Connected Business Technology What do UNR 155 and ISO/SAE 21434 mean for OEMs? September 13th, 2023 When it comes to automotive cybersecurity, UNR 155 and ISO/SAE 21434 are the most comprehensive frameworks that have been developed so far. However, beyond the regulations and legal requirements themselves, what do UNR 155 and ISO/SAE 21434 mean for OEMs in a long-term perspective? How can OEMs spend their time and resources most wisely, and make sure that their cybersecurity work will yield the best possible results? What are UNR 155 and ISO/SAE 21434, and how have they come about? UNR 155 was passed by the United Nations in 2021, and later adopted by a great number of nations worldwide, including Japan, South Korea, the United Kingdom, and the European Union member states. This UN regulation stipulates that automakers need to ensure that their vehicles are manufactured and managed with cybersecurity in mind. Automotive cybersecurity must be an integral aspect of the entire vehicle lifecycle: from the initial business conception and throughout the vehicle’s many years of service. For many in the automotive industry, this has meant that they have had to evolve their cybersecurity practices very rapidly – in many cases more rapidly than they have been comfortable with. And so, partly due to the demands that UNR 155 places on the OEMs, the ISO (International Standards Organization) and SAE (Society of Automotive Engineers) came together to create a standard – ISO/SAE 21434 – on how to build a security management system through a cybersecurity by design approach. This standard applies to all the vehicle’s software, connections, and components. OEMs can certainly comply with UNR 155 without working extensively with ISO/SAE 21434. What the latter does, however, is facilitate the compliance process and make it more digestible. Moreover, ISO/SAE 21434 helps secure a development process where cybersecurity becomes a fully integrated part of the vehicle’s entire lifecycle. In a sense, automotive cybersecurity is simply catching up to things like emissions or general vehicle safety, and how they are approached by and regulated within the industry. How OEMs can overcome the challenges of new cybersecurity regulations and standards While all OEMs already work with a variety of safety aspects, cybersecurity – and the extent to which it now needs to be introduced and maintained – is a new endeavor for almost all of them. Many have begun to introduce it, but still have a lot of ground to cover in terms of both their knowledge and capability. In addition, no OEM has yet been through this process, meaning that there are no previous examples or benchmarks to work off of. Since the subject of automotive cybersecurity is relatively new, and the scope of it is huge, there is a lot of hesitation among OEMs on how to best spend their time and resources. Are they spending way too much of it, or not nearly enough? Similarly, are they investing wisely, or not focusing enough on what will be most beneficial to them and their customers? This is where WirelessCar’s long experience can make a concrete difference, on many levels. While UNR 155 and ISO/SAE 21434 are new to the entire automotive industry, the cybersecurity by design concept has long been a key component of the way we work. It is through collaboration that we are all able to learn more and develop faster. Crucially, it also allows OEMs to focus more on the service offers that set them apart from their competitors. How can WirelessCar support OEMs in their cybersecurity work? These are some of the areas where WirelessCar can support OEMs, both during their transition towards full cybersecurity implementation and as a long-term connected car service provider and partner. • Product/service cybersecurity by design WirelessCar’s solutions and offerings are all cybersecure by design. This is integral to how we work. • Frequent service releases that help ensure cybersecurity over time By frequently releasing service updates, we can make sure that all digital services remain cybersecure over time. At WirelessCar, we sometimes do several service releases per week, including patches and security updates. • Continuous cybersecurity risk monitoring and assessment We monitor and assess potential cybersecurity risks throughout the entire product/service development process and lifecycle. Your digital products and services need to be maintained and remain cybersecure throughout the entirety of your vehicles’ lifespans, thus over many years. • 20+ years of connected car service experience WirelessCar started out as a connected car service developer in 1999. We have had to learn, adapt and break new ground ever since, and it has made us highly attentive to the needs and challenges of the automotive industry, including in the field of cybersecurity. While no one can predict the future in detail, we have to build and prepare for the change to come. • Connected car services that fit OEMs’ make/buy strategies OEMs need to focus their time and resources on what they should do themselves, rather than what they are capable of doing. Some connected car services should be developed by the OEMs’ own organizations, but far from all. Regardless of what your make/buy strategy looks like, make sure you get the best results for your investments. As automotive cybersecurity evolves, so must OEMs In many ways, UNR 155 and ISO/SAE 21434 constitute more of a starting point rather than an end result. Automotive cybersecurity is here to stay, and will become stricter and more complex over time. That complexity will not only be technological in nature, but certainly legislative as well, as different countries and regions introduce different cybersecurity frameworks for their respective markets. As for drivers, they will expect your digital services to always be safe and convenient to use, and that their personal data will be protected at all times. Cybersecurity compliance is already highly intricate, and will only require greater commitment and a deeper understanding as the technology evolves. With that evolution comes new risks, but also new business opportunities. No matter how you look at it, prioritizing safety will be both necessary and beneficial for OEMs. They need to use the resources they have, yet also be willing to learn and adapt. That is what WirelessCar has done over the course of its history – comprehension, implementation, innovation – and we look forward to continuing to assist OEMs on the road ahead. Feel free to get in touch via the contact link below if you want to know more about WirelessCar’s work with cybersecurity. Make sure to also read our other articles on cybersecurity and data privacy here on the WirelessCar Insights blog! Zachary Garner Cybersecurity Compliance Lead Contact