9.3.2021 |
EN |
Official Journal of the European Union |
L 82/30 |
Only the original UN/ECE texts have legal effect under international public law. The status and date of entry into force of this Regulation should be checked in the latest version of the UN/ECE status document TRANS/WP.29/343, available at:http://www.unece.org/trans/main/wp29/wp29wgs/wp29gen/wp29fdocstts.html
UN Regulation No 155 – Uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management system [2021/387]
Date of entry into force: 22 January 2021
This document is meant purely as documentation tool. The authentic and legally binding texts are:
— |
ECE/TRANS/WP.29/2020/79 |
— |
ECE/TRANS/WP.29/2020/94 and |
— |
ECE/TRANS/WP.29/2020/97 |
CONTENTS
REGULATION
1. |
Scope |
2. |
Definitions |
3. |
Application for approval |
4. |
Markings |
5. |
Approval |
6. |
Certificate of Compliance for Cybersecurity Management System |
7. |
Specifications |
8. |
Modification of vehicle type and extension of type approval |
9. |
Conformity of production |
10. |
Penalties for non-conformity of production |
11. |
Production definitively discontinued |
12. |
Names and addresses of Technical Services responsible for conducting approval test, and of Type Approval Authorities |
ANNEXES
1 |
Information document |
2 |
Communication |
3 |
Arrangement of approval mark |
4 |
Model of Certificate of Compliance for CSMS |
5 |
List of threats and corresponding mitigations |
1. SCOPE
1.1. |
This Regulation applies to vehicles, with regard to cybersecurity, of the Categories M and N.
This Regulation also applies to vehicles of Category O if fitted with at least one electronic control unit. |
1.2. |
This Regulation also applies to vehicles of the Categories L6 and L7 if equipped with automated driving functionalities from level 3 onwards, as defined in the ‘Reference document with definitions of Automated Driving under WP.29 and the General Principles for developing a UN Regulation on automated vehicles’ (ECE/TRANS/WP.29/1140). |
1.3. |
This Regulation is without prejudice to other UN Regulations, regional or national legislations governing the access by authorized parties to the vehicle, its data, functions and resources, and conditions of such access. It is also without prejudice to the application of national and regional legislation on privacy and the protection of natural persons with regard to the processing of their personal data. |
1.4. |
This Regulation is without prejudice to other UN Regulations, national or regional legislation governing the development and installation/system integration of replacement parts and components, physical and digital, with regards to cybersecurity. |
2. DEFINITIONS
For the purpose of this Regulation the following definitions shall apply:
2.1. |
‘Vehicle type’ means vehicles which do not differ in at least the following essential respects:
|
2.2. |
‘Cybersecurity’ means the condition in which road vehicles and their functions are protected from cyber threats to electrical or electronic components. |
2.3. |
‘Cybersecurity Management System (CSMS)’ means a systematic risk-based approach defining organisational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks. |
2.4. |
‘System’ means a set of components and/or sub-systems that implements a function or functions. |
2.5. |
‘Development phase’ means the period before a vehicle type is type approved. |
2.6. |
‘Production phase’ refers to the duration of production of a vehicle type. |
2.7. |
‘Post-production phase’ refers to the period in which a vehicle type is no longer produced until the end-of-life of all vehicles under the vehicle type. Vehicles incorporating a specific vehicle type will be operational during this phase but will no longer be produced. The phase ends when there are no longer any operational vehicles of a specific vehicle type. |
2.8. |
‘Mitigation’ means a measure that is reducing risk. |
2.9. |
‘Risk’ means the potential that a given threat will exploit vulnerabilities of a vehicle and thereby cause harm to the organization or to an individual. |
2.10. |
‘Risk Assessment’ means the overall process of finding, recognizing and describing risks (risk identification), to comprehend the nature of risk and to determine the level of risk (risk analysis), and of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable (risk evaluation). |
2.11. |
‘Risk Management’ means coordinated activities to direct and control an organization with regard to risk. |
2.12. |
‘Threat’ means a potential cause of an unwanted incident, which may result in harm to a system, organization or individual. |
2.13. |
‘Vulnerability’ means a weakness of an asset or mitigation that can be exploited by one or more threats. |
3. APPLICATION FOR APPROVAL
3.1. |
