We are all familiar with the threat cybersecurity issues can pose, but could it even be threatening the very basis of your business? In the second part of our look at cybersecurity and data issues surrounding the independent aftermarket, Neil Pattemore investigates the tactics being used by OEs to lock out the competition.
So what exactly is the problem with ‘cybersecurity’? As vehicles have continued to develop the sophistication of their on-board systems, these systems have introduced advanced electronic control of the functions and increasingly sophisticated software. This in itself provides the potential basis for malicious attacks, but this would be on an individual vehicle basis and the reward would not be worth the effort for the criminal.
What has changed is the introduction of remote communication with the vehicle. So-called ‘telematics’ are now being fitted to all new vehicles to provide not only emergency ‘eCall’ services, but often also a wide range of commercial ‘vehicle-centric’ services. This effectively creates a ‘computer on wheels’.
These remote services are already becoming the basis for the vehicle service, maintenance and repair, as not only do they provide real-time vehicle data and information, but the (increasingly bespoke) service offer quotation, together with the acceptance of this quotation with the corresponding time and date of a workshop appointment, are all being offered to the driver remotely via the in-vehicle dashboard display. This significantly reduces the workshop and repair costs and unless an (independent) competing service provider has the same abilities, they simply cannot compete.
Unfortunately, this remote access is also more appealing to the criminal due to the huge volume of vehicles involved. Currently, the vehicle manufacturer retains complete control over access to the vehicle (including via the OBD port) and although some very basic data may be made available to independent operators (at a price), these data points do not support viable and competitive remote services. Quite literally, the vehicle manufacturer is in the driving seat when it comes to remote services, as they want to control all communication to/from the vehicle and are now using cybersecurity requirements to the disadvantage of their aftermarket competitors.
Vehicle type approval
Understandably, independent operators are in a vigorous debate with the legislator to obtain the same abilities to connect to the vehicle to directly access the vehicle-generated data and information, but this is not a simple discussion. The key issue is the clash between the changing requirements of the vehicle type approval legislation.
Since 2007, vehicle type approval legislation has required vehicle manufacturers to provide ‘non-discriminatory’ access to repair and maintenance information, e.g. vehicle information, together with diagnostic tools, technical training, or electronic service records. This is to ensure that both independent and main dealer workshops compete on a level playing field.
This vehicle type approval legislation was updated in 2020 to include further requirements for this RMI which included access to the OBD port and the ‘full data stream’ required for diagnostics, service and repair functions. It also included the vehicle manufacturer becoming part of the ‘nondiscrimination’ requirement as they are increasingly a service provider themselves. However, although this new legislation includes the intent, the practical details of how these various requirements will be provided are not only being disputed by the vehicle manufacturer, but other ‘general safety legislation’ also has an impact.
The key issue is how vehicle manufacturers are implementing their ‘cybersecurity management system’ (CMS).
Vehicle type approval regulations are developed at the UNECE in Geneva and referenced in legislation across the world – including the UK. Until now, all vehicle type approval requirements have been defined technically as standardised requirements (e.g. emissions, braking performance, headlight alignment/intensity etc.), but now there is ‘R155’ – the Cybersecurity Regulation – which requires the individual vehicle manufacturer to develop their own proprietary CMS which is assessed by a vehicle type approval body as part of the whole vehicle type approval.Vehicle manufacturers are now controlling all access to the vehicle and its data as part of their compliance with their type approval, but in doing so, are also the ‘system administrator’ and the arbitrator for the ‘rights and roles’ of anyone, or anything, that needs to communicate with the vehicle.
As an example of the impact that cybersecurity is already having, virtually all vehicle manufacturers have introduced a security gateway behind the OBD port on new vehicles, which requires an independent operator to register with the vehicle manufacturer to obtain a security certificate. This also requires them to disclose who they are, their customer’s vehicle details and the work which needs to be performed. This creates anti-trust and conflict-of-interest issues, so there may be a ‘middle ground’ where an intermediary company (such as a diagnostic tool manufacturer) can reduce the exposure of the independent workshop. Unfortunately this is just a ‘sticking plaster’ for the bigger problem of remote access to the vehicle, where embedded applications now run the diagnostic, service and maintenance functions.
Even if registering with the vehicle manufacturer provides some level of access, there are costs associated with the corresponding security certificates and the vehicle manufacturer controls what can be done through the rights and roles associated with the certificate. A good example is the way that in-vehicle access is controlled by certificates and codes which are currently only available to main dealers (e.g. ADAS component replacement), or the requirement for a dedicated certificate for each vehicle system, or that the certificate is session based (i.e. time limited).
The Cybersecurity Regulation provides the vehicle manufacturer with the legitimisation of controlling the aftermarket by setting all the criteria of who can communicate with a vehicle to perform competing services, with what parts, together with the required level of competence required from the technician – and much more. The days of the aftermarket simply ‘finding a technical solution around the problem’ have gone. The future of the sector now lies in the hands of the legislator.