There is no doubt cybersecurity is a growing issue for carmakers. It seems like the issue exploded in 2015 when two computer guys remotely hacked into a Jeep Cherokee to show how anyone could take over a vehicle’s internal systems and create mischief. The event, which went viral, caused Chrysler to recall over 1.4 million vehicles to try to prevent future intrusions. The hacking also caused Congress to put pressure on the National Highway Traffic Safety Administration (NHTSA) to look into the possibility of hacking through the on-board diagnostic (OBD) port. NHTSA subsequently put pressure on vehicle manufacturers to take action to protect the OBD port from intrusions. The final result was a standard (J3138) developed by the Society for Automotive Engineers (SAE) that was really less of a standard and more of a “best practices” for OEMs in trying to protect the port from intrusions from diagnostic tools and dongles.
While there is nothing inherently wrong with the SAE OBD port protection standard, it fails to address a major issue: mainly that every manufacturer is now attempting to address cybersecurity in its own way. Such action threatens to create huge issues for those involved in vehicle repairs, including shops and tool suppliers.
The absence of a standardized approach to vehicle cybersecurity has become overly apparent with FCA (Chrysler). FCA has built into its model year 2018 cars a gateway that requires any scan tool attempting to connect to the OBD system to obtain authorization from FCA before being able to access many key areas of the on-board diagnostic system. While details are still coming out, it is not apparent yet how that authorization will be obtained and who will be responsible for getting it — technicians or scan tool companies.
I am not faulting FCA for attempting to develop a comprehensive gateway for their vehicle systems. The problem is every OEM is seeking its own solution for cybersecurity without accounting for the reality that those cars will be repaired in shops that fix multiple makes and models. While many car companies might prefer that their vehicles only be repaired by an “authorized dealer,” most off-warranty cars are repaired by independent repair shops.
Having standardized systems, such as an OBD connector, has worked well for everyone – OEMs, repair shops, dealers, and most importantly, vehicle owners. Shops armed with better service information and tools are able to ensure that cars are repaired properly the first time, making for more satisfied customers. Therefore, instead of developing silos for their cyber systems, OEMs should be seeking standardization that protects vehicles while still providing access to diagnostic systems.
The aftermarket, meanwhile, needs to help identify solutions that ensure independent shops can have safe access to vehicles so that they can still be diagnosed and repaired. The Auto Care Association, working with other groups, has developed a solution known as the Secure Vehicle Interface. SVI is a collection of 20-plus industry standards that provides for a firewall protecting critical vehicle systems while permitting an interface between the internal vehicle network and an external device or network — enabling secure information exchanges. The same firewall can protect wired and wireless connections, and identity and access are managed using digital certificates. Further, it is retrofit-able, so it can be used on cyber-vulnerable vehicles already on the road.
A major difference between the FCA system and SVI is that the latter is standardized, which means every OEM would implement it the same way. This would enable scan tool companies and shops to access the data they need to repair a vehicle, and it would protect vehicle systems from unauthorized access.
SVI is not a dream nor some far away goal. If you are attending AAPEX in Las Vegas, you will have the opportunity to see SVI in action during demonstrations of its capabilities. Hope to see you there.
Subscribe to Aftermarket Business World and receive articles like this every month….absolutely free. Click here.