Identifying Cybersecurity Focus Areas in Connected Cars Based on WP.29 UN-R155 Attack Vectors and Beyond

The UN working group WP.29 published UN Regulation No. 155, the “Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management systems,” which became a binding resolution on January 22^nd, 2021 with expectations that at least 54 countries will mandate it starting July 2022. The regulation lists 69 attack vectors directly affecting vehicle cyber security. Car manufacturers, suppliers, government organizations, etc. all stakeholder’s cooperation and efforts are necessary for the successful implementation of the published regulation. The first course of action is to sort these attack vectors according to their expected threat severity levels, so stakeholders can determine the order in which to tackle mitigating said threats. In this paper, using the industry standard DREAD threat modelling, we calculated the severity levels of the attack vectors listed in the WP.29 UN-R155 cyber security regulation. Additionally, we go beyond the attack vectors listed in UN-R155 - using our own analysis, experience and insights, we explored other attack vectors that will also affect vehicle cybersecurity.