Whose ECU is it anyway?
As vehicle networks grow in complexity and automotive cyber security falls under closer scrutiny from government legislators, OEMs are beginning to worry about who will carry the legal, financial, and administrative responsibility for vehicles which have undergone aftermarket maintenance and upgrades.
Aftermarket components are a large part of the automotive market with ECUs alone expected to account for over $58 billion in parts sales by 2023. This market has vexed OEMs and dealerships for many years, slowly eroding their profits and market share and creating administrative headaches with safety regulations, and customers who have made modifications to their vehicles before attempting to claim on warranties for repairs and replacements.
In addition to electronic components, non-dealership maintenance and the diagnostic tools market that supports it, has seen a strong surge in products and services that rival OEM brands. But is this really a problem? From a market perspective it provides balance, leveling out prices and preventing monopolies. However, from a cyber security perspective it raises a significant challenge.
Why are aftermarket components a problem?
It’s difficult to specify the number of actors with potential access to the in-vehicle network, they can range from the mechanics and vehicle owners plugging into OBDII ports, to technicians accessing telematics units, or anyone with physical or remote access to the vehicle, be they malicious or benign.
When you add to this anyone with access to ECUs and diagnostic tools at supply chain level the list expands exponentially. How can you possibly guard against that number of potential vectors? The answer is you can’t, not directly, or at least not without the prohibitive cost and effort required to restructure supply chain processes.
And whilst that may be an option for some OEMs and the Tier suppliers, to some it is prohibitively expensive and not all manufacturers will adhere to such standards, especially those in unregulated markets. Instead it is safer to work with the assumption that someone will find their way into the supply chain and aim to protect the vehicle at the network level instead.
What does the customer want?
When asked this question the most common response is usually ‘the cheapest option’. But it’s probably more accurate to say, ‘customers want the best solution to their problem’, and that does not always mean the cheapest. Just as vehicles are becoming more complex, so too are customer expectations and demands. Traditional markets are fragmenting and people are looking for specific solutions to specific problems, and they’re willing to pay for it.
The key to this change is the vast array of information available to the discerning consumer: How-to videos, blogs, guides and social network groups. In this kind of environment, it’s important to consider how customer expectations can be met, but also how to educate and manage those expectations.
The mechanically minded will always be interested in making their own adjustments to their vehicles and will weigh the pros and cons of violating a warranty. Of course, there are customers with cost in mind who will look to find the cheapest suppliers for components (and the mechanics to fit them), but there are also those with safety and security as their main purchasing drive. Those who will be more considerate of the penalties to their safety that non-optimal parts and labor may incur.
What can OEMs do?
It is unrealistic in the modern era to set punitive boundaries on vehicle maintenance and part replacement. In a sense this is what legislative frameworks are in place to enforce, to offer guidance and best practice to industry and to provide safety and freedom of choice to the consumer.
And that freedom of choice is the key. To offer it successfully you must be able to set clear boundaries and limits on what customers can and cannot do. Transparency and choice allow the customer to make decisions for themselves, providing clear information about the risks that their actions pose, be that hacking vulnerability, safety issues, or the risk of invalidating their warranty.
But to provide that transparency you need to be able to both monitor and secure the vehicle, and a good place to start is with a cyber security solution that not only protects the in-vehicle network from compromised ECUs and tools, but also monitors and reports on new connections and component installation. This combination will enable you to address warranty violations in real time, and protect the end-user from any critical safety or cyber security issues, be they from malicious actors, or the unintended consequences of aftermarket products. A win-win for both the manufacturer and the consumer.