Truck parking AC OTA firmware updates & cybersecurity compliance (UNECE R155 / R156)

• Table of Contents

1. UNECE R155 cybersecurity: what it requires for parking AC
2. UNECE R156 software updates: signed firmware delivery
3. CAN-bus segmentation and lateral movement prevention
4. CSMS audit evidence package for fleet engineering

Since July 2024, all new heavy commercial vehicles type-approved in the EU, UK, Japan and South Korea must comply with UNECE Regulation R155 (Cybersecurity Management System) and R156 (Software Update Management System). These regulations apply not just to OEM ECUs but also to connected aftermarket equipment including electric parking AC systems. Vethy VS02 PRO and the V-FMSG-24 telematics gateway are fully R155/R156 compliant, with signed firmware OTA updates, ISO/SAE 21434 cybersecurity processes, and audit-ready CSMS documentation supporting fleet OEM type-approval workflows. This page documents the OTA architecture, firmware signing chain, and compliance evidence package needed by fleet engineering teams.

UNECE R155 cybersecurity: what it requires for parking AC

UNECE R155 mandates that connected vehicle systems implement: (1) Threat analysis and risk assessment (TARA) covering attack surfaces, (2) Cybersecurity management system (CSMS) audited by approved technical service, (3) Incident response and monitoring throughout vehicle lifetime, (4) Supply chain cybersecurity for component suppliers. Vethy VS02 PRO and V-FMSG-24 underwent TARA covering: CAN gateway interface, OTA firmware channel, BMS communication, mobile app pairing. CSMS audited by TÜV Süd in 2024 with re-audit cadence every 24 months.

UNECE R156 software updates: signed firmware delivery

UNECE R156 mandates that all software updates to vehicle systems use: (1) Cryptographically signed firmware images, (2) Verification before installation, (3) Rollback capability on failure, (4) Audit log of all updates. Vethy VS02 PRO firmware updates are signed using ECDSA-P256 with Vethy root CA stored in HSM (hardware security module) at Vethy production facility. Updates are delivered via V-FMSG-24 LTE connection, verified on-device against firmware signature, installed to inactive partition, then activated on next AC system restart. Failed installs auto-rollback to previous version. Full audit log available via CAN gateway.

CAN-bus segmentation and lateral movement prevention

A common cybersecurity threat vector is lateral movement from aftermarket equipment into safety-critical vehicle ECUs via shared CAN-bus. Vethy VS02 PRO architecture eliminates this risk: V-FMSG-24 operates on dedicated CAN-FD segment with hardware firewall (Vector CANalyzer-class filtering) preventing any frames from reaching tractor J1939 backbone. Even if V-FMSG-24 were compromised, the worst-case impact is loss of telematics visibility — vehicle safety systems remain untouched. This architecture is documented in the Vethy R155 TARA submitted to EU vehicle type-approval authorities.

CSMS audit evidence package for fleet engineering

Fleet engineering teams responsible for OEM type-approval (Volvo, Scania, DAF, MAN, Mercedes-Benz, Renault Trucks) frequently need to demonstrate that aftermarket equipment does not invalidate their R155/R156 compliance. Vethy provides a comprehensive CSMS evidence package: TARA report (200+ pages), ISO/SAE 21434 process documentation, TÜV Süd audit certificate, signed firmware change log (last 24 months), supply chain cybersecurity attestations (BMS supplier, MCU supplier, modem supplier), incident response plan. Package is delivered under NDA to qualifying fleet engineering teams.

Frequently asked questions

Does my fleet need to do anything specific for R155/R156 with VS02 PRO?

No active action required — Vethy VS02 PRO is type-approved as compliant aftermarket equipment that does not affect vehicle R155/R156 certification. Documentation provided to fleet engineering for archival.

How often does Vethy push OTA firmware updates?

Major firmware releases: quarterly. Security patches: as needed (typically within 30 days of CVE disclosure). All updates go through TÜV Süd validation before production release. Fleets can opt for delayed deployment (pilot fleet first) via Vethy OTA management portal.

Can a malicious actor remotely take control of my truck cabin AC?

The threat model is extensively documented in the Vethy TARA. Worst-case scenarios (full V-FMSG-24 compromise) result in loss of telematics visibility or unauthorized AC on/off commands — never vehicle safety system access. Defense-in-depth includes signed firmware, CAN gateway isolation, BMS-side fault detection, and physical air-gap on tractor J1939 backbone.

Where can I find Vethy's CVE disclosure and security advisories?

Vethy publishes security advisories at vethy.com/security and via the global ICS-CERT coordination process. Major OEM partners (Volvo, Scania, Mercedes-Benz) receive embargoed advance notice 30 days before public disclosure to coordinate fleet patch deployment.