The application for approval of a vehicle type with regard to cybersecurity shall be submitted by the vehicle manufacturer or by their duly accredited representative. |
3.2. |
It shall be accompanied by the undermentioned documents in triplicate, and by the following particulars: |
3.2.1. |
A description of the vehicle type with regard to the items specified in Annex 1 to this Regulation. |
3.2.2. |
In cases where information is shown to be covered by intellectual property rights or to constitute specific know-how of the manufacturer or of their suppliers, the manufacturer or their suppliers shall make available sufficient information to enable the checks referred to in this Regulation to be made properly. Such information shall be treated on a confidential basis. |
3.2.3. |
The Certificate of Compliance for CSMS according to paragraph 6 of this Regulation. |
3.3. |
Documentation shall be made available in two parts:
|
4. MARKING
4.1. |
There shall be affixed, conspicuously and in a readily accessible place specified on the approval form, to every vehicle conforming to a vehicle type approved under this Regulation an international approval mark consisting of: |
4.1.1. |
A circle surrounding the Letter ‘E’ followed by the distinguishing number of the country which has granted approval. |
4.1.2. |
The number of this Regulation, followed by the letter ‘R’, a dash and the approval number to the right of the circle described in paragraph 4.1.1 above. |
4.2. |
If the vehicle conforms to a vehicle type approved under one or more other Regulations annexed to the Agreement in the country which has granted approval under this Regulation, the symbol prescribed in paragraph 4.1.1 above need not be repeated; in this case the Regulation and approval numbers and the additional symbols of all the Regulations under which approval has been granted in the country which has granted approval under this Regulation shall be placed in vertical columns to the right of the symbol prescribed in paragraph 4.1.1 above. |
4.3. |
The approval mark shall be clearly legible and shall be indelible. |
4.4. |
The approval mark shall be placed on or close to the vehicle data plate affixed by the Manufacturer. |
4.5. |
Annex 3 to this Regulation gives examples of the arrangements of the approval mark. |
5. APPROVAL
5.1. |
Approval Authorities shall grant, as appropriate, type approval with regard to cybersecurity, only to such vehicle types that satisfy the requirements of this Regulation. |
5.1.1. |
The Approval Authority or the Technical Service shall verify by means of document checks that the vehicle manufacturer has taken the necessary measures relevant for the vehicle type to:
|
5.1.2. |
The Approval Authority or the Technical Service shall verify by testing of a vehicle of the vehicle type that the vehicle manufacturer has implemented the cybersecurity measures they have documented. Tests shall be performed by the Approval Authority or the Technical Service itself or in collaboration with the vehicle manufacturer by sampling. Sampling shall be focused but not limited to risks that are assessed as high during the risk assessment. |
5.1.3. |
The Approval Authority or Technical Service shall refuse to grant the type approval with regard to cybersecurity where the vehicle manufacturer has not fulfilled one or more of the requirements referred to in paragraph 7.3, notably:
|
5.1.4. |
The assessing Approval Authority shall also refuse to grant the type approval with regard to cybersecurity where the Approval Authority or Technical Service has not received sufficient information from the vehicle manufacturer to assess the cybersecurity of the vehicle type. |
5.2. |
Notice of approval or of extension or refusal of approval of a vehicle type pursuant to this Regulation shall be communicated to the Parties to the 1958 Agreement which apply this Regulation, by means of a form conforming to the model in Annex 2 to this Regulation. |
5.3. |
Approval Authorities shall not grant any type approval without verifying that the manufacturer has put in place satisfactory arrangements and procedures to manage properly the cybersecurity aspects as covered by this Regulation. |
5.3.1. |
The Approval Authority and its Technical Services shall ensure, in addition to the criteria laid down in Schedule 2 of the 1958 Agreement that they have:
|
5.3.2. |
Each Contracting Party applying this Regulation shall notify and inform by its Approval Authority other Approval Authorities of the Contracting Parties applying this UN Regulation about the method and criteria taken as a basis by the notifying Authority to assess the appropriateness of the measures taken in accordance with this regulation and in particular with paragraphs 5.1, 7.2 and 7.3.
