Starting July 6th, new cars that do not comply with UNECE regulations R155 and R156 cannot be sold. But let’s take a closer look at these regulations and see if Santa will be able to bring me that V10 I wanted for Christmas... or not.

Regulation R155 is part of a legislative package promoted by the UN, designed to protect vehicles against potential cyberattacks. It ensures efficient management of incidents and vulnerabilities throughout the life of the vehicle. This means we’ll still receive software updates, even after 2 or 3 years, regardless of whether a new version of our model is released, unlike the current situation.

Regulation R156, meanwhile, establishes the requirements to ensure that software or firmware updates are carried out securely. This means preventing cybercriminals from intercepting and modifying the software package before it reaches the vehicle, ensuring the software code is secure and properly audited, and making sure that the new update does not introduce new risks or vulnerabilities.

OK, that’s all fine and good... but what about that 2015 560 hp V10 I asked Santa to bring me for Christmas, seeing as I plan to be very good this year?

The regulations only apply to vehicles certified after July of 2022, and models manufactured after the 6^th of July of 2024. At GMV, we have been working along these lines with a well-known bus manufacturer that has certified four new models. For these, we conducted various activities, such as a detailed threat assessment and remediation analysis (TARA) and a specific pentest to ensure that the threats identified in the TARA were properly addressed. In short, a cybercriminal couldn't board the bus at the Plaza de Castilla stop in Madrid, sit in the back row with a hoodie, and carry out a denial-of-service attack on the entire bus, making us late to the office or cranking up the heating so we’d sweat buckets.

So, I can ask Santa for that 2015 V10... but the environmental regulations in my city probably won’t let me drive it.

Not all countries have universally adopted these regulations as mandatory. For instance, Japan and South Korea have embraced without any problem, extending them beyond European countries. However, the United States aligns more closely with guidelines and standards established by national and international bodies, such as ISO/SAE 21434. Ultimately, ISO/SAE 21434 provides a detailed framework for managing cybersecurity throughout the life of the vehicle—from design and development through production, maintenance, and decommissioning at the end of its service life. 

The truth is that it’s a very intriguing standard. Unlike its counterparts R155 and R156, it is not inherently mandatory. Instead, it’s a voluntary international standard developed by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). However, its adoption may become mandatory or necessary indirectly through regulations (for example, when exporting vehicles to Europe), market requirements, or specific contracts within the automotive industry.

It is also worth noting that GMV has been at the forefront of training on all these standards and regulations. Currently, we have a robust team capable of guiding manufacturers through the entire validation process of new vehicles. We can review the manufacturer-provided TARA and conduct all necessary intrusion tests to validate identified threats. Often, we uncover new vulnerabilities that were previously unidentified by the manufacturer. This part’s the most fun.

It goes without saying that the 2015 V10 I mentioned earlier has loads of vulnerabilities in its in-vehicle network that were never patched... but given that vehicles in 2015 weren’t connected to the outside world, the most effective protection we can apply is simply not giving anyone the keys.

Author: Carlos Sahuquillo