Mender blog

Driving secure innovation: ISO/SAE 21434 & UNECE compliance

The automotive industry is undergoing changes alongside the trend of consumer products — increasingly including embedded connected components. Vehicles are no longer defined by mechanics alone but by software and connectivity.

Today's software-defined vehicles (SDVs) are packed with technology and software, from complex codebases to embedded systems, making them as much digital devices as they are machines. Even lower-level SDVs have upwards of 100 million lines of code and hundreds of electronic control units (ECUs),1 dictating their functionality and how they work to serve the end consumer. SDVs are transforming what we expect from our vehicles, from something as simple as an infotainment overhaul to fully autonomous driving capabilities.

However, alongside the benefits of these enhancements come growing cybersecurity concerns. As connected, autonomous technologies advance, vehicles are directly tied to a dynamic software ecosystem. These digital components enable new features while simultaneously creating dependencies and vulnerabilities that can impact safety and functionality if left unchecked.

Like our phones and computers, SDVs need regular software updates to stay secure while performing at the highest, most modern standards. To safeguard consumers against growing threats, all updates and the technology that delivers them must meet rigorous cybersecurity guidelines emphasizing reliability and transparency to the end consumer. 

Cybersecurity is as critical to automotive safety as reliable brakes or airbags. Due to the nature of a software-defined vehicle, the software must be as secure as the physical hardware to protect consumers. All functionality and security updates are safety critical and must be kept at the top of manufacturers' and consumers' minds. With standards like ISO/SAE 21434 and UNECE R155/R156 setting a benchmark for cybersecurity best practices, vehicle manufacturers and suppliers must now build robust, compliant processes for secure updates. To remain competitive, the automotive industry must fully embrace cybersecurity in every layer of vehicle design and operation, ensuring safe innovation throughout the vehicle's entire lifecycle.

Why cybersecurity standards matter: The role of ISO/SAE 21434 and UNECE R155/R156

With digital transformation sweeping through the automotive industry, cybersecurity standards are essential in setting a global benchmark for automotive cybersecurity practices. ISO/SAE 21434, while non-mandatory, has become a de facto industry standard, providing a structured path for automotive manufacturers to establish and maintain robust cybersecurity practices throughout the SDV lifecycle. For many, adherence to ISO/SAE 21434 is contractually required and directly supports compliance with the United Nations Economic Commission for Europe (UNECE). Implementing these standards may appear complex, but they build upon fundamental cybersecurity best practices that manufacturers should already be familiar with. For instance, ISO/SAE 21434 emphasizes proactive risk management, due diligence, and a risk-oriented engineering approach—principles critical for protecting the vehicle's electronic systems and connected software.

UNECE regulations, specifically R155 and R156, enforce a mandatory cybersecurity framework across UNECE member states, requiring compliance from automakers with potential penalties and fines for violations. Since 2022, UNECE R155 and R156 have been in effect in the EU and Japan, with R155/156 becoming applicable to all vehicles in UNECE member states as of July 2024.3 The regulations mandate verifications every three years, and in cases of non-compliance, manufacturers may face fines, public reputation damage, or even suspension of vehicle sales. Both UNECE R155/R156 and ISO/SAE 21434 require a holistic cybersecurity approach across every phase of a vehicle’s lifecycle—from design to decommissioning. With cybersecurity now a core part of regulations, compliance safeguards vehicles against emerging cyber threats and ensures continued innovation and consumer trust in today's software-driven automotive world.

The importance of OTA updates for cybersecurity in the SDV space

Considering the importance of proactive, timely updates for comprehensive cybersecurity, over-the-air (OTA) updates are essential for maintaining these standards post-production. OTA update capabilities allow manufacturers to rapidly address vulnerabilities, bug fixes, and threats in real time, helping to ensure that vehicles remain secure as new threats emerge and software dependencies evolve.

Professional OTA addresses these challenges by enabling secure and efficient OTA update management that aligns with ISO/SAE 21434 standards. With professional OTA, manufacturers can manage update campaigns that deploy quickly across fleets, mitigating cybersecurity risks immediately when identified. A proper defense-in-depth model must include strict user authentication with multi-factor authentication (MFA), role-based access control (RBAC) to limit access privileges, and secure binary storage to ensure that only authenticated users and devices access software updates. Audit logs and software bill of materials (SBOM) tracking also enhance traceability, helping manufacturers monitor and respond effectively to security events. With these security-first practices in place, OTA updates respond to evolving threats and do so with the security required to protect SDVs in a fast-moving digital landscape. Ultimately, relying on a professional OTA solution safeguards vehicles further, preventing unforeseen threats and possible ‘bricking’ due to an underdeveloped homegrown OTA. 

However, the complexity of OTA infrastructure introduces a double-edged sword. While OTA updates provide an essential layer of defense, securely implementing these updates presents a formidable challenge. Poorly designed or homegrown OTA systems can unintentionally open new security gaps, exposing vehicles to potential cyber risks. Future-proofing OTA systems with rigorous security protocols ensures these updates strengthen vehicle security throughout its lifecycle without opening the door for cyber attacks.

