<!-- Source: https://melinasecurity.com/industries/automotive/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->


The automotive cybersecurity discipline is now structured around two interlocking standards: **UN-R 155** (the United Nations regulation mandating Cybersecurity Management Systems for vehicle type approval) and **ISO/SAE 21434** (the international standard for cybersecurity engineering of road vehicles). In the EU, UN-R 155 has applied to new vehicle types since July 2022 and to all newly registered vehicles since July 2024, with comparable deadlines in other markets that apply the UNECE regulations; that has moved this work from voluntary practice to type-approval prerequisite.

Melina supports automotive OEMs and Tier-1 suppliers across the technical and process layers of this work.

## Where Melina engages on automotive cybersecurity

### CSMS readiness for UN-R 155 type approval

Vehicle manufacturers seeking type approval need a documented Cybersecurity Management System addressing concept, development, production, operations, and decommissioning. We support readiness work on:

- CSMS process design and gap assessment against UN-R 155 and [ISO/SAE 21434](/knowledge/glossary/iso-sae-21434/)
- Cybersecurity-interface agreement design for OEM-supplier coordination
- Pre-audit gap remediation before formal type-approval audit

### TARA execution

[TARA](/knowledge/glossary/tara/) (Threat Analysis and Risk Assessment) is the central artifact in ISO/SAE 21434 implementation. We execute TARA on items ranging from individual ECU classes to full vehicle E/E architectures, working alongside the engineering team.

A common engagement frame: the OEM has drafted an initial TARA, the supplier has drafted their portion, and the two need to be reconciled at the cybersecurity-interface boundary. We run that reconciliation as a structured workshop and deliver the reconciled TARA, with the agreed split of responsibilities, as its documented output.

### In-vehicle network and ECU testing

Hands-on testing on physical hardware:

- [CAN bus](/knowledge/glossary/can-bus/) and CAN-FD message analysis, replay, and injection
- [OBD-II](/knowledge/glossary/obd-ii/) and [DoIP](/knowledge/glossary/doip/) diagnostic-service security review (UDS Authentication 0x29, programming-session entry via DiagnosticSessionControl 0x10, SecurityAccess 0x27 seed/key handling)
- [ECU](/knowledge/glossary/ecu/) firmware extraction, reverse engineering, vulnerability research
- Gateway behavior between in-vehicle network zones
- Telematics Control Unit (TCU) end-to-end security — cellular path, OTA channel, back-end API
- Infotainment head unit (IVI) attack surface — BLE, Wi-Fi, USB, side-loaded apps
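As an added illustration of the SecurityAccess review listed above (example code written for this page, not Melina's bench tooling): the script below runs the checks a tester applies to a UDS 0x27 seed/key exchange. It assumes an in-process simulated ECU (constructed here; not real firmware), passes UDS payloads directly instead of framing them over ISO-TP (ISO 15765-2), and uses a toy XOR key derivation as a stand-in for whatever the real ECU implements. The checks are the ones that matter on a real bench: the seed must not be served in the default session, must not be all-zero, must not repeat across requests, and a key equal to the seed must be rejected.

```python
"""Bench-style checks of a UDS SecurityAccess (0x27) seed/key exchange.

The ECU below is simulated in-process (constructed for this example) and
the UDS payloads are exchanged directly rather than over ISO-TP frames.
"""

import os
from collections import Counter

# UDS service identifiers, sub-functions and negative-response codes (ISO 14229-1).
DIAG_SESSION_CONTROL = 0x10
SECURITY_ACCESS = 0x27
NEGATIVE_RESPONSE = 0x7F
PROGRAMMING_SESSION = 0x02
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_CONDITIONS_NOT_CORRECT = 0x22
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35


class SimulatedEcu:
    """Hypothetical ECU answering 0x10 and 0x27 (requestSeed 0x01, sendKey 0x02).

    static_seed=None means a fresh random seed per request; a fixed value
    models the weak implementation the check is meant to catch.  key_xor is a
    toy derivation (key = seed XOR constant) standing in for the real one.
    """

    def __init__(self, static_seed=None, key_xor=0xA5):
        self.static_seed = static_seed
        self.key_xor = key_xor
        self.session = 0x01          # default session
        self.last_seed = None
        self.unlocked = False

    def request(self, payload: bytes) -> bytes:
        sid = payload[0]
        if sid == DIAG_SESSION_CONTROL:
            self.session = payload[1]
            return bytes([sid + 0x40, payload[1]])
        if sid == SECURITY_ACCESS:
            # Seed/key is only meant to be reachable outside the default session.
            if self.session != PROGRAMMING_SESSION:
                return bytes([NEGATIVE_RESPONSE, sid, NRC_CONDITIONS_NOT_CORRECT])
            sub = payload[1]
            if sub == 0x01:
                self.last_seed = (self.static_seed if self.static_seed is not None
                                  else os.urandom(4))
                return bytes([sid + 0x40, sub]) + self.last_seed
            if sub == 0x02:
                if self.last_seed is None:
                    return bytes([NEGATIVE_RESPONSE, sid, NRC_REQUEST_SEQUENCE_ERROR])
                expected = bytes(b ^ self.key_xor for b in self.last_seed)
                if payload[2:] == expected:
                    self.unlocked = True
                    return bytes([sid + 0x40, sub])
                return bytes([NEGATIVE_RESPONSE, sid, NRC_INVALID_KEY])
        return bytes([NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED])


def request_seed(ecu: SimulatedEcu) -> bytes:
    """Send requestSeed and return the seed bytes from the positive response."""
    resp = ecu.request(bytes([SECURITY_ACCESS, 0x01]))
    if resp[0] == NEGATIVE_RESPONSE:
        raise RuntimeError(f"NRC 0x{resp[2]:02X} on requestSeed")
    return resp[2:]


def assess_security_access(ecu: SimulatedEcu, samples: int = 8) -> list:
    """Return the list of seed/key findings for one ECU (empty list = clean)."""
    findings = []
    if ecu.request(bytes([SECURITY_ACCESS, 0x01]))[0] != NEGATIVE_RESPONSE:
        findings.append("seed served in default session (no session gating)")
    ecu.request(bytes([DIAG_SESSION_CONTROL, PROGRAMMING_SESSION]))
    seeds = [request_seed(ecu) for _ in range(samples)]
    if any(s == bytes(len(s)) for s in seeds):
        findings.append("all-zero seed returned")
    repeats = [s for s, n in Counter(seeds).items() if n > 1]
    if repeats:
        findings.append(f"seed reused across requests ({len(repeats)} value(s))")
    # A key identical to the seed must be rejected with NRC 0x35 and leave the ECU locked.
    resp = ecu.request(bytes([SECURITY_ACCESS, 0x02]) + seeds[-1])
    if resp[0] != NEGATIVE_RESPONSE or ecu.unlocked:
        findings.append("key equal to seed accepted")
    return findings


if __name__ == "__main__":
    print("random-seed ECU:", assess_security_access(SimulatedEcu()))
    print("static-seed ECU:", assess_security_access(SimulatedEcu(static_seed=bytes.fromhex("11223344"))))
    print("seed-as-key ECU:", assess_security_access(SimulatedEcu(key_xor=0x00)))
```

On a real bench the same `assess_security_access` logic sits behind an ISO-TP transport (for example python-can with an ISO-TP layer, or a DoIP client for Ethernet-attached ECUs) instead of the simulated `request` method; the findings list maps directly into the verification evidence that the cybersecurity case cites for the "diagnostic access" risk treatment.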

### Cybersecurity case documentation

The cybersecurity case is the per-project evidence package that demonstrates the cybersecurity goals were met. We support cybersecurity-case preparation as a deliverable alongside technical findings — including traceability between TARA risk treatments, design decisions, verification artifacts, and validation outcomes.

## Service mapping

Automotive engagements typically draw across:

- [IoT & Embedded Security](/services/iot-embedded-security/) — for ECU and embedded testing
- [Architecture & Cloud Review](/services/architecture-cloud-review/) — for TCU back-end and connected services
- [Mobile & App Security](/services/mobile-app-security/) — for companion mobile apps
- [AI/ML Security](/services/ai-ml-security/) — where ADAS or in-vehicle assistants integrate ML models

## Compliance and standards frame

Automotive engagements typically operate within:

- UN-R 155 / UN-R 156 (vehicle type-approval cybersecurity and SUMS)
- [ISO/SAE 21434](/knowledge/glossary/iso-sae-21434/) (the de-facto implementation standard for CSMS)
- ISO/PAS 5112 (guidelines for auditing cybersecurity engineering; the audit companion to ISO/SAE 21434 used in CSMS audits)
- China-market: GB/T 44464 (passenger vehicle cybersecurity), MLPS classification for connected services
- ISO 26262 alignment for safety-relevant cybersecurity work

## Engagement model

UN-R 155 readiness and CSMS gap assessment are typically [Custom Engagement](/engagement-models/custom-engagement/). TARA execution and ECU testing are typically [Scoped Assessment](/engagement-models/scoped-assessment/). Continuous engagement across multiple ECU programs is typically [Retainer](/engagement-models/retainer/).

> "Most of the substantive risk in an automotive cybersecurity program lives in TARA quality, not in ECU pentest depth. A high-quality TARA propagates correctly into the cybersecurity case and the verification activities; a TARA with anti-patterns inherits the drift downstream, where it surfaces at type-approval audit. That's why we publish the [Seven Anti-Patterns + Four-Question Review Protocol](/research/tara-quality-patterns/) as a free internal-review tool." — Tatiana K., CEO, Melina Security

## What buyers ask us first

In most discovery calls with automotive teams, the first three questions cluster:

1. **"Can you sign off on type approval?"** — No. UN-R 155 type approval is decided by accredited Technical Services. Our work informs the OEM's submission and improves its chances; we are not in the approval path.
2. **"Can you reconcile the OEM TARA with our supplier TARA?"** — Yes. The cybersecurity-interface agreement boundary is where most automotive engagements start. We facilitate a structured reconciliation workshop and document the outcome in a form that survives an audit.
3. **"How do we handle Chinese-market type approval alongside UN-R 155?"** — GB/T 44464 and MLPS classification for the connected-services tier are the relevant Chinese-market gates. Our [China-Compliance hub](/knowledge/china-compliance/) covers the framework; engagements split work into UN-R 155 readiness and China-market readiness as two parallel tracks against one TARA.

## Regulatory horizon

Automotive cybersecurity teams should be tracking three trends that will affect 2026-2028 engagement scope:

- **Software-update governance** — UN-R 156 (Software Update Management Systems) is now type-approval mandatory in many jurisdictions; the audit posture extends beyond the SUMS process document to evidence of update integrity, rollback handling, and change-control linkage to TARA.
- **AI/ML components in safety-relevant functions** — ADAS perception stacks, in-vehicle assistants, and driver-monitoring systems blur the line between cybersecurity and functional safety. Engagements increasingly need to address the model-input adversarial-robustness question alongside the conventional CAN-bus question.
- **Post-market obligations** — UN-R 155 imposes ongoing monitoring duties on type-approval holders. The cybersecurity case is not a launch document; it's a living record. Engagement structures shift toward retainer when this is taken seriously.

## How a typical Tier-1 engagement unfolds

A Tier-1 supplier with one ECU program and an existing process framework typically runs the following shape:

- **Weeks 1-2:** Discovery and scoping. Reviewing the existing TARA, cybersecurity-interface agreement, supplier-side process documentation, and the engineering schedule. We agree the in-scope ECUs, the test bench setup, and the cybersecurity-case structure.
- **Weeks 3-6:** Gap assessment against ISO/SAE 21434 work products. Technical bench testing on the ECUs (UDS service surface, firmware integrity, in-vehicle network behavior). Reconciliation workshop with the OEM cybersecurity team if applicable.
- **Weeks 7-9:** Reporting and remediation guidance. Cybersecurity-case input drafted in the format the OEM expects. Remediation workshop with the supplier's engineering team to clarify fixes.
- **Weeks 10-12:** Re-test on remediated items. Final cybersecurity-case input delivered. 60-day [remediation re-check](/methodology/) scheduled.

Multi-ECU programs run on the same shape but extend across quarters under [Retainer](/engagement-models/retainer/), with TARA updates and re-tests scheduled around the supplier's release cadence.

## Frequently asked questions

### Can you sign off as the third-party assessor for UN-R 155 type approval?

No. UN-R 155 type-approval assessment is performed by accredited Technical Services designated by the type-approval authority. We provide assessment and engineering support to the OEM or supplier — our work is input into the OEM's submission, not the type-approval decision.

### Do you work in Chinese-market automotive cybersecurity?

Yes. Chinese-market vehicles operate under a different regulatory frame (GB/T 44464 and related GB-series standards, MLPS for connected services, automotive Important Data under DSL). Our China-market work supports OEMs and suppliers operating in or selling into mainland China.

### What's the typical engagement length for a CSMS readiness assessment?

For a Tier-1 supplier with one product line and an existing process framework, 6-10 weeks for the gap assessment and 3-6 months for remediation alongside the supplier's engineering team. For an OEM building CSMS from a low maturity baseline, the readiness work is typically multi-quarter and structured as a retainer rather than a fixed assessment.

### How does the Seven Anti-Patterns catalog apply during an active TARA engagement?

We use the catalog as a structured input at TARA review checkpoints rather than as a closing audit. Internal reviewers can apply the [Four-Question Review Protocol](/research/tara-quality-patterns/) during TARA close-out — typically catching three or four of the seven anti-patterns within an hour of focused review. External cybersecurity-case auditors using the same catalog often surface the remaining patterns at type-approval review; addressing them in advance materially reduces audit-cycle cost.

### Do you support post-market obligations after type approval is granted?

Yes — UN-R 155 imposes ongoing monitoring duties on type-approval holders, and we structure post-market support as a [Retainer](/engagement-models/retainer/) covering quarterly threat-landscape review, TARA refresh on substantive design changes, and incident-response coordination if a field-discovered vulnerability emerges. The cybersecurity case is a living document, not a launch artifact, and the post-market support model reflects that.

### Related

- [What is TARA?](/knowledge/glossary/tara/)
- [What is ISO/SAE 21434?](/knowledge/glossary/iso-sae-21434/)
- [What is UN-R 155?](/knowledge/glossary/un-r-155/)
- [Is UN-R 155 the same as ISO/SAE 21434? — FAQ](/knowledge/faq/un-r-155-vs-iso-21434/)
- Companion research: [TARA Quality Anti-Patterns — A Practitioner Catalog and Four-Question Review Protocol](/research/tara-quality-patterns/)
