EUROCYBCAR and AENOR join forces to certify that vehicles meet European cybersecurity standards
EUROCYBCAR and AENOR have developed the ‘Cybersecurity in Vehicles-UNECE/R155-ESTP’ certification, in which ESTP (EUROCYBCAR Standard Test Protocol) technology is key, to check whether a vehicle complies with the UNECE/R155 regulation.
From 6 July 2024, this European Regulation obliges manufacturers to sell and manufacture vehicles that meet the cybersecurity requirements of the standard, to minimise the possibility that they could be cyber-attacked with the aim of stealing, spying on the driver or taking control of the vehicle remotely to cause an accident.
The ‘Cybersecurity in Vehicles-UNECE/R155-ESTP’ certificate demonstrates that the vehicle minimises the risk of a cyber-attack affecting the privacy and lives of its occupants, as well as the integrity of the vehicle’s systems.
EUROCYBCAR and AENOR have jointly developed the ‘Cybersecurity in Vehicles-UNECE/R155-ESTP’ Certificate, which demonstrates whether a vehicle (car, truck, bus, van or motorhome) complies with the cybersecurity requirements of the UNECE/R155 regulation, i.e. whether it correctly protects the privacy and the lives of the people on board.
Within this new certification process, ESTP Technology plays an important role: it is an innovative modular platform created by EUROCYBCAR, a technology company based in Vitoria-Gasteiz, which enables a standardised, objective and automated process of analysis and evaluation of the level of vehicle cybersecurity, applying the ESTP Methodology (a EUROCYBCAR methodology, in the international patent process since 2019) and according to the examples of requirements set by the UNECE/R155 and ISO 21434 regulations.
Thanks to the AENOR Certificate and EUROCYBCAR’s prior technical evaluation process, the buyer of a new vehicle will be able to know, firstly, whether it complies with the European cybersecurity standard for vehicles (the UNECE/R155) and, furthermore, will be able to compare the level of cybersecurity between different vehicles and, therefore, make purchasing decisions based on criteria such as which of them best protects their life or hinders access to their private data or theft of the vehicle.
Today’s cars on our roads are large computers on wheels travelling at 120 km/h, receiving, managing, storing and emitting a large amount of data generated by the vehicles themselves and by any of the elements of the mobility ecosystem with which they interact: other vehicles, mobility applications and infrastructures, passengers, users, IoT devices, etc.
To achieve this connectivity, any vehicle already has, as a minimum, Bluetooth, USB, Keyless, WiFi, eCall, GPS… But what can a cracker do by exploiting this technology if it is not sufficiently protected? Steal the car, infect it with a virus, activate the airbag, spy on the driver and passengers of the vehicle, obtain personal data stored inside, stop the engine, activate or deactivate the central locking system, track the routes taken daily by the vehicle… It is even possible that, if the vehicle is not well cyber-protected, an operation as simple as charging a mobile phone battery by plugging it into the vehicle’s USB port could lead the user himself to introduce a virus into the vehicle that could paralyse it while it is running.
As of 6 July, and thanks to UNECE/R155 (the European cybersecurity regulation for vehicles), all of the above is more difficult to carry out, because cars, trucks, buses, vans and motorhomes on European roads, whether newly type-approved or newly manufactured, are obliged to implement minimum cybersecurity measures to protect both the privacy and the lives of the driver and passengers.
To assess vehicles, the EUROCYBCAR ESTP Methodology performs three types of tests: physical access (e.g. via OBD, USB port or any other physical connection), remote access (e.g. keyless system, WiFi, Bluetooth or GPS) and applications that the vehicle incorporates or that the user can download to a mobile device and that allow them to control, remotely, different functionalities such as heating, location or opening and closing doors. Once this cybersecurity evaluation process carried out by EUROCYBCAR has been passed, it is AENOR, as the certifying entity, that issues the corresponding cybersecurity certificate. The certificate guarantees compliance with the cybersecurity requirements established by the UNECE/R155 and indicates the level of cybersecurity that the vehicle has obtained and, therefore, whether it implements effective means and controls to minimise the risk of a cyber-attack against the integrity of the vehicle’s systems, privacy and the lives of the people on board.
AENOR’s Director of Strategic Marketing and Business Development, Javier Mejía, stated that ‘the hyperconnection that characterises our century has turned cybersecurity into a concern and a need shared by the whole of society. For this reason, AENOR and EUROCYBCAR have joined forces to protect and generate confidence in the commitment against cybercrime that affects vehicle manufacturers’.
For her part, the CEO and founder of EUROCYBCAR, Azucena Hernández Palmero, stated that ‘for both EUROCYBCAR and AENOR, the priority is for users to know if they are really travelling on board a vehicle that complies with the mandatory cybersecurity requirements, because their privacy and, above all, their lives are at stake’.
EUROCYBCAR and AENOR, pioneers in the field of vehicle cybersecurity assessment and certification, set a global milestone in 2022.
As a result of the collaboration between EUROCYBCAR and AENOR, in April 2022, a Spanish motorbike was the first vehicle in the world to obtain the ‘Cybersecurity in Vehicles-UNECE/R155-ESTP’ certificate. It was obtained by an electric motorbike: the NUUK CargoPro, positioning the Basque Country and Spain as international benchmarks in the field of cybersecurity applied to Mobility.
Following this international milestone, EUROCYBCAR promoted the modification of the UNECE/R155 regulation, which initially left motorbikes out. In September 2024, the UNECE communicated the decision to incorporate motorbikes, scooters and electric bicycles that exceed 25 km/h into the UNECE/R155 regulation, having demonstrated that they have the same level of connectivity as the rest of the vehicles that, from the beginning, had been included in this regulation.