This information shall be shared (a) only before granting an approval according to this Regulation for the first time; and (b) each time the method or criteria for assessment is updated. This information is intended to be shared for the purposes of collection and analysis of the best practices and in view of ensuring the convergent application of this Regulation by all Approval Authorities applying this Regulation. |
5.3.3. |
The information referred to in paragraph 5.3.2 shall be uploaded in English language to the secure internet database ‘DETA’ (2), established by the United Nations Economic Commission for Europe, in due time and no later than 14 days before an approval is granted for the first time under the methods and criteria of assessment concerned. The information shall be sufficient to understand what minimum performance levels the Approval Authority adopted for each specific requirement referred to in paragraph 5.3.2 as well as the processes and measures it applies to verify that these minimum performance levels are met (3). |
5.3.4. |
Approval Authorities receiving the information referred to in paragraph 5.3.2 may submit comments to the notifying Approval Authority by uploading them to DETA within 14 days after the day of notification. |
5.3.5. |
If it is not possible for the granting Approval Authority to take into account the comments received in accordance with paragraph 5.3.4, the Approval Authorities having sent comments and the granting Approval Authority shall seek further clarification in accordance with Schedule 6 to the 1958 Agreement. The relevant subsidiary Working Party (4) of the World Forum for Harmonization of Vehicle Regulations (WP.29) for this Regulation shall agree on a common interpretation of methods and criteria of assessment (5). That common interpretation shall be implemented and all Approval Authorities shall issue type approvals under this Regulation accordingly. |
5.3.6. |
Each Approval Authority granting a type approval pursuant to this Regulation shall notify other Approval Authorities of the approval granted. The type approval together with the supplementing documentation shall be uploaded in English language by the Approval Authority within 14 days after the day of granting the approval to DETA (6). |
5.3.7. |
The Contracting Parties may study the approvals granted based on the information uploaded according to paragraph 5.3.6. In case of any diverging views between Contracting Parties this shall be settled in accordance with Article 10 and Schedule 6 of the 1958 Agreement. The Contracting Parties shall also inform the relevant subsidiary Working Party of the World Forum for Harmonization of Vehicle Regulations (WP.29) of the diverging interpretations within the meaning of Schedule 6 to the 1958 Agreement. The relevant Working Party shall support the settlement of the diverging views and may consult with WP.29 on this if needed. |
5.4. |
For the purpose of paragraph 7.2 of this Regulation, the manufacturer shall ensure that the cybersecurity aspects covered by this Regulation are implemented. |
6. CERTIFICATE OF COMPLIANCE FOR CYBERSECURITY MANAGEMENT SYSTEM
6.1. |
Contracting Parties shall appoint an Approval Authority to carry out the assessment of the manufacturer and to issue a Certificate of Compliance for CSMS. |
6.2. |
An application for a Certificate of Compliance for Cybersecurity Management System shall be submitted by the vehicle manufacturer or by their duly accredited representative. |
6.3. |
It shall be accompanied by the undermentioned documents in triplicate, and by the following particular: |
6.3.1. |
Documents describing the Cybersecurity Management System. |
6.3.2. |
A signed declaration using the model as defined in Appendix 1 to Annex 1. |
6.4. |
In the context of the assessment, the manufacturer shall declare using the model as defined in Appendix 1 to Annex 1 and demonstrate to the satisfaction of the Approval Authority or its Technical Service that they have the necessary processes to comply with all the requirements for cybersecurity according to this Regulation. |
6.5. |
When this assessment has been satisfactorily completed and in receipt of a signed declaration from the manufacturer according to the model as defined in Appendix 1 to Annex 1, a certificate named Certificate of Compliance for CSMS as described in Annex 4 to this Regulation (hereinafter the Certificate of Compliance for CSMS) shall be granted to the manufacturer. |
6.6. |
The Approval Authority or its Technical Service shall use the model set out in Annex 4 to this Regulation for the Certificate of Compliance for CSMS. |
6.7. |
The Certificate of Compliance for CSMS shall remain valid for a maximum of three years from the date of deliverance of the certificate unless it is withdrawn. |
6.8. |
The Approval Authority which has granted the Certificate of Compliance for CSMS may at any time verify that the requirements for it continue to be met. The Approval Authority shall withdraw the Certificate of Compliance for CSMS if the requirements laid down in this Regulation are no longer met. |
