Cybersecurity regulations: Are non-compliant cars more vulnerable?

7 months, 2 weeks ago - 07. May 2024, autocar
Cybersecurity regulations: Are non-compliant cars more vulnerable?
Makers have axed models due to new regulations, but what about those on sale that don't comply?

News that Porsche will continue to sell the 718 Boxster, 718 Cayman and Macan in the UK while withdrawing the models from the EU, where a forthcoming cybersecurity regulation will forbid their sale, might please British consumers, but its decision raises questions: what exactly will buyers be missing and will their cars be more vulnerable to theft or hacking as a consequence?

The UNECE WP.29 Cybersecurity regulation has been agreed by the EU and the UN and comes into force across the EU from 1 July. Models that don’t comply with it will no longer be eligible for new registration.

The regulation is concerned with vehicle cybersecurity, and every new car sold in the EU from then on must come with a certificate confirming that it’s protected against 70 vulnerabilities – including cyber attacks – during development, production and post-production.

The difficulty and expense of retrofitting models to satisfy the new regulation means many of them, including the Volkswagen e-Up, as well as the 718 and Macan, have been withdrawn from sale in the EU.

Because fewer cars are produced for right-hand drive markets, by default, most models covered by the regulation will also be withdrawn from sale in countries including the UK, which doesn’t as yet recognise it (although no domestic car maker could afford to ignore it).

However, as Porsche has demonstrated, where continuing to produce these versions is possible, they may continue to be sold. The new regulation arrives at a time when another – General Safety Regulation 2 – recently came into force.

As its name suggests, GSR2, which went live in July 2022, is concerned with vehicle safety and makes at least 20 technologies – including advanced emergency braking, driver drowsiness and attention sensing, and intelligent speed assistance – standard on all new models.

Many already are, of course, but the regulation now mandates their fitment. As with the UNECE WP.29 Cybersecurity regulation, bringing some older models into line with GSR2 has proved impossible, which is why the Renault Zoe, for example, was retired early.

The technologies demanded by GSR2 are key to the EU achieving its stated ambition of zero road deaths by 2050.

Accordingly, vehicles that are autonomous or that rely on satellite navigation are set to increase in number. Ensuring that they can’t be overridden or hacked by a third party is just one of the aims of the new UNECE WP.29 Cybersecurity regulation.

The fact is that cars are at risk of becoming as popular a target for hackers as mobile phones and desktop computers. Vehicle theft by electronic means is already a well-documented problem, but installing malware in a vehicle’s operating system and demanding payment for its removal is a growing issue.

Meanwhile, the increasing use of over-the-air updates by manufacturers presents its own problems. By strengthening a car’s cybersecurity and boosting manufacturers’ and consumers’ trust in it an array of autonomous and on-board digital services – including more advanced safety systems, vehicle-to-vehicle communication and even automatic payments – will become possible.

To achieve this level of access and convenience, data and cyber protection will need to be in place at every stage of a car’s design and production. It’s this level of protection that cars such as the 718 and Macan lack.

However, Porsche insists the models are secure. A spokesman said: “Although the processes now required by the new regulation could not be implemented because they were not then known and applicable when, for example, the 718 platform was developed, this does not mean that older Porsche vehicles are not, per se, secure.

“When it comes to current models, we regularly check the cybersecurity of our products and work together with the global security community using a publicly accessible interface.”

The Department for Transport has said that British manufacturers are already beginning to comply with the regulation and that work is under way to explore options for adopting it for new vehicles in the UK. However, it has given no indication when this work will be completed.

Until it is, the SMMT says consumers need not fear EU manufacturers dumping non-compliant models on the UK market. A spokesman said: “The cybersecurity requirements will apply to all vehicles sold in the EU and Northern Ireland, and manufacturers would be highly unlikely to build different versions of those vehicles just for Great Britain, so consumers here are also set to benefit.

While a very small number of models coming to the end of production may not be upgraded and stocks could theoretically still be sold in Great Britain for a limited time, given that right-hand-drive vehicles comprise only a tiny proportion of the overall EU market, any ‘offloading’ would be extremely improbable.”

Support Ukraine