SERMA – data access and security

Access to security-relevant and theft-relevant vehicle information, and to repair and maintenance information (RMI), has to be guaranteed for independent automotive businesses. SERMA creates the prerequisites, and then cyber security measures can be added.

As far as the IT infrastructure in companies is concerned, the system administrator reserves the relevant "master rights" and protection mechanisms. No other employee can add new hardware, access sensitive data, install software or run an update. There are good reasons for this. The network, and each individual computer on it, should be protected against malicious software, malfunctions and certainly against unauthorised third-party access. Modern motor vehicles also have countless small computers, i.e. control units, which perform individual, sometimes highly complex tasks. These control units are networked and communicate with one another, so the vehicles accumulate sensitive data. But independent automotive workshops require such technical background information and also need access rights in order to carry out their work.

Only those who are authorised have access!

An automotive service professional in the workshop can most definitely be compared to a system administrator. While day-to-day business involves mechanical problems with gearboxes, clutches and brakes, which are rectified by qualified mechatronics technicians, the "teaching and programming" or "resetting" of hardware, software in general and access protection are increasingly coming to the fore. In principle, according to EU Regulation 2018/858, vehicle manufacturers have to grant independent automotive businesses access to all relevant data and functions so that such workshops are able to service and repair a vehicle accordingly. This also includes software updates. There is to be no competitive disadvantage between branded and non-branded businesses.

SERMA: at long last a standardised access solution

But in order to ensure that only authorised and qualified persons have protected access to the appropriate security-relevant and theft-relevant data, access to repair and maintenance information (RMI) via the manufacturer portals has been blocked since April 1, 2024. To gain access to the relevant data after logging in, you also need a personalised, electronic SERMA certificate. Ways and means to achieve a standardised access solution have been discussed for a very long time. SERMA can now offer such a solution.

In Sweden, the regulation has been in force since October 1, 2023. And in Denmark, Finland and Norway since February 1, 2024. The launch date for Belgium, Germany, Luxembourg, the Netherlands, Austria, Portugal and Spain was April 1. Other EU countries did not commence the SERMI procedure until June 1, 2024 or August 1, 2024.

Who needs SERMA certification?

SERMA (Secure Repair and Maintenance Authorisation) is the conformity assessment body. It stands for a Europe-wide harmonised accreditation system that helps independent market players to maintain and repair vehicles in a safe and secure way. This also applies if the security features of the vehicle are affected (e.g. by software updates). SERMI (Secure Repair and Maintenance Information) is then, so to speak, the pan-European institution that was founded to further develop, operate and maintain the system and the process. The two abbreviations SERMA and SERMI are usually used synonymously.

SERMA is relevant for independent automotive workshops that work with original manufacturer diagnostics, for companies that offer a remote diagnostics service (remote service) and also for authorised workshops that repair other vehicle brands. But SERMA is also of interest and significance for manufacturers or dealers of workshop equipment, tools or spare parts, for publishers of technical information or for breakdown services, for providers of inspection and testing services and indeed for training and further education institutions. And incidentally: companies that carry out tuning measures, such as changes to the engine's rated power output or to emissions behaviour, do not receive approval for SERMA as per EU regulations.

How the SERMA registration and verification process works

The electronic certificate can be obtained by motor vehicle/commercial vehicle businesses or by automotive mechatronics technicians after submitting an online application, for example via the SERMA application portal (https://register.serma.eu). There are also other certified service providers, such as KIWA or the Global Network Group TIC, through which an application is possible. In any event, an extract from the commercial register, proof of company liability insurance and the relevant current certificates of good conduct for all the individual employees are required. The conformity assessment body SERMA then has the task of checking the application for approval and authorisation of your employees.

If the test result is positive, SERMA grants access authorisation to precisely this theft-relevant and security-related repair and maintenance information (RMI). Authorised employees receive a personalised electronic certificate directly on their smartphone via an app (the Digidentity Wallet app). It is valid for five years. The test procedure is carried out in accordance with the EU-wide SERMI scheme and the Type Approval Regulation (EU) 2018/858.

Cyber security + gateways

From July 2024, the EU directive ECE R155 (cyber security) will also apply to all newly produced vehicles. This obliges manufacturers to protect their vehicles against security risks throughout a vehicle’s entire life cycle with the help of a cyber security management system (CSMS). This is just one of the things ensured by the manufacturers' cyber security gateways, which prevent general external access to the control units.

With the SERMA certificate, an automotive business is authorised to access security-relevant and theft-relevant data via the manufacturer portal. Does this also mean that the issue of cyber security gateways is sorted out once and for all? Not so, according to the experts at Hella Gutmann. They believe that the two security barriers should be considered separately. This is why the "Cyber Security Management" (CSM) function, which is free of charge specifically for workshops, has been implemented in the software of the diagnostic testers in the mega macs series. This function can also be used to communicate with secured vehicles via a security gateway. Hella Gutmann provides the so-called "Remote Service" for possible cases requiring the activation of components. So it more or less amounts to this: the SERMA certificate and the CSM function give you, as it were, all administrator rights.

Software updates "over the air"

Not least because many vehicle manufacturers also offer updates "over the air" or online activation of additional functions (or have made this a business model), the focus is most definitely on transparency and security. Automotive workshops, too, are increasingly carrying out updates or upgrades of this type for their customers.

Data is transferred via the mobile phone network or WLAN. Neither is always available in a stable state, and updates are sometimes aborted. Data integrity must therefore be guaranteed in order to avoid errors. This is in accordance with EU Directive R156 (software updates), which, from July 2024, will also apply to all new vehicles sold. According to the directive, the vehicle manufacturer must in any case ensure that the software is installed securely and that manipulation and unauthorised access are prevented. In addition, vehicle owners are to be clearly informed in advance. And this is the golden rule: only authorised updates may be installed!