6.9. |
The manufacturer shall inform the Approval Authority or its Technical Service of any change that will affect the relevance of the Certificate of Compliance for CSMS. After consultation with the manufacturer, the Approval Authority or its Technical Service shall decide whether new checks are necessary. |
6.10. |
In due time, permitting the Approval Authority to complete its assessment before the end of the period of validity of the Certificate of Compliance for CSMS, the manufacturer shall apply for a new or for the extension of the existing Certificate of Compliance for CSMS. The Approval Authority shall, subject to a positive assessment, issue a new Certificate of Compliance for CSMS or extend its validity for a further period of three years. The Approval Authority shall verify that the CSMS continue to comply with the requirements of this Regulation. The Approval Authority shall issue a new certificate in cases where changes have been brought to the attention of the Approval Authority or its Technical Service and the changes have been positively re-assessed. |
6.11. |
The expiry or withdrawal of the manufacturer’s Certificate of Compliance for CSMS shall be considered, with regard to the vehicle types to which the CSMS concerned was relevant, as modification of approval, as referred to in paragraph 8, which may include the withdrawal of the approval if the conditions for granting the approval are not met anymore. |
7. SPECIFICATIONS
7.1. |
General specifications |
7.1.1. |
The requirements of this Regulation shall not restrict provisions or requirements of other UN Regulations. |
7.2. |
Requirements for the Cybersecurity Management System |
7.2.1. |
For the assessment the Approval Authority or its Technical Service shall verify that the vehicle manufacturer has a Cybersecurity Management System in place and shall verify its compliance with this Regulation. |
7.2.2. |
The Cybersecurity Management System shall cover the following aspects: |
7.2.2.1. |
The vehicle manufacturer shall demonstrate to an Approval Authority or Technical Service that their Cybersecurity Management System applies to the following phases:
|
7.2.2.2. |
The vehicle manufacturer shall demonstrate that the processes used within their Cybersecurity Management System ensure security is adequately considered, including risks and mitigations listed in Annex 5. This shall include:
|
7.2.2.3. |
The vehicle manufacturer shall demonstrate that the processes used within their Cybersecurity Management System will ensure that, based on categorization referred to in paragraph 7.2.2.2(c) and 7.2.2.2(g), cyber threats and vulnerabilities which require a response from the vehicle manufacturer shall be mitigated within a reasonable timeframe. |
7.2.2.4. |
The vehicle manufacturer shall demonstrate that the processes used within their Cybersecurity Management System will ensure that the monitoring referred to in paragraph 7.2.2.2(g) shall be continual. This shall:
|
7.2.2.5. |
The vehicle manufacturer shall be required to demonstrate how their Cybersecurity Management System will manage dependencies that may exist with contracted suppliers, service providers or manufacturer’s sub-organizations in regards of the requirements of paragraph 7.2.2.2. |
7.3. |
Requirements for vehicle types |
7.3.1. |
The manufacturer shall have a valid Certificate of Compliance for the Cybersecurity Management System relevant to the vehicle type being approved.
However, for type approvals prior to 1 July 2024, if the vehicle manufacturer can demonstrate that the vehicle type could not be developed in compliance with the CSMS, then the vehicle manufacturer shall demonstrate that cybersecurity was adequately considered during the development phase of the vehicle type concerned. |
7.3.2. |
The vehicle manufacturer shall identify and manage, for the vehicle type being approved, supplier-related risks. |
7.3.3. |
The vehicle manufacturer shall identify the critical elements of the vehicle type and perform an exhaustive risk assessment for the vehicle type and shall treat/manage the identified risks appropriately. The risk assessment shall consider the individual elements of the vehicle type and their interactions. The risk assessment shall further consider interactions with any external systems. While assessing the risks, the vehicle manufacturer shall consider the risks related to all the threats referred to in Annex 5, Part A, as well as any other relevant risk. |
7.3.4. |
The vehicle manufacturer shall protect the vehicle type against risks identified in the vehicle manufacturer’s risk assessment. Proportionate mitigations shall be implemented to protect the vehicle type. The mitigations implemented shall include all mitigations referred to in Annex 5, Part B and C which are relevant for the risks identified. However, if a mitigation referred to in Annex 5, Part B or C, is not relevant or not sufficient for the risk identified, the vehicle manufacturer shall ensure that another appropriate mitigation is implemented.
