The ubiquitous description of modern cars being veritable computers on wheels is accurate.

Autonomous technologies and more digitally enabled vehicles have ushered in a new wave of

connectivity solutions. This also means that cybersecurity is now a critical aspect of

automotive safety. Recognizing this, the United Nations Economic Commission for Europe

(UNECE) adopted two new regulations that specify requirements for managing a vehicle’s

cyber risk and software updates. These requirements apply to automotive original

equipment manufacturers (OEMs) and indirectly affect automotive suppliers, who are now

required to prepare and implement security measures.

For the Illinois-headquartered UL Solutions, a global applied safety science leader, this has

spelled good news as it has been designated a technical service for auditing and testing

vehicles by the Netherlands Vehicle Authority (RDW). UL Solutions will conduct audits and

testing for passenger cars, trucks and buses to comply with the two key UN automotive

security regulations. These include UN Regulation R155, which covers cybersecurity,

requiring that connected vehicles have a certified cybersecurity management system (CSMS).

The second security regulation is UN R156, which covers the software update management

system (SUMS) for connected vehicles. According to a March 2022 press statement from UL

Solutions, approval from RDW of a vehicle's compliance with UN R155 and UN R156 also

applies for all 27 European Union countries and 37 countries worldwide, including Australia,

Japan, South Korea and throughout the United Kingdom, among others.

“RDW has worked closely with UL Solutions for many years, and that includes the

preparation of the United Nations Economic Commission for Europe Regulations R155 and

R156 for cybersecurity and software updates and the ISO/SAE 21434 industry standard for

automotive cybersecurity engineering,” said Gerard Doll, director of Vehicle Regulation and

Vehicle Admission at RDW in the same press release. “UL Solutions brings expertise from

other ecosystems with significant security governance, which are multi-stakeholder, global in

nature, and combining information technology and operational technology, similar to the

automotive industry. We are pleased that we can continue to leverage expertise of UL

Solutions to help ensure that any connected vehicle innovations introduced into Dutch roads

are done so in a safe and secure manner.”

With over 500 international security experts, UL Solutions works with customers worldwide,

leveraging its industry-leading working knowledge of automotive standards and best

practices. Representatives from UL Solutions serve as participants and advisers on key

standards groups and industry consortiums, such as the International Organization for

Standardization, the UN World Forum for Harmonization of Vehicle Regulations and more.

UL Solutions also has extensive expertise in cybersecurity with a global network of Internet

of Things (IoT) and Operational Technology (OT) security laboratories, security experts and

advisers with specialized expertise in global security standards, frameworks and best

practices for the automotive ecosystem.

The company referenced a report from Statista, which estimates that the roughly 8.74 billion

connected devices in use in 2020 will swell to over 25.4 billion by 2030. Amid that uptick in

connectivity, organizations are facing a rash of new cybersecurity threats – a recent study

revealed that supply chain attacks rose by 42% in the first quarter of 2021 via 27 third-party

vendors. Coupled with a fast-moving and complex global regulatory landscape, now more

than ever organizations need a comprehensive yet streamlined solution to assess their overall

cybersecurity posture and risk.

“Increasing consumer expectations are pushing automotive manufacturers and their suppliers

to transform and increase the speed of innovation while building and

maintaining trust. Automotive and mobility companies understand they must innovate to

remain competitive,” said Chante Maurio, vice president and general manager of the Identity

Management and Security groups at UL Solutions in a media release. “With rising

expectations for connectivity, interoperability, transparency and safety paired with rapid

advancements in electric and autonomous vehicles, they must create safe and secure

innovations that consumers can trust. While these opportunities and the challenges are

immense, we, at UL Solutions, are honoured to play a role in helping drive their success

and continue cooperative relationships with RDW and other regulators, approval authorities

and the automotive industry for a safer and more secure world.”

The company’s SafeCyber™ Digital Security Platform was launched in November 2021 as a

suite of solutions aimed at democratizing IoT security and empowering key organizations,

such as device manufacturers, suppliers and systems integrators, to take charge of their

connected ecosystems. From smart home devices and sophisticated medical devices, to

advanced automotive and Industry 4.0 technology, the UL Solutions SafeCyber™ Digital

Security Platform aims to mitigate the growing volume of cybersecurity threats facing these

organizations, says the company.

The SafeCyber™ platform offers Maturity Path, a solution that provides device

manufacturers, suppliers and system integrators with a maturity assessment for connected

device security to build sustainable product security governance and processes. In a June

2022 press release, UL Solutions also announced that it offers a Binary Check capability

within the platform.

During the development phase, binary code analysis and vulnerability detection can help

connected device stakeholders prevent attacks, speed up security and compliance checks of

third-party, open-source components and their own implementations for faster time to

market. In the operational phase, vulnerability monitoring and management can help

connected device stakeholders prevent attacks and maintain their device’s security posture by

tracking and remediating vulnerabilities as they emerge. Binary Check will apply security

early in the product, application or system development life cycle with automated security and

compliance testing. This includes compliance analysis against supported standards and guidelines,

including the UL Solutions IoT Security Rating Program, ETSI 303 645, ISO/SAE 21434 and

IEC 62443-4-2.

