The Evolution of Connected Cars as Defined by Threat Modeling UN R155-Listed Attack Vectors

United Nations Regulation No. 155 sets provisions for cybersecurity and cybersecurity management systems in vehicles. A notable section of the document is Annex 5, which lists 69 attack vectors affecting vehicle cybersecurity. To help organizations comply with this regulation, we conducted a threat modeling exercise on the defined attack vectors as a form of risk assessment.

One of the challenges the regulation presents is that manufacturers have to conduct their own risk assessments in order to best implement cybersecurity measures, with Annex 5 serving as a guide.

In our research paper, “Identifying Cybersecurity Focus Areas in Connected Cars Based on WP.29 UN R155 Attack Vectors and Beyond,” we used the DREAD threat model to assess the risk level of the attack vectors listed in Annex 5. First, we considered the current technological and threat landscape to make our assessment. Then we conducted the exercise again, based on our predictions of how these technologies and threats would evolve. This blog entry provides an overview of this process.

UN R155’s attack vectors and current risk ratings

The Annex 5 attack vectors were grouped into factors that affect the connected car ecosystem, such as the backend, communication channels, update