In particular, for type approvals prior to 1 July 2024, the vehicle manufacturer shall ensure that another appropriate mitigation is implemented if a mitigation measure referred to in Annex 5, Part B or C is technically not feasible. The respective assessment of the technical feasibility shall be provided by the manufacturer to the approval authority. |
7.3.5. |
The vehicle manufacturer shall put in place appropriate and proportionate measures to secure dedicated environments on the vehicle type (if provided) for the storage and execution of aftermarket software, services, applications or data. |
7.3.6. |
The vehicle manufacturer shall perform, prior to type approval, appropriate and sufficient testing to verify the effectiveness of the security measures implemented. |
7.3.7. |
The vehicle manufacturer shall implement measures for the vehicle type to:
|
7.3.8. |
Cryptographic modules used for the purpose of this Regulation shall be in line with consensus standards. If the cryptographic modules used are not in line with consensus standards, then the vehicle manufacturer shall justify their use. |
7.4. |
Reporting provisions |
7.4.1. |
The vehicle manufacturer shall report at least once a year, or more frequently if relevant, to the Approval Authority or the Technical Service the outcome of their monitoring activities, as defined in paragraph 7.2.2.2(g), this shall include relevant information on new cyberattacks. The vehicle manufacturer shall also report and confirm to the Approval Authority or the Technical Service that the cybersecurity mitigations implemented for their vehicle types are still effective and any additional actions taken. |
7.4.2. |
The Approval Authority or the Technical Service shall verify the provided information and, if necessary, require the vehicle manufacturer to remedy any detected ineffectiveness.
If the reporting or response is not sufficient the Approval Authority may decide to withdraw the CSMS in compliance with paragraph 6.8. |
8. MODIFICATION OF VEHICLE TYPE AND EXTENSION OF TYPE APPROVAL
8.1. |
Every modification of the vehicle type which affects its technical performance with respect to cybersecurity and/or documentation required in this Regulation shall be notified to the approval authority which approved the vehicle type. The Approval Authority may then either: |
8.1.1. |
Consider that the modifications made still comply with the requirements and documentation of existing type approval; or |
8.1.2. |
Proceed to necessary complementary assessment pursuant to paragraph 5, and require, where relevant, a further test report from the Technical Service responsible for conducting the tests. |
8.1.3. |
Confirmation or extension or refusal of approval, specifying the alterations, shall be communicated by means of a communication form conforming to the model in Annex 2 to this Regulation. The Approval Authority issuing the extension of approval shall assign a series number for such an extension and inform there of the other Parties to the 1958 Agreement applying this Regulation by means of a communication form conforming to the model in Annex 2 to this Regulation. |
9. CONFORMITY OF PRODUCTION
9.1. |
The Conformity of Production Procedures shall comply with those set out in the 1958 Agreement, Schedule 1 (E/ECE/TRANS/505/Rev.3) with the following requirements: |
9.1.1. |
The holder of the approval shall ensure that results of the conformity of production tests are recorded and that the annexed documents remain available for a period determined in agreement with the Approval Authority or its Technical Service. This period shall not exceed 10 years counted from the time when production is definitively discontinued; |
9.1.2. |
The Approval Authority which has granted type approval may at any time verify the conformity control methods applied in each production facility. The normal frequency of these verifications shall be once every three years. |
10. PENALTIES FOR NON-CONFORMITY OF PRODUCTION
10.1. |
The approval granted in respect of a vehicle type pursuant to this Regulation may be withdrawn if the requirements laid down in this Regulation are not complied with or if sample vehicles fail to comply with the requirements of this Regulation. |
10.2. |
