Risk Management

Under UNECE R155, manufacturers must demonstrate a systematic, repeatable risk management process that identifies, evaluates, treats, and monitors cybersecurity risks across the vehicle lifecycle and supply chain. In practice, this is commonly implemented using ISO/SAE 21434 methods and work products.

Objectives

  • Identify assets, threats, and vulnerabilities relevant to vehicle types.
  • Evaluate impact and feasibility to derive risk levels.
  • Select and implement proportionate risk treatments.
  • Maintain traceability from risks → goals/requirements → tests → operation.
  • Continuously monitor and update risk posture in the field.

Process Expectations (At a Glance)

  1. Scoping & Context – define vehicle type boundaries, interfaces, dependencies.
  2. Asset Identification – E/E components, comms channels, data, credentials, tooling.
  3. Threats & Vulnerabilities – use curated catalogs; include misuse/abuse cases.
  4. Risk Evaluation – impact (safety, regulatory, operational, privacy) × feasibility.
  5. Treatment Selection – preventive/detective/corrective; defense-in-depth.
  6. Requirements & Design – derive and allocate security requirements.
  7. Verification & Validation – plan tests proportional to risk; capture evidence.
  8. Operational Feedback – vuln intake, incident learnings, telemetry → re-assess.

TARA Alignment (ISO/SAE 21434)

A Threat Analysis and Risk Assessment (TARA) provides the structure for risk decisions. Typical elements include:

  • Assets & Attack Paths (e.g., OBD, telematics, BLE, Wi-Fi, V2X, service tools).
  • Threat scenarios (remote compromise, privilege escalation, spoofing, tampering, DoS).
  • Vulnerabilities (design flaws, misconfig, weak crypto, supply chain gaps).
  • Impact categories (safety, legal/regulatory, operational, financial, reputation).
  • Feasibility factors (time, expertise, knowledge of item, opportunity, equipment).
  • Risk rating and treatment decision with acceptance criteria.

Risk Treatment & Control Strategy

  • Preventive – hardening, authN/Z, secure boot, partitioning, rate limiting.
  • Detective – logging, on-board IDS, anomaly detection, integrity monitoring.
  • Corrective – secure update/rollback plans (coordinate with R156/ISO 24089).
  • Assurance – testing depth tied to risk (static/dynamic, fuzzing, pentest, fault-injection).
  • Defense-in-depth – layered controls across ECUs, networks, and backends.

Risk Acceptance & Escalation

Define organization-wide acceptance criteria and escalation paths:

  • Document residual risk and rationale when accepting risk.
  • Use governance bodies (e.g., CSMS board) for exceptions and waivers.
  • Link accepted risks to monitoring triggers and revisit periodically.

Traceability & Evidence

Maintain end-to-end traceability so auditors can follow the chain:

  • Threat scenario ⇄ asset ⇄ requirement ⇄ design element ⇄ test case ⇄ result ⇄ operational control.
  • Bidirectional links (IDs) and change history for all artifacts.
  • Coverage metrics (e.g., % high-risk scenarios with implemented/verified controls).
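The following helper is an added example, not part of this page or of ISO/SAE 21434: it turns the TARA elements above (the five feasibility factors, impact categories, risk rating, acceptance criteria) and the coverage metric in this section into runnable code. The point scales, cut-offs, risk matrix, acceptance criterion and sample scenarios are all assumed for illustration and must be replaced by your organization's approved TARA method.

```python
"""TARA risk-rating helper: feasibility from the five factors named on the page,
risk from an impact x feasibility matrix, then a treatment decision and the
high-risk coverage metric. All scales and cut-offs are assumed, not from the standard."""
# Assumed points per feasibility factor (more points = harder for an attacker).
FACTOR_POINTS = {
    "time": {"<=1 week": 0, "<=1 month": 1, "<=6 months": 4, ">6 months": 10},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "opportunity": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}
# Assumed cut-offs on the point total: (minimum total, feasibility level).
FEASIBILITY_CUTOFFS = [(25, "very low"), (20, "low"), (14, "medium"), (0, "high")]
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]
# Assumed risk matrix: rows = impact, columns = feasibility, values 1 (lowest) .. 5.
RISK_MATRIX = [[1, 1, 1, 1], [1, 2, 2, 3], [1, 2, 3, 4], [2, 3, 4, 5]]

def feasibility_level(factors):
    """Sum the factor points and map the total to a feasibility level."""
    total = sum(FACTOR_POINTS[name][factors[name]] for name in FACTOR_POINTS)
    return next(level for minimum, level in FEASIBILITY_CUTOFFS if total >= minimum)

def risk_value(impact, feasibility):
    """Look up the 1..5 risk value for an impact / feasibility pair."""
    return RISK_MATRIX[IMPACT_LEVELS.index(impact)][FEASIBILITY_LEVELS.index(feasibility)]

def rate(scenario, accept_below=3):
    """Return (feasibility, risk, decision). Risk under the acceptance criterion is
    accepted only with a documented residual-risk rationale and a monitoring hook."""
    feas = feasibility_level(scenario["factors"])
    risk = risk_value(scenario["impact"], feas)
    return feas, risk, ("accept: document rationale + monitoring hook" if risk < accept_below else "treat")

def high_risk_coverage(scenarios, threshold=4):
    """Coverage metric: % of high-risk scenarios whose controls are implemented and verified."""
    high = [s for s in scenarios if rate(s)[1] >= threshold]
    return 100.0 if not high else round(100.0 * sum(s["controls_verified"] for s in high) / len(high), 1)

# Constructed sample scenarios for illustration, not from any real TARA.
SCENARIOS = [
    {"id": "TS-01", "asset": "telematics unit", "impact": "severe", "controls_verified": True,
     "factors": {"time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
                 "opportunity": "unlimited", "equipment": "standard"}},
    {"id": "TS-02", "asset": "OBD port", "impact": "major", "controls_verified": False,
     "factors": {"time": ">6 months", "expertise": "multiple experts", "knowledge": "strictly confidential",
                 "opportunity": "difficult", "equipment": "multiple bespoke"}},
    {"id": "TS-03", "asset": "BLE key fob link", "impact": "major", "controls_verified": False,
     "factors": {"time": "<=1 week", "expertise": "proficient", "knowledge": "public",
                 "opportunity": "easy", "equipment": "specialized"}},
]
```

With the sample data, TS-01 and TS-03 rate as high risk and must be treated, TS-02 falls under the acceptance criterion, and the coverage metric reports 50% of high-risk scenarios with verified controls, which is the kind of figure an auditor following the traceability chain would ask for.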

Operational Feedback Loop

  • Vulnerability management – coordinated intake (PSIRT), triage, CVE/CVSS mapping where applicable.
  • Incident response – detect, contain, eradicate, recover; lessons learned into TARA.
  • Telemetry/health – define KPIs, thresholds; trigger re-assessment or campaigns.
  • Supplier coordination – propagate advisories, patches, evidence exchange.

Practical Do / Don’t

Do

  • Use a single, versioned TARA method and train teams on it.
  • Quantify acceptance criteria and require documented approvals.
  • Map controls to threats (not just to components).
  • Tie test depth to risk (e.g., fuzzing for high-risk parsers).
  • Continuously sync with SUMS (R156) for corrective actions.

Don’t

  • Retrofit controls late without revisiting TARA.
  • Accept residual risk without monitoring hooks.
  • Let supplier risks sit untracked or unaudited.
  • Confuse test coverage with risk reduction—show effectiveness.

Typical Outputs / Evidence

  • Approved TARA method and templates; training/competence records.
  • TARAs per vehicle type with risk ratings, treatment decisions, residual risks.
  • Requirements & traceability matrices; verification/validation plans and reports.
  • Operational monitoring KPIs, vulnerability/incident records, re-assessment logs.
  • Supplier risk assessments and exchanged evidence packages.

Disclaimer: This page summarizes risk management expectations under UNECE R155. For authoritative requirements, consult the official regulation text and guidance from your approval authority.