A secure future?

Access to data, and to the vehicle itself is going to be one of the key battlegrounds for the automotive aftermarket in the 2020s

Published:  22 March, 2022

Life used to be so simple when running a repair workshop; Find suitable premises, equip the workshop with some lifts and diagnostic tools, employ some technicians and open your doors to the throng of customers who were queuing up to pay you money to have their vehicles repaired.
Of course, my description is very tongue-in-cheek, but fundamentally you were free to do what I have described above. When conducting these service and repair activities, you could also choose from a range of local parts suppliers who delivered several times a day to your door. “Perfick,” as David Jason used to say in the Darling Buds of May in those bygone days.
As time moved on and vehicles became more sophisticated, more advanced diagnostics were needed to address the more difficult-to-find faults and the work became more related to being a computer engineer who was used to finding software or communication network faults. To support the need for the aftermarket to be able to continue to offer vehicle owners and operators a competitive choice of where and how their vehicles could be serviced and repaired, the legislator introduced regulations that ensured non-discrimination between workshops (i.e. main dealer and independent workshops) to compete on level terms. These terms are contained in the Block Exemption Regulations introduced in 2002 and revised in 2010. However, this is all under Competition Law, which makes it difficult for SMEs (e.g. an independent workshop) to challenge any non-compliance with the legislation, so the legislator put detailed repair and maintenance (RMI) requirements into Vehicle Type Approval Regulations, originally in Euro 5 legislation in 2007 (and more recently when the vehicle type approval legislation was updated and simplified in 2018), where a non-compliance challenge is supported through the type approval process.
Over this period, the vehicle has increasingly become a sophisticated computer-on-wheels, with the corresponding embedded applications and remote access functions for a wide range of vehicle-related services.
Supported by these legislative requirements, the aftermarket has found a way to survive and thrive, supported by better levels of diagnostic tools, technical training and technical information.  Unfortunately, the world has now changed to reflect our love of mobile phones and the applications they support, including when in our car.

Real challenges
In automotive terms, this has led to the vehicle becoming compatible with Apple and Google operating systems and to host an increasing range of consumer-centric applications that are embedded in the vehicle, normally accessible via the in-vehicle dashboard display. This has all been made possible by the implementation of remote access using wide-area networks (mobile phone networks to you and I) and SIM cards embedded directly in the vehicle. The situation has also been further exacerbated by the mandatory introduction of eCall, the pan European system that automatically calls the emergency services in the event of an accident.
Although eCall is now a vehicle type approval requirement, it is dormant until triggered and is free to use, so vehicle manufacturers wanted to add additional remote services, not only to cover the costs of implementing eCall, but to enhance their product offer/brand value to the vehicle user and develop new business models using remote vehicle data.
This is where the real challenges for the aftermarket become such issues.

Legislative requirements
Other legislative requirements cover the general safety of a product, which requires a vehicle manufacturer to design their vehicles to be safe to use throughout their service life, while new requirements for vehicle type approval coming in July 2022 for new type approvals and from July 2024 for all vehicles already type-approved, will introduce ‘approval of vehicles with regards to cyber security and cyber security management system.’  This addresses the definition in the Regulation for cyber security which ‘means the condition in which road vehicles and their functions are protected from cyber threats to electrical or electronic components.’
Just think about that for a moment.
The vehicle manufacturers have designed vehicles that include a wide range of electronically controlled components and can connect to the vehicle remotely. They now have to ensure that this vehicle remains safe to use and cannot be compromised (i.e. attacked) by a cybersecurity hacker. The Cybersecurity Regulation (UNECE R155) requires a vehicle manufacturer to design their cybersecurity management system to address not only the design of the vehicle and its systems/components, but also to show how any threat or attack will be mitigated.
The general approach is therefore to block any access to the vehicle, its data, functions and replacement electronic parts unless authorised by the vehicle manufacturer. This also includes software updates, either in the workshop or over the air using the remote connection to the vehicle (UNECE R156). This cybersecurity activity has already started with OBD connector security gateways, with the associated security certificates, but is going to get a whole lot more challenging.
Furthermore, the vehicle manufacturers are now becoming much more active in providing aftermarket services, such as bespoke service and maintenance offers. These monitor the vehicle data generated by the driver when using the vehicle (i.e. driving style), as well as component function/replacement criteria and then a service quotation is sent to the vehicle, which is displayed on the dashboard. The driver then just has to confirm acceptance of the quotation, together with the location/date/time choices included in the offer with just a press of a button. Independent operators don’t get a look-in.

Mobility as a service
The vehicle manufacturer’s embedded diagnostics will also flag up when a fault has occurred, and again, propose a place and time for the vehicle to come to their workshop. This not only locks in the repair offer to the vehicle owner, but also reduces the cost of diagnosis and repair by up to 50%; Vitally important in not just offering a competitive repair, but also when that vehicle is part of the increasingly important mobility as a service where the cost of hiring the vehicle is influenced by its operational status and cost of service/maintenance.
All this is legitimised by the introduction of the cybersecurity regulations mentioned above. So, where does this leave the aftermarket and its continuing ability to provide competitive choices to consumers and avoid the vehicle manufacturers implementing their business plans that will divert the profit from the aftermarket across to them?
Quite simply, it leaves the automotive aftermarket increasingly reliant on the legislator to do two things. Firstly, accept that competition in the market has priority over cybersecurity. Secondly, implement legislation that is able to address complicated technical requirements that equally need to be able to address the rapidly changing demands of software and security functions. This is not going to happen unless the UK aftermarket works together to engage with the UK government, a situation not made any easier following Brexit and the need to create our own legislation.  Fortunately, an alliance of aftermarket organisations (aftermarket associations and commercial entities) are working together as UK AFCAR (the UK Alliance for Freedom of Car Repair), to do just that, but this takes significant resources and expertise. If you are not already a member of one of the UK AFCAR aftermarket association members, now is the time to become one.
The good old days have gone and the time for the aftermarket to come together is now. Without the inherent support needed by UK AFCAR, then the future of the aftermarket may be secure, but only for the vehicle manufacturers.


Related Articles


©DFA Media Group
Terms and Conditions