If an Approval Authority withdraws an approval it has previously granted, it shall forthwith so notify the Contracting Parties applying this Regulation, by means of a communication form conforming to the model in Annex 2 to this Regulation. |
11. PRODUCTION DEFINITIVELY DISCONTINUED
11.1. |
If the holder of the approval completely ceases to manufacture a type of vehicle approved in accordance with this Regulation, he shall so inform the authority which granted the approval. Upon receiving the relevant communication that authority shall inform thereof the other Contracting Parties to the Agreement applying this Regulation by means of a copy of the approval form bearing at the end, in large letters, the signed and dated annotation ‘PRODUCTION DISCONTINUED’. |
12. NAMES AND ADDRESSES OF TECHNICAL SERVICES RESPONSIBLE FOR CONDUCTING APPROVAL TEST, AND OF TYPE APPROVAL AUTHORITIES
12.1. |
The Contracting Parties to the Agreement which apply this Regulation shall communicate to the United Nations Secretariat the names and addresses of the Technical Services responsible for conducting approval tests and of the Type Approval Authorities which grant approval and to which forms certifying approval or extension or refusal or withdrawal of approval, issued in other countries, are to be sent. |
(1) E.g. ISO 26262-2018, ISO/PAS 21448, ISO/SAE 21434.
(2) https://www.unece.org/trans/main/wp29/datasharing.html
(3) Guidance for the detailed information (e.g. method, criteria, performance level) to be uploaded and the format shall be given in the interpretation document which is under preparation by the Task Force on Cybersecurity and Over-the-Air issues for the seventh session of GRVA.
(4) The Working Party on Automated/Autonomous and Connected Vehicles (GRVA).
(5) This interpretation shall be reflected in the interpretation document referred to in the footnote to paragraph 5.3.3.
(6) Further information on the minimum requirements for the documentation package will be developed by GRVA during its seventh session.
ANNEX 1
Information document
The following information, if applicable, shall be supplied in triplicate and include a list of contents. Any drawings shall be supplied in appropriate scale and in sufficient detail on size A4 or on a folder of A4 format. Photographs, if any, shall show sufficient detail.
1.
Make (trade name of manufacturer): …
2.
Type and general commercial description(s): …
3.
Means of identification of type, if marked on the vehicle: …
4.
Location of that marking: …
5.
Category(ies) of vehicle: …
6.
Name and address of manufacturer/manufacturer’s representative: …
7.
Name(s) and Address(es) of assembly plant(s): …
8.
Photograph(s) and/or drawing(s) of a representative vehicle: …
9.
Cybersecurity
9.1.
General construction characteristics of the vehicle type, including:
(a) |
The vehicle systems which are relevant to the cybersecurity of the vehicle type; |
(b) |
The components of those systems that are relevant to cybersecurity; |
(c) |
The interactions of those systems with other systems within the vehicle type and external interfaces. |
9.2.
Schematic representation of the vehicle type
9.3.
The number of the Certificate of Compliance for CSMS: …
9.4.
Documents for the vehicle type to be approved describing the outcome of its risk assessment and the identified risks: …
9.5.
Documents for the vehicle type to be approved describing the mitigations that have been implemented on the systems listed, or to the vehicle type, and how they address the stated risks: …
9.6.
Documents for the vehicle type to be approved describing protection of dedicated environments for aftermarket software, services, applications or data: …
9.7.
Documents for the vehicle type to be approved describing what tests have been used to verify the cybersecurity of the vehicle type and its systems and the outcome of those tests: …
9.8.
Description of the consideration of the supply chain with respect to cybersecurity: …
Appendix 1 to Annex 1
Model of Manufacturer’s Declaration of Compliance for CSMS
Manufacturer’s declaration of compliance with the requirements for the Cybersecurity Management System
Manufacturer Name: …
Manufacturer Address: …
………… (Manufacturer Name) attests that the necessary processes to comply with the requirements for the Cybersecurity Management System laid down in paragraph 7.2 of UN Regulation 155 are installed and will be maintained.
