Regulations brought in to tighten up cybersecurity in cars could lead to new vehicles being refused type approval if manufacturers don’t meet standards by July 2022.
A white paper published last week by automotive engineering consultants HORIBA MIRA outlines what carmakers need to do to comply with the incoming rules.
A Cybersecurity Management System (CSMS) must be able to identify and respond to cyber attacks that could target a vehicle through any wireless means. The CSMS also has to pass relevant data back to manufacturers so they can analyse and combat the latest threats.
This would involve updating software as and when new dangers are identified, with over-the-air updates one method of equipping cars remotely. Unlike a car warranty, which expires after a certain amount of time or miles driven, carmakers are obliged to do this for a vehicle’s entire lifespan.
Meanwhile, vehicles themselves must go through an extensive risk assessment, and demonstrate that steps have been taken to mitigate the risks posed by cyber threats. Likewise, the supply chains used in the development and construction of vehicles need to provide evidence that they can guard against cyber attacks.
The new regulations have been set out following the United Nations Economic Commission for Europe’s (UNECE) World Forum for Harmonization of Vehicle Regulations, which offers a pathway for manufacturers to build cars in such a way that they can be sold worldwide in different markets.
Regulation 155 came into force in January this year, but won’t become a condition of type approval on new models in the UK or the EU until 6 July 2022. All newly registered vehicles – including those that were awarded type approval before this date – will have to comply with Regulation 155 by 7 July 2024.
Failing to meet the minimum standards required for type approval would mean a car couldn’t be sold to the general public.
“The impact of Regulation 155 will profoundly affect how road-going vehicles are designed, built and managed over their lifecycle,” said Anthony Martin, head of vehicle resilience technologies at HORIBA MIRA. “To avoid significant commercial liabilities – the worst of which will prevent the sale of vehicles that lack the requisite Type Approval – vehicle manufacturers need to act promptly to get a CSMS in place.
“Furthermore, they must establish that the scope and implementation of the CSMS is fit-for-purpose and ensure that their organisation is not just procedurally but also culturally aligned to a world where cybersecurity considerations will shortly become pervasive.”
The Society of Motor Manufacturers and Traders (SMMT) says some of its members had had a hand in drafting the new regulations, a process HORIBA MIRA also contributed to.
The firm is offering its services to manufacturers to help prepare for next summer’s deadline, and has suggested that some carmakers are further behind the curve than others in preparation for the new rules.
Speaking to Autocar, Paul Wooderson, HORIBA MIRA’s chief engineer explained: “The industry as a whole has known it’s coming and has been preparing for it behind the scenes for quite some time. So it’s not really a big surprise, but nonetheless it is a lot of work to get these processes and new ways of working in place.
“Some will have had a lot of this in place for some time and others will be starting from scratch. It’s certainly a mixture that we’ve seen.”
New registrations in the UK fell by 29.4% in 2020 largely thanks to the impact of Covid-19, and few manufacturers – if any – can afford to be refused type approval on new products in the aftermath of such a big market slump.