Cyber Security Regulation is Coming to Two-Wheelers
In January 2024, the UNECE’s Working Party on Automated/Autonomous and Connected Vehicles decided to extend its cyber security management regulation (aka UNR 155) to include motorcycles, scooters and electric bicycles with speed exceeding 25 km/h.
This decision is a shrill wake-up call for the motorcycle industry. Until now, cyber security was not something motorcycle OEMs have had to worry about.
But that’s about to change – and two-wheeler manufacturers need to saddle up.
So what’s behind this decision and why is cyber security becoming essential for two-wheelers? What are the risks involved? And what are the business implications of UNR 155 compliance for motorcycle OEMs?
This post shares our insights into the basics of automotive cyber security and UNR 155 compliance, as well as valuable lessons learned from vehicle manufacturers for navigating the compliance journey.
Why Do Vehicles Need Cyber Security?
Cyber security in the automotive industry has only been implemented in the last couple of years, but today it’s become a household term for just about every vehicle manufacturer and tier-1 supplier.
The reason for this is that tens of millions of cars on the road today are software-defined vehicles (SDVs) with cloud connectivity. Similar to any other connected device, SDVs are exposed to cyber security risk from software vulnerabilities and hacking attempts. This was clearly demonstrated in a recent hacker competition, where dozens of software vulnerabilities were discovered in vehicle charging systems, in-car entertainment technology and modem subsystems from major automotive suppliers.
Unlike a cyber-attack on your IT network, a cyber-attack on your vehicle can have life-threatening consequences. By exploiting specific vulnerabilities, bad actors can potentially compromise safety-critical systems (e.g., braking) or even start and control a car from a remote location.
In addition to safety concerns, vehicle cyber-attacks can also compromise personal data. While the data generated and collected by SDVs helps automakers improve vehicle operations and personalize the driver experience, it also introduces serious data privacy concerns. Research by Mozilla stated that modern cars are “the worst product category we have ever reviewed for privacy,” due to poor data protection practices by OEMs.
With the introduction of telematics, adaptive cruise control and advanced connectivity in today’s motorcycles, concerns about potential cyber risks for two-wheelers are also increasing.
Understanding the Regulatory Landscape
New automotive cyber security regulations and standards have emerged in recent years as a response to the growing risk of cyber-attacks against connected vehicles. Global directives like UNR 155 and ISO/SAE 21434 already have a major impact on the way OEMs and their suppliers develop and manage their products.
ISO 21434 is an international standard for road vehicle cyber security engineering. This standard provides guidelines for managing cybersecurity risks across the entire vehicle lifecycle – from concept and design to production, operation, maintenance, and decommissioning.
UNR 155 requires that all OEMs implement a risk-based management framework (aka Cyber Security Management System or CSMS) for detecting and protecting against cyber threats throughout the vehicle life cycle. Mandatory for passenger cars, trucks and buses in UNECE member states – including EU countries, Japan, Korea and others – UNR 155 provides an international framework for the type approval of road vehicles with regard to cyber security.
UNR 155 comprises two main pillars:
- CSMS – CSMS is a systematic risk-based approach defining organizational processes, responsibilities and governance to mitigate cyber threats and protect vehicles from cyber attacks. Detailed specifications for the CSMS are provided in the UNR 155 documentation. UNR 155 specifies the processes that need to be implemented during the development, production and post-production phases, but does not stipulate specific tools or products to be used to execute such processes.
- Type Approval Certification – UNR 155 established a new landscape of organizational and technical requirements for vehicle OEMs to fulfill for vehicle type approval. The regulation set two milestones for type approval certification. In July 2022, it became mandatory for all new vehicles to receive a CSMS certificate of compliance (CoC) in order to receive type approval. The second milestone, set for July 2024, extends this requirement to all new vehicles on the road (both previously approved types and new types) in UNECE member states. The CoC is granted following a rigorous audit process carried out by an authorized type approval authority.
UNR 155 compliance has triggered intensive activity across the automotive value chain. Since OEMs must now demonstrate compliance in order to achieve type approval, they are demanding that their suppliers also bake cyber resilience into their product design, development, operation and maintenance processes.
Implications of Regulatory Compliance for Motorcycle OEMs
Based on what we’ve learned from four-wheeler manufacturers that have implemented compliance projects, it’s important for motorcycle OEMs to understand the potential implications of the new regulation on their business and product development.
Establishing a CSMS and achieving regulatory compliance for motorcycle type approval is a complex effort, requiring automotive cyber security knowledge, skilled resources and purpose-built tools. Not only that, it’s critical to evaluate the efforts needed to retrofit cyber security onto existing models.
As a recent example of the potential impact of cyber security regulation, Porsche announced that its best-selling ICE-powered Macan SUV will be discontinued from markets within the European Union in spring of 2024 due to cybersecurity regulations. Porsche explained that the updates required for the SUV to comply with the new rules were deemed excessively complex and costly. This is just the latest in a series of similar announcements from OEMs regarding other vehicles, including VW and Audi models.
Bottom Line
The extension of UNR 155 to motorcycles (vehicle category L) is scheduled for formal adoption in June 2024.
Now’s the time for motorcycle and scooter OEMs that sell in UNECE member states to start thinking about cyber security and initiate robust planning for the upcoming regulatory requirements.
Cyber security for two-wheelers has arrived – and the sooner the industry starts to prepare, the better.
Need help navigating the cyber security compliance maze? Contact the Argus Services team to get you started with gap analysis, CSMS and Motorcycle Type Approval.
