Government discussions on how EU type approval regulations will affect UK law post Brexit are well under way. But will all the i’s be dotted and the t’s crossed when it comes to the future of vehicle cybersecurity? Neil Pattemore analyses the complicated situation.
The UK has left the EU, but the UK Government is planning to reference the EU Vehicle Type Approval Regulations in UK law. This will ensure that vehicles manufactured in the EU can be sold here and, equally, that those manufactured in the UK can be sold in the EU – a win-win situation.
However, these EU type approval regulations include the critically important principles and requirements that provide the basis for the aftermarket to access the vehicle, its data, the replacement spare parts, technical information, and technical training – pretty much everything that supports the aftermarket business models. This is therefore an important element of the vehicle type approval that the UK Government is planning to reference; perhaps we can all relax, safe in the knowledge that the legislation needed for the aftermarket remains in place.
A spanner in the works
I hate to be the harbinger of bad news, but there is a fly in the ointment, and this is where it starts to get complicated. There are other European regulations that will come into force over the next two years, and it is not yet clear how these may be referenced by the UK Government. Secondly, and more worryingly, there is a wider issue for Europe as well as the UK.
The problem stems from the EU’s ‘General Safety Regulation’, which will come into force in July 2022. This not only mandates a range of vehicle safety systems but will also require vehicle manufacturers to ensure that their vehicles remain ‘safe and secure’.
Correspondingly, vehicle manufacturers are designing their vehicles with multiple layers of cybersecurity protection and can implement these security requirements in a variety of ways – primarily, this protection will control all access to the vehicle, its data and functions.
It may be that access to the vehicle is still necessary to comply with the legislative requirements to diagnose, repair and maintain the vehicle, but this will still be an issue when attempting to obtain the security certificates needed, as the vehicle manufacturer is both the ‘system administrator’ and ‘gatekeeper’ of the vehicle.
These cybersecurity requirements are currently being finalised in the UNECE WP29 discussions and will then become part of the vehicle type approval. The vehicle manufacturer will develop their own cybersecurity management systems (CSMS) and will correspondingly document how this will protect their vehicles, together with the mitigation actions should an attack be successful. This documented CSMS will then form the basis of the vehicle type approval for cybersecurity. The UK will not only continue to directly reference the requirements of European vehicle type approval legislation, but will also act as a ‘contracting party’ to the UNECE.
Cause and effect
There are likely to be a number of significant effects when these cybersecurity requirements are fully implemented into new vehicles over the next two years. The most obvious will be that the access to the vehicle will be fully controlled by security gateways that will require electronic certificates to provide authorised access – simply plugging your diagnostic tool into the OBD port and accessing all the data needed will be a thing of the past.
In order to obtain these certificates, garages will need to register with the vehicle manufacturers, so that they will know who you are, what vehicles you are working on, and even what parts you are using. Although the legislator must also define the ‘rights and roles’ of what data and functions an independent workshop is allowed to access, there should also be ‘harmonised’ access (i.e. via a single access point) to the security certificates. Otherwise there will be different systems, conditions, and costs for each manufacturer – a proverbial ‘wild west’.
The SERMI (Security Repair and Maintenance Information) scheme is due to be referenced into type approval legislation before the end of this year. This will support the accreditation of independent workshops so that they can access anti-theft related data and parts, such as locks. It will use certificated access to the vehicle manufacturer (VM) website, and so could be adapted to provide harmonised access to the security certificates, but this does not change the fact that access to the vehicle will still be under someone else’s control – the VM.
Cybersecurity will also extend to replacement parts in the workshop, as they will need to comply with the in-vehicle security requirements, especially if the part has any electronic functionality. However, the first vehicle manufacturer has now applied a security process to replacement brake discs – only their authorised repairers using the OEM diagnostic tool can code them into the vehicle.
Arguments justifying why this will be necessary in the future are based on the manipulation of the vehicle, but are also due to the higher safety requirements for automated driving and the corresponding product liability of the VM. This will lead to greater use of VM original parts and will give more control to the VMs within the aftermarket.
Beyond the garage
This all leads to a combination of repair and maintenance information (RMI) data and certificates, and, potentially, more direct VM portal access for independent workshops. This also means that if the VM gives you a certificate, they will also want to be sure that you are using the correct VM-issued repair and maintenance information and OEM replacement parts in order to protect their liability.
Last but not least, it will become more difficult for tool manufacturers to develop one multi-brand tool to manage all the different VM approaches and handle the various certificate systems and their associated costs. Tool manufacturers might be obliged to license data and certificates from all VMs at a high cost, which cannot realistically be amortised by the current low subscription price for independent aftermarket (IAM) workshops.
Therefore, not only workshops, but also independent parts manufacturers, data publishers, and workshop equipment manufacturers will be heavily affected by a wider cybersecurity approach.
The good old days of ‘we can work on any car’ are about to end. Security will soon become the deciding factor – no longer reverse engineering, or ‘we will find a way’. The future of your business will be directly controlled by the VM’s cybersecurity strategy, which even with legislative ‘rights and roles’, will still impose a whole new way of independently working on your customers’ cars.