Understanding WP.29 and R155 For Vehicle Cybersecurity
The World Forum for the Harmonization of Vehicle Regulations, commonly known as WP.29, is a unique worldwide regulatory forum within the institutional framework of the United Nations. Established in 1952, WP.29 plays a crucial role in creating a unified set of performance-based regulations for vehicles to ensure their safety, environmental efficiency, energy efficiency, and recently vehicle cybersecurity.
WP.29, through its specialized working groups, develops regulations applicable to all types of wheeled vehicles, systems, components, and equipment, including cars, trucks, buses, and two- or three-wheeled vehicles. It’s important to note that these regulations aren’t mandatory in nature but serve as robust recommendations. Countries participating in the agreement are free to adopt these regulations according to their national rules.
An essential function of WP.29 is the “1958 Agreement” – a framework for the mutual recognition of homologation (certification) of vehicles among the signatory countries. It means a vehicle type approved in one participating country can be sold in all other participating countries without the need for further testing. This approach reduces the burden of manufacturers significantly, providing an impetus to cross-border trade and harmonization of safety and performance standards globally.
UN Regulation No. 155 on Cyber Security and Cyber Security Management Systems
One of the more recent and impactful roles of WP.29 has been in the realm of cybersecurity and software updates for vehicles. In response to the rapid digitization of automotive technology and the consequent rise of cyber threats, WP.29 developed two groundbreaking regulations: UN Regulation No. 155 on Cybersecurity and UN Regulation No. 156 on Software Updates.
R155
UN R155 requires vehicle manufacturers to establish and maintain a Cybersecurity Management System (CSMS), ensure their vehicles are protected against cyber attacks, and document any efforts taken to identify and mitigate vulnerabilities. UN R155 covers the full lifecycle of the vehicle including the development phase, production phase, and post-production phase. Manufacturers must also provide evidence of the robustness of their cybersecurity defenses, including providing third-party audits.
According to the UNECE the following countries and regions have announced that they would implement UN R155 and make it compulsory1:
Japan
Japan indicated that it transposed the Regulation in January 2021 and that it will become mandatory for new vehicle types from July 2022 (if no OTA functionality, January 2024) and for new vehicles produced from July 2024 (if no OTA functionality, May 2026) 1.
South Korea
South Korea announced that the Ministry of Land, Infrastructure and Transport plans to implement it by 20221.
EU
In the European Union, the regulation will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 20241.
While today, the framework applies to all 54 member countries, it is not yet compulsory across all 54 countries. However, some countries may require OEMs to adopt the regulatory standards of UN R155 and WP.29 to produce or sell their vehicles in those markets.
Adopting these regulations can help countries, especially those without extensive regulatory structures, to quickly address cybersecurity threats related to connected and automated vehicles. These regulations, built around the principles of the ISO/SAE 21434 standard, have set a new precedent for ensuring the cybersecurity of vehicles globally.
Fleet Defender & UN R155 Compliance
UN R155 calls for specific processes within the CSMS to ensure security is adequately considered. This includes monitoring, detection and response to cyber attacks, threats , and vulnerabilities of a vehicle (7.2.2.2 (g)). UN R155 calls out specifically that vehicle manufacturers shall implement detection and monitoring systems on vehicles (7.3.7). Fleet Defender offers intrusion detection, monitoring, and alerts for cyber threats against vehicles through aftermarket hardware and OEM ready software solutions. Fleet Defender partners with fleets and OEMs to support UN R155 compliance and provide on-board, real-time intrusion detection.
Contact us today to learn more about how Fleet Defender’s on-board system helps fleets operate their platforms anytime, anywhere without fear of compromise.