Done at: … (place)
Date: …
Name of the signatory: …
Function of the signatory: …
…
(Stamp and signature of the manufacturer’s representative)
ANNEX 2
Communication
(Maximum format: A4 (210 × 297 mm))
(1) |
Issued by: |
Name of administration: … … … |
Concerning (2): |
Approval granted Approval extended Approval withdrawn with effect from dd/mm/yyyy Approval refused Production definitively discontinued |
of a vehicle type, pursuant to UN Regulation No 155
Approval No: …
Extension No: …
Reason for extension: …
1.
Make (trade name of manufacturer): …
2.
Type and general commercial description(s) …
3.
Means of identification of type, if marked on the vehicle: …
3.1.
Location of that marking: …
4.
Category(ies) of vehicle: …
5.
Name and address of manufacturer / manufacturer’s representative: …
6.
Name(s) and Address(es) of the production plant(s) …
7.
Number of the certificate of compliance for cybersecurity management system: …
8.
Technical Service responsible for carrying out the tests: …
9.
Date of test report: …
10.
Number of test report: …
11.
Remarks: (if any). …
12.
Place: …
13.
Date: …
14.
Signature: …
15.
The index to the information package lodged with the Approval Authority, which may be obtained on request is attached:
(1) Distinguishing number of the country which has granted/extended/refused/withdrawn approval (see approval provisions in the Regulation).
(2) Strike out what does not apply.
ANNEX 3
Arrangement of approval mark
MODEL A
(See paragraph 4.2 of this Regulation)
a = 8 mm min.
The above approval mark affixed to a vehicle shows that the road vehicle type concerned has been approved in the Netherlands (E 4), pursuant to Regulation No 155, and under the approval number 001234. The first two digits of the approval number indicate that the approval was granted in accordance with the requirements of this Regulation in its original form (00).
ANNEX 4
Model of Certificate of Compliance for CSMS
Certificate of Compliance for Cybersecurity Management System
with UN Regulation No 155
Certificate Number [Reference number]
[……. Approval Authority]
Certifies that
Manufacturer: …
Address of the manufacturer: …
complies with the provisions of paragraph 7.2 of Regulation No 155
Checks have been performed on: …
by (name and address of the Approval Authority or Technical Service): …
Number of report: …
The certificate is valid until […………………………………………………Date]
Done at […………………………………………………Place]
On […………………………………………………Date]
[…………………………………………………Signature]
Attachments: description of the Cybersecurity Management System by the manufacturer.
ANNEX 5
List of threats and corresponding mitigations
1.
This annex consists of three parts. Part A of this annex describes the baseline for threats, vulnerabilities and attack methods. Part B of this annex describes mitigations to the threats which are intended for vehicle types. Part C describes mitigations to the threats which are intended for areas outside of vehicles, e.g. on IT back-ends.
2.
Part A, Part B, and Part C shall be considered for risk assessment and mitigations to be implemented by vehicle manufacturers.
3.
The high-level vulnerability and its corresponding examples have been indexed in Part A. The same indexing has been referenced in the tables in Parts B and C to link each of the attack/vulnerability with a list of corresponding mitigation measures.
4.
The threat analysis shall also consider possible attack impacts. These may help ascertain the severity of a risk and identify additional risks. Possible attack impacts may include:
(a) |
Safe operation of vehicle affected; |
(b) |
Vehicle functions stop working; |
(c) |
Software modified, performance altered; |
(d) |
Software altered but no operational effects; |
(e) |
Data integrity breach; |
(f) |
Data confidentiality breach; |
(g) |
Loss of data availability; |
(h) |
Other, including criminality. |
Part A. Vulnerability or attack method related to the threats
1. |
High-level descriptions of threats and relating vulnerability or attack method are listed in Table A1.