How robust OTA facilitates compliance and readiness

Professional OTA with robust features simplifies alignment with compliance standards, making it a necessary solution for security and compliance. Acting as a cybersecurity management system (CSMS) and software update management system (SUMS), robust OTA update capabilities support manufacturers in meeting technical and operational compliance needs. OTA update infrastructure with a security-first design, secure authentication protocols, and campaign management facilitate timely update deployments while keeping up with regulatory adherence. Further supplementing with a secure transport layer (TLS) defends against man-in-the-middle attacks. At the same time, mutual TLS (mTLS) offers an additional layer of protection with hardware security support, including hardware security modules (HSM) and trusted platform modules (TPM). These safeguards enable organizations to manage private keys, reducing risks associated with unauthorized access and untrustworthy deployments.

Through end-to-end cryptographic code signing, a robust OTA system ensures only validated software is deployed. Furthermore, seamless A/B updates prevent system instability by allowing complete rollbacks if an update fails, aligning with UNECE's stringent R155/156 requirements while honoring the countless software dependencies at play in SDVs. To further facilitate compliance, detailed audit logs of software configurations and device states, combined with REST API access, simplify compliance audits, providing an additional layer of operational transparency and control out of the box with minimal setup time. By adopting professional OTA update capabilities, manufacturers empower an advanced, compliant OTA solution to enhance cybersecurity and regulatory readiness for the complex software-defined automotive landscape.

Why compliance is essential to remain competitive

Compliance with regulatory standards like ISO/SAE 21434 and UNECE R155/R156 is a competitive imperative in the automotive industry. As the industry moves towards software-defined vehicles, compliance becomes essential for maintaining safety, ensuring long-term innovation, and building customer trust. These standards protect manufacturers and end users against cyber threats that could compromise vehicle safety and user data, making regulatory adherence a strategic advantage for market differentiation.

By partnering with Mender, OEMs can navigate the complexities of compliance with a streamlined, secure OTA solution. Mender's framework helps organizations meet rigorous cybersecurity and update requirements with a ready-to-use, secure, and future-proof OTA, allowing manufacturers to focus solely on product offerings and market differentiation. This compliance-ready infrastructure supports ever-changing standards while minimizing the engineering resources needed to evolve a secure OTA update process.

An investment in Mender equips OEMs with the tools necessary to efficiently meet regulatory standards, allowing teams to focus on innovation rather than the logistical challenges of compliance. In an industry rapidly advancing towards autonomous and connected vehicles, Mender enables automotive manufacturers to build trust, ensuring their products remain safe, secure, and compliant, all while staying ahead of industry shifts.

Securing the future of automotive success

With a compliant cybersecurity foundation, Mender accompanies automotive manufacturers to secure a resilient future. Maintaining robust security across the entire vehicle lifecycle is crucial as vehicles are increasingly defined by software. Mender's secure over-the-air (OTA) update capabilities simplify the deployment of critical patches and feature updates and provide manufacturers with a streamlined approach to ensure ongoing compliance with ISO/SAE 21434 and UNECE R155/R156. Mender streamlines compliance strategies and best practices to achieve a secure and resilient vehicle lifecycle. By implementing Mender, OEMs enable a comprehensive, compliant cybersecurity management system (CSMS) and software update management system (SUMS) that future-proofs vehicles against evolving security standards and cyber threats. This proactive approach helps OEMs enhance customer trust while driving innovation in a secure, regulation-ready framework. For manufacturers focused on sustainable growth, Mender's OTA solution and strategic compliance insights are essential for a successful future.

Download our white paper for in-depth guidance on staying ahead in this rapidly evolving industry with effective, secure, and compliant strategies that protect business interests and customer safety.


Notes

  1. https://spectrum.ieee.org/software-eating-car
  2. https://unece.org/sites/default/files/2023-02/R155e%20%282%29.pdf
  3. https://unece.org/sustainable-development/press/un-regulations-cybersecurity-and-software-updates-pave-way-mass-roll

Recent articles

Challenges in complying with the EU Cyber Resilience Act (CRA)

Challenges in complying with the EU Cyber Resilience Act (CRA)

Discover how manufacturers can achieve Cyber Resilience Act (CRA) compliance by tackling secure updates, SBOM management, and vulnerability tracking with robust OTA solutions.
An overview of EU Cyber Resilience Act (CRA) compliance

An overview of EU Cyber Resilience Act (CRA) compliance

Learn how the EU Cyber Resilience Act (CRA) enforces stringent cybersecurity requirements for PDEs. Explore compliance essentials in part 1 of a 4-part series.
The scope of EU Cyber Resilience Act (CRA) compliance

The scope of EU Cyber Resilience Act (CRA) compliance

Explore the scope of the EU Cyber Resilience Act (CRA). Learn about the CRA's scope, and why secure OTA updates are essential for compliance.
View more articles

Learn why leading companies choose Mender

Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.

 
sales-pipeline_295756365