“Collectively, these capabilities will allow UL Solutions customers to manage cybersecurity

governance and processes for all product lines in one integrated solution. Further, the

platform will help speed up firmware development turnaround times while also addressing

vulnerabilities to help ensure security and compliance readiness from the start,” said a

company statement.

UL Solutions also offers cybersecurity training programs to enable participants to understand

security processes, related standards, and their impact on the automotive industry. These

programs are compatible with the ISO/SAE 21434 standards. Topics covered include

cybersecurity management, cybersecurity policy and culture, and tailoring of cybersecurity

activities. The concept phase of the training program includes threat analysis and risk

assessment (TARA), assigning cybersecurity goals and concepts.

Automotive Industries spoke to Jako Fritz, principal security adviser at UL Solutions.

AI: What are the most alarming threats facing the automotive industry today and how can

organizations build and roll out secure products from the ground up?

Fritz: Today, automobiles, trucks and vehicles do much more than their intended use of

transportation. The automobile has become a modern technology hub, from infotainment

systems to operational sensors to mobile app integrations. But with each connected

innovation, the risk of breaches and cyberattacks increases. Cars have up to 150 electronic

control units and 100 million lines of code. By the year 2030, many observers expect them to

have roughly 300 million lines of software code. In comparison, mass-market personal

computer software has close to 40 million. That’s where UL Solutions helps original

equipment manufacturers (OEMs) and automotive component and system manufacturers test

and verify security certification compliance.

AI: What are the potential vulnerabilities in the automotive supply chain, particularly those

focused on automotive connectivity?

Fritz: Supply chain attacks are widely used on the desktop platform; attackers have broken in

or bribed sub-suppliers for the ecosystem that, for example, created signed drivers to be able

to create malware that is seen as legitimate software, or legitimate vendors have created

software that essentially behaved like malware. OEMs have to rely on their suppliers to

behave correctly and need to implement tools to detect and act when they do not. This is the

same problem as a chef having to periodically check the produce shipped to his restaurant to

make sure that what he is receiving is of sufficient quality to use.

AI: The complex global automotive regulatory landscape means different standards – how

can UL Solutions ensure compliance with local standards and regulations such as UNECE

WP.29 and ISO/SAE 21434?

Fritz: UN R155 and UN R156, addressing cybersecurity processes and software update

management requirements, were passed by UNECE’s World Forum for Harmonization of

Vehicle Regulations and focus on cybersecurity and software updates for vehicles by

establishing clear requirements for car manufacturers. They require implementing measures

across four distinct areas: managing vehicle cyber risks; securing vehicles by design and

mitigating risks along the value chain; detecting and responding to security incidents across

the vehicle fleet; and providing safe and secure software updates and ensuring vehicle safety

is not compromised, introducing a legal basis for Over-the-Air (OTA) updates to software on

the vehicle. ISO 21434 helps here by providing a set of common nomenclature and structured

processes to make implementing these distributed cybersecurity activities along the value

chain easier.

We conduct cybersecurity hardware and software testing on automotive components and

systems to help customers understand their product’s cybersecurity risk and to validate their

security measures. We also audit cybersecurity management systems for compliance with

industry requirements, including ISO/SAE 21434 and WP.29, to help customers understand

their process maturity and compliance with the regulation and standards.

AI: Why is your SafeCyber™ platform an important solution for companies?

Fritz: SafeCyber™ helps organizations holistically understand and assess risk, allowing both

new and existing assets to be designed and maintained to conform with the latest

cybersecurity legislation and best practices. For more than 128 years, UL Solutions has been

a trusted partner helping organizations ensure the safety and compliance of their products and

solutions, and SafeCyber™ marks an important milestone in our long-term vision to develop a

best-in-class capability that helps organizations move beyond a compliance mindset, and

toward a proactive stance that enables them to actively manage their security posture in what

is becoming an increasingly connected, ever-evolving threat landscape.

IoT World Today named the UL Solutions SafeCyber™ Digital Security Platform one of

the Top 10 Internet of Things (IoT) Products of 2021. Being named a top product quickly

after release speaks to the necessity for security solutions as the number of new connected

devices and regulations increases. We are proud that IoT World Today quickly recognized

SafeCyber as a trustworthy and holistic solution to reducing cyber risks. SafeCyber aims to

help organizations understand IoT cyber risks and manage them for multiple product lines

from one platform. It helps with the implementation of the required cybersecurity process

with respect to cybersecurity monitoring and vulnerability management, as well as addressing

supply chain attacks. This bigger picture gives stronger guarantees with regard to the quality

and safety of the provided software.

IoT World Today noted UL Solutions’ broad approach when creating the SafeCyber platform

as a factor in choosing it for their top ten list. Incorporating UL Solutions benchmarks as well

as those from the European Telecommunications Standards Institute, the International

Organization for Standardization and International Electrotechnical Commission keeps

customers focused on best practices throughout the industry. This holistic view also helps to

avoid what IoT World Today calls a “fragmented ecosystem” that can cause confusion and

reduce the overall adoption of standards.