|
UNECE R155 is probably not top of mind for most casual observers
of the automotive industry. However, for those within it is
generating plenty of discourse and generating fundamental questions
as to what original equipment manufacturers' future competencies
should be. For those outside the industry, the nearest encounter
with R155 could be the news that Porsche ceased the sale of its
internal combustion engine (ICE) Macan in Europe early in 2024
because of compliance issues.
Because of this one could be forgiven that it is another
electric vehicle mandate. But no, R155 is all about cybersecurity.
Not just cybersecurity at a vehicle's start of production, but
throughout its end-to-end life cycle.
The increasing connectivity of vehicles is bringing more
vulnerabilities. A mini-industry has sprung up that exposes the
frailties of today's cars through a series of audacious hacks.
Among the famous hacks are the example of the Nissan Leaf in the north of England being
remotely controlled from a poolside in Australia or Tencent's Keen Security Lab hack of Tesla models
back in 2016. R155 is designed to lessen the frequency
of such incidents.
The regulation requires systematic measures such as regular risk
assessments, penetration tests and robust incident response
mechanisms to mitigate cyberthreats. The regulation also emphasizes
a secure software update management system to maintain vehicle
safety with up-to-date software.
The R155 regulation* has implications beyond in-vehicle
considerations, requiring extensive organizational effort and
potentially high costs. Managing risk throughout the vehicle life
cycle can be challenging, particularly for traditional OEMs with a
wide range of vehicle models. Consequently, OEMs are now focused on
embedding security into vehicle design and ensuring compliance to
avoid penalties and withdrawal of vehicle homologation.
The transition to a compliant Cybersecurity Management System
(CSMS) presents challenges and cost considerations for OEMs. In a
recent estimation by S&P Global Mobility, the costs of
compliance for two vehicles designed with older design distributed
E/E architectures were calculated for an A-segment vehicle and a
premium D-segment vehicle. The implementation costs on existing
models can easily exceed $1 million even for the A-segment vehicle
with fewer features. Thus, withdrawing vehicles from sale that are
approaching end of life or are sold in low volume makes perfect
sense.
Thus far, the Porsche Macan has been the only vehicle officially
retired because of R155 and there has been much speculation in the
press with nine specific vehicles widely cited as impacted. To
verify the reports, we sought the counsel of colleagues in S&P
Global Mobility's production forecasting division. Based on this,
we can confirm that of the nine vehicles reported, five are
specifically impacted by the R155 regulation. The affected vehicles
are three Porsche models (Boxster, 718 Cayman and Macan) and two
Audi models (R8 and TT). None of these models will continue to be
sold in Europe owing to the regulation. However, sales of these
vehicles may continue in regions outside of Europe that are not
subject to the legislation.
In the midterm, OEMs cannot discontinue all legacy platforms,
however, and they must bear the cost of making vehicles compliant,
especially high-volume platforms that are planned to continue for
several years. The following chart displays the relative exposure
of OEMs to these “retrofit” compliancy costs. It shows the number
of platforms still in production in 2025 with SOP earlier than
2016, i.e., before most OEMs started considering cybersecurity in
design.
However, OEMs are less tactical and are rethinking the way they
design vehicles as they make them software-defined vehicle
(SDV)-ready. Deploying SDV-ready vehicles supported by advanced E/E
architectures, particularly centralized zonal architecture that can
deploy software updates seamlessly, avoids the costly retrofitting.
They also ensure compliance with regulations as the
system-on-a-chip (SoC) powering them are equipped with embedded
crypto and security functions compliant with R155.
As with the SDV and many of the other industry megatrends,
cybersecurity has brought a lot of navel-gazing among industry
participants. There are fundamental questions to answer as to what
the core competencies of the OEMs and tier 1s should be in the
future. They are unsure, for example, whether software development
and SDV stacks should rely on outsourcing or to keep certain
aspects in-house. How to add cybersecurity compliance may also
present conflicts with an OEM's chosen software path on the
fundamental make or buy decision. The company that has chosen the
make path may find hidden costs with cybersecurity compliance such
as adding in-house expertise and the cost of operating Security
Operation Centers in-house.
Either way, R155 and cybersecurity obligations are posing new
challenges that need to be addressed. While there may be headlines
about production runouts in Europe, the focus is on navigating
these new roadblocks.
*Adopted by the United Nations Economic Commission for
Europe (UNECE), the UN R155 became effective in January 2021. This
regulation mandates that all new vehicle types must comply starting
from July 2022, and all vehicles produced must comply by July
2024.
Subscribe to
AutoTechInsight
|
