The EOBD (European On Board Diagnostics) regulations require passenger cars and heavy duty trucks to provide a diagnostic connector conforming to ISO/DIS 15031-3/SAE J1962 to support communication of diagnostic information to off-board devices.
While the original requirement for the OBD port is to provide vehicle emissions data while the vehicle is operating, regulations evolved and now require the OBD port to also provide access to enhanced diagnostic information for vehicle repair and maintenance.
The OBD port use has become indispensable to licensed vehicle manufacturers and independent service providers for over a decade.
Thanks to the connectivity evolution, commercial fleets in particular have integrated vehicle diagnostic data with commercial fleet management and business practices.
This integration has resulted in improvements leading to the broad adoption of integrated vehicle diagnostic data within the connected fleet for over 15 years.
The associated benefits include improved safety, real time driver behaviour feedback/modification, predictive maintenance, and ultimately a more efficient fleet deployment system and commercial fleet business practices.
Beyond this, the OBD port has been proven to carry various environmental benefits by helping improve fuel economy and lower emissions.
Why are some within the industry in favour of restricting in-vehicle access to data such as currently provided by the OBD port when there are so many obvious benefits?
The concerns surrounding the OBD communication protocol came from the lack of intrinsic security provisions.
The security of a connected vehicle with a cellular OBD device relies in part on the OBD device and the telematics platform used.
However, the current security standards and best practices are voluntary. Researchers have reported on short-sighted cellular OBD device manufacturers not using current best practices.
They have demonstrated that vehicles with unsecured OBD device systems mean a cyber-adversary could interfere with vehicle data communication and in some cases vehicle operation.
Of course, it is not only cellular OBD device telematics systems that need to apply best industry cybersecurity practices.
As demonstrated by researchers, vehicle manufacturers have also been vulnerable to remote cyber-physical attacks without use of a 3rd party OBD device.
Closing in-vehicle connectivity to all except for original vehicle manufacturers would not address security directly, but rather block the innovation of mixed vehicle commercial fleets and dampen the integration benefits of mixed vehicle fleets into smart communities.
All of this in addition to shutting out future innovation from all the bright minds not employed by the vehicle manufacturer.
A secure architecture to connect a vehicle is required, but it should be done in a way that supports connected vehicle use cases, not constrains them.
The growing concern around vehicle connectivity and the management of data has been intensified by the General Data Protection Regulation (GDPR), a regulation that the European Parliament, the European Union (EU) and the European Commission will implement in a bid to strengthen and unify the protection of data across the EU.
Specifically, GDPR sets out strict requirements for the use, transfer, storage and protection of personal data of EU citizens by organisations and requires companies who collect or process that data to develop a good understanding about how it is handled.
Considering that the IoT marketplace is predicted to reach 20 billion devices by 2020, and world leaders are investing millions into the connected vehicle market, is connectivity truly something that should be ignored due to the fear of non-compliance?
Connectivity should be understood, embraced and securely handled. As technology and the IoT marketplace advance, it will be imperative for all key players and stakeholders to securely handle collected user information and collaborate in the advancement of industry security standards for the connected vehicle.
For the telematics industry in particular, closing the OBD port will only deny customers access to their own data, and block the business and environmental benefits of open data.
The work of leading telematics platform providers and the security community has already proven that open and secure access to data via the OBD port is not only possible, but equally as advanced as other options.
What’s important moving forward is for organisations to continue to push awareness of the compliance and safety benefits of the ODB port, while putting an emphasis on how up-to-date fleet management software and devices can also benefit fleet managers.
As GDPR approaches, fleet managers need to be aware of their legal requirements as collectors of personal data and those that must be met by suppliers when that data is processed.
If responsible TSP and secured OBD devices are used, there is every reason for mixed fleet managers to continue and expand the benefits of the OBD connected fleet.
For all connected mobility stakeholders to optimally benefit, a secured user and stakeholder centric model is needed not the other way around.
By Glenn Atkinson, vice president of product safety at Geotab