the requirements outlined in ISO/SAE 21434 can be challenging, though, particularly because the standard often specifies what shall be accomplished (requirements) and delivered (work products) without providing detailed guidance on how to do so. For UN R156, ISO 24089 is the technical standard to refer to.

What Does the FEV.io Cybersecurity Team Offer?

Figure 3 illustrates the core cybersecurity competencies at FEV.io. Specifically, our cybersecurity team may support you with the following activities:

  • Cybersecurity management
  • Reviews, audits and assessments
  • Gap analysis, trainings, process development
  • Threat analyses and risk assessments
  • Security concepts & requirements
  • Security analyses
  • Security software development
  • Verification and validation
  • Vehicle penetration testing

Figure 3: FEV.io Core Competencies in Cybersecurity

References

[1] UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll out of connected vehicles | UNECE, last visited on 6 March 2026.

[2] CAN Injection: keyless car theft | Dr. Ken Tindell, last visited on 6 March 2026. 

[3] United Nations Economic Commission for Europe, “UN Regulation No. 155 – Cyber security and cyber security management”, https://unece.org/sites/default/files/2023-02/R155e%20%282%29.pdf, 4 March 2021. 

[4] United Nations Economic Commission for Europe, “UN Regulation No. 156 – Software update and software update management system”, https://unece.org/sites/default/files/2024-03/R156e%20%282%29.pdf, 4 March 2021. 

[5] United Nations Economic Commission for Europe, “Status of the Agreement, of the annexed Regulations and of the amendments thereto – Revision 32”, ECE-TRANS-WP.29-343-Rev.32.pdf (unece.org), 29 February 2024. 

[6] File:World Forum for Harmonization of Vehicle Regulations.svg – Wikimedia Commons, last visited on 6 March 2026. 

Contact

Interested in implementing UN R155/R156 requirements or improving your vehicle cybersecurity processes? Contact the FEV.io cybersecurity team to learn how we can support you. solutions@fev.io