Table A1 List of vulnerability or attack method related to the threats
|
Part B. Mitigations to the threats intended for vehicles
1. |
Mitigations for ‘Vehicle communication channels’
Mitigations to the threats which are related to ‘Vehicle communication channels’ are listed in Table B1. Table B1 Mitigation to the threats which are related to ‘Vehicle communication channels’
|
2. |
Mitigations for ‘Update process’
Mitigations to the threats which are related to ‘Update process’ are listed in Table B2. Table B2 Mitigations to the threats which are related to ‘Update process’
|
3. |
Mitigations for ‘Unintended human actions facilitating a cyberattack’
Mitigations to the threats which are related to ‘Unintended human actions facilitating a cyberattack’ are listed in Table B3. Table B3 Mitigations to the threats which are related to ‘Unintended human actions facilitating a cyberattack’
|
4. |
Mitigations for ‘External connectivity and connections’
Mitigations to the threats which are related to ‘external connectivity and connections’ are listed in Table B4. Table B4 Mitigation to the threats which are related to ‘external connectivity and connections’
|
5. |
Mitigations for ‘Potential targets of, or motivations for, an attack’
Mitigations to the threats which are related to ‘Potential targets of, or motivations for, an attack’ are listed in Table B5. Table B5 Mitigations to the threats which are related to ‘Potential targets of, or motivations for, an attack’
|
6. |
Mitigations for ‘Potential vulnerabilities that could be exploited if not sufficiently protected or hardened’
Mitigations to the threats which are related to ‘Potential vulnerabilities that could be exploited if not sufficiently protected or hardened’ are listed in Table B6. Table B6 Mitigations to the threats which are related to ‘Potential vulnerabilities that could be exploited if not sufficiently protected or hardened’
|
7. |
Mitigations for ‘Data loss / data breach from vehicle’
Mitigations to the threats which are related to ‘Data loss / data breach from vehicle’ are listed in Table B7. Table B7 Mitigations to the threats which are related to ‘Data loss / data breach from vehicle’
|
8. |
Mitigations for ‘Physical manipulation of systems to enable an attack’
Mitigation to the threats which are related to ‘Physical manipulation of systems to enable an attack’ are listed in Table B8. Table B8 Mitigations to the threats which are related to ‘Physical manipulation of systems to enable an attack’
|
Part C. Mitigations to the threats outside of vehicles
1. |
Mitigations for ‘Back-end servers’
Mitigations to the threats which are related to ‘Back-end servers’ are listed in Table C1. |
Table C1
Mitigations to the threats which are related to ‘Back-end servers’
Table A1 reference |
Threats to ‘Back-end servers’ |
Ref |
Mitigation |
1.1 & 3.1 |
Abuse of privileges by staff (insider attack) |
M1 |
Security Controls are applied to back-end systems to minimise the risk of insider attack |
1.2 & 3.3 |
Unauthorised internet access to the server (enabled for example by backdoors, unpatched system software vulnerabilities, SQL attacks or other means) |
M2 |
Security Controls are applied to back-end systems to minimise unauthorised access. Example Security Controls can be found in OWASP |
1.3 & 3.4 |
Unauthorised physical access to the server (conducted by for example USB sticks or other media connecting to the server) |
M8 |
Through system design and access control it should not be possible for unauthorised personnel to access personal or system critical data |
2.1 |
Attack on back-end server stops it functioning, for example it prevents it from interacting with vehicles and providing services they rely on |
M3 |
Security Controls are applied to back-end systems. Where back-end servers are critical to the provision of services there are recovery measures in case of system outage. Example Security Controls can be found in OWASP |
3.2 |
Loss of information in the cloud. Sensitive data may be lost due to attacks or accidents when data is stored by third-party cloud service providers |
M4 |
Security Controls are applied to minimise risks associated with cloud computing. Example Security Controls can be found in OWASP and NCSC cloud computing guidance |
3.5 |
Information breach by unintended sharing of data (e.g. admin errors, storing data in servers in garages) |
M5 |
Security Controls are applied to back-end systems to prevent data breaches. Example Security Controls can be found in OWASP |
2. |
Mitigations for ‘Unintended human actions’
Mitigations to the threats which are related to ‘Unintended human actions’ are listed in Table C2. Table C2 Mitigations to the threats which are related to ‘Unintended human actions’
|
3. |
Mitigations for ‘Physical loss of data’
Mitigations to the threats which are related to ‘Physical loss of data’ are listed in Table C3. Table C3 Mitigations to the threats which are related to ‘Physical loss of data’
|