Cybersecurity Approval Criteria: Application of UN R155

The UN R155 regulation is the first automotive cybersecurity regulation and has made security a mandatory approval criterion for new vehicle types. This establishes internationally harmonized security requirements for market approval, presenting a challenge for manufacturers and suppliers to demonstrate compliance throughout the product life cycle. An issued type approval is internationally recognized by the member states of the UN 1958 Agreement. International recognition implies that uniform assessment criteria are applied to demonstrate compliance and to decide whether security efforts are sufficient. Independent accredited assessors assess the security engineering results during type approval. Considering the risk-based approach of ISO/SAE 21434 to security engineering, assessing whether threats have been appropriately addressed is a challenge. While there are currently no uniform assessment criteria at product level, the question arises as to which development artifacts serve as indicators for determining the efficacy of mitigation strategies. In response to this challenge, the paper conducts an analysis of existing security concepts of the automotive security standard ISO/SAE 21434 and the Information Technology Security Evaluation Standard ISO 15408 (Common Criteria) and therefore provides an insight into the state-of-the-art of security evaluation methods. The overall objective is to derive applicable assessment criteria and recommendations for the UN R155 approval while taking into account relevant security properties that help to decide on the sufficiency of security measures. These recommendations aim to enhance the comprehensiveness of the security assessment associated with UN R155, fostering a more uniform approach to evaluating cybersecurity in the context of vehicle type approvals.