Type approval cybersecurity deadline looming in 2022

Regulations brought in to tighten up cybersecurity in cars could lead to new vehicles being refused type approval if manufacturers don’t meet standards by next summer.

A white paper published last week by automotive engineering consultancy firm Horiba MIRA outlines what car makers need to do to comply with the incoming rules.

A cybersecurity management system (CSMS) must be able to identify and respond to cyber attacks that could target a vehicle through any wireless means. The CSMS also has to pass relevant data back to manufacturers so they can analyse and combat the latest threats.

This would involve updating software as and when new dangers are identified, with over-the-air software updates one method of equipping cars remotely. Unlike a car warranty, which expires after a certain time or mileage, car makers are obliged to do this for a vehicle’s entire lifespan.

Meanwhile, the vehicles themselves must go through an extensive risk assessment and demonstrate that steps have been taken to mitigate the risks posed by cyber threats.

Likewise, the supply chains used in the development and construction of vehicles need to provide evidence that they can guard against cyber attacks.

The new regulations, set out following the United Nations Economic Commission for Europe’s World Forum for Harmonization of Vehicle Regulations, offer a pathway for manufacturers to build cars in such a way that they can be sold worldwide in different markets.

Regulation 155 came into force in January this year but won’t become a condition of type approval on new models in the UK or the EU until 6 July 2022.

All newly registered vehicles – including those that were awarded type approval before this date – will have to comply with Regulation 155 by 7 July 2024.

Failing to meet the minimum standards required for type approval would mean a car couldn’t be sold to the general public.

“The impact of Regulation 155 will profoundly affect how road-going vehicles are designed, built and managed over their lifecycle,” said Anthony Martin, head of vehicle resilience technologies at Horiba MIRA.

“To avoid significant commercial liabilities, the worst of which will prevent the sale of vehicles that lack the requisite type approval, vehicle manufacturers need to act promptly to get a CSMS in place.

“Furthermore, they must establish that the scope and implementation of the CSMS is fit for purpose and ensure that their organisation isn’t just procedurally but also culturally aligned to a world where cybersecurity considerations will shortly become pervasive.”

The Society of Motor Manufacturers and Traders (SMMT) said some of its members had a hand in drafting the new regulations – a process to which Horiba MIRA also contributed.

Horiba MIRA is offering its services to manufacturers to help them prepare for the deadline and has suggested that some car makers are further behind the curve than others in preparation for the new rules.

Speaking to Autocar, Paul Wooderson, Horiba MIRA’s chief engineer, said: “The industry as a whole has known it’s coming and has been preparing for it behind the scenes for quite some time. So it’s not really a big surprise, but nonetheless it’s a lot of work to get these processes and new ways of working in place.

“Some will have had a lot of this in place for some time and others will be starting from scratch. It’s certainly a mixture that we’ve seen.”

New car registrations in the UK fell by 29.4% year on year in 2020, largely due to the impact of the Covid-19 pandemic, and few manufacturers, if any, can afford to be refused type approval on new products in the aftermath of such a big market slump.