Challenges and best practices in the OEM – Tier 1 information exchange while preparing for the UN R155 certification

by Gilad Bandel and Ruben Bokobza | August 29, 2022
  1. Why do car manufacturers (OEMs) need to interact with top tier suppliers (T1s) to obtain OEM UN R155 certification?
    1. The OEM needs to obtain a great deal of information from its Tier 1s as part of the certification process. Through this information, the certification authority verifies that the entire supply chain complies with the instructions stated in the regulation.
    2. This communication is bi-directional. The OEM needs to convey to its Tier 1s what information is required and what actions must be taken for vehicle compliance.
    3. This process needs to be performed as early as possible in the development stage of software and hardware to keep development costs to a minimum. Consider the case where a vulnerability is detected very close to the audit date. This would require extensive and expensive rework of the software to remove the risks emerging from the vulnerability. It can also delay delivery of the software or the ECU, given the substantial amount of time needed to perform the task.
    4. Ultimately, the target of UN R155 is to bring secure vehicles to the market that are safe to drive on the roads. It is acknowledged and understood that no one expects a perfect, zero-risk vehicle that is 100% secure against cyber attacks. The target is continuous improvement of the security management process, yielding more secure and safer vehicles over time.
  2. A disclaimer 
    1. This article is based on our own extensive experience in the market, leading this kind of process with OEMs and Tier 1s. It is not an academic article. We are sharing our knowledge, insights, and experience with the goal of assisting the industry and promoting the security of our vehicles.
    2. Although this process can be performed entirely manually, we use an automated Cyber Security Management System (CSMS) tool for managing the compliance process, preparing better for the audit, and keeping the information and documents in controlled storage. We strongly recommend that the industry adopt this approach.
  3. What information exchange is needed?
    1. OEM to Tier 1
      1. Security concept – the OEM needs to lead and instruct the Tier 1s and the whole supply chain on implementing the security strategy and exactly how everything should be built.
      2. Requirements – very clear and specific guidelines on the proper implementation of the security mechanisms and methods to be employed. Lack of this part of the process can result in legal liability of the Tier 1 towards the OEM in case of a major mishap.
      3. Documentation and templates – to assist and facilitate this process, the OEM typically provides a set of documentation and templates for the Tier 1 to use. This brings the whole supply chain to a common language that optimizes the information flow.
      4. Note: Tier 1s normally work with numerous OEMs, for each of which they need to provide the information in that OEM's specific format. OEMs evidently work with multiple Tier 1s. It would be desirable for the industry to generate a global, secure, common generic interface model that can be used by all OEMs and Tier 1s for this information exchange.
    2. Tier 1 to OEM
      1. Information and documentation: A Tier 1 needs to provide reports, evidence and artifacts to the OEM in the required format, enabling the OEM to aggregate them and present to the auditor proof of its compliance with the regulation. For instance, the documentation of the Secured Software Development Life Cycle (SecSDLC) is needed for the audit process.
      2. Vulnerability management: The Tier 1 needs to provide the OEM with proof of its proper management of vulnerabilities. This includes documentation of the detected vulnerabilities accompanied by their severity score, the management of the emerging risks, and the mitigation plan to be implemented for risk reduction.
      3. Support: The Tier 1 needs to actively participate in and support the OEM's preparation process for the audit with additional information, clarification and generation of documentation as needed and as indicated for the pre-audit activities.
  4. The roles of a consultancy company in facilitating the process
    1. Supporting the OEM
      1. Should a consultancy company be included in the process, as an expert in governance, risk and compliance, it can lead and accompany the OEM in the preparation for the audit. A consultancy company can play a crucial role in the process, since the OEM relies on it for professional guidance towards the successful completion of the audit.
    2. Supporting the Tier 1
      1. Under the umbrella of the OEM, the consultancy firm can interact with the Tier 1s on behalf of the OEM for efficient transfer of information.
      2. It is also possible that a Tier 1 would commission the consultancy company for its own preparation and independent readiness, to better serve its OEMs in this respect.
  5. Challenges in the process and solutions
    1. The consultancy company can assist greatly if there is a lack of knowledge of the UN R155 actions on the part of both the OEM and the Tier 1 supplier, particularly through:
      1. Its familiarity with the process and its know-how in communicating with the Tier 1s
      2. Its knowledge of the ECU development lifecycle
    2. The difficulty in retrieving information from suppliers. The consultancy company knows exactly how to ask specific questions to avoid wasting time.
    3. Few professionals can identify and list critical ECUs. The consultancy company has the relevant experience, knowledge and methodology for classifying and identifying the critical role of each ECU. It can indicate the proper sorting and prioritization of ECU importance from the security perspective.
    4. The challenge in setting the minimum requirements for homologation. The consultancy company has experience with the auditing bodies and the process that the OEM needs to undergo. This enables implementing only the necessary controls and protection means required for optimal results, which eventually results in cost reduction and shorter delivery time.
    5. There are endless issues during the supplier security review. The consultancy company interacts with all the Tier 1s to generate the required information and documentation from each one of them. The information is collected in a common format and normalized for effective presentation to the auditing body.
    6. There is too much information. The consultancy company can collect, sort, filter and prioritize the information received for effective generation and compilation of the materials to be presented to the auditing body.
  6. A risky timeline and process
    1. This is regarded by OEMs as the highest risk item, particularly when performing this procedure for the first time. The process takes many months to complete successfully, and resources need to be allocated for it. Also, the cooperation of the Tier 1s needs to be ensured. The consultancy company needs to lead and assist the OEM in this process, mapping and minimizing the risk along the way. Most crucial is the creation of a relationship of trust between the consultancy company, the OEM and the Tier 1s. In addition, prior acquaintance of the consultancy company with the auditing body also facilitates the process and reduces the risks.
  7. Proposed course of action of an effective and efficient process
    1. Tier 1s
      1. Tier 1s are advised to initiate this process regardless of the fact that they themselves are not required to comply with the regulation. Since they are part of the supply chain and enable the OEM to comply, they also need to have the whole security methodology implemented and ready to be presented to the OEM.
      2. During the OEM's preparation for the audit, Tier 1s need to be very cooperative and supportive of the process. They need to provide, in a timely manner, all the documentation indicated by the OEM to support the process.
    2. OEM
      1. OEMs need to allocate the required internal resources and to dedicate management attention to prepare for the audit efficiently and effectively.
      2. Commissioning a professional and experienced consultancy company will expedite the process, drastically increase the chances for a successful homologation and reduce the costs.
    3. General
      1. OEMs and Tier 1s are strongly advised to use an automated CSMS tool. Manual work will not achieve the desired results, either in quality or in schedule. Working with Word and Excel files will be much more expensive and inefficient.
      2. Integration and synergy with additional systems, such as the asset management database, vulnerability management and security testing automation, will generate substantial value and reduce costs.
