Automotive Cybersecurity - State of the Industry 2024

As a cybersecurity product and services provider working across the automotive supply chain, we often receive the question, “What are other OEMs/suppliers doing about cybersecurity?” Although specifics about our clients remain confidential, this article will discuss the current state of automotive cybersecurity, focusing mainly on the U.S. market.

Spoiler alert: if your engineering processes don’t yet align with ISO/SAE 21434, you are trailing competitors who are already moving on to cost-saving solutions. And more standards and regulations are coming soon. Fortunately, there is an upside: those who implemented ISO 21434 early have produced lessons you can benefit from, and first-generation tools are now available to help you get ahead.

It has been two years since UN Regulation No. 155 took effect for new vehicle types, and the July 2024 deadline for all new vehicles is just around the corner. Many major OEMs and Tier 1 suppliers have already implemented a Cybersecurity Management System (CSMS). According to PwC’s Global Automotive Cyber Security Management System Survey [6], two-thirds of participating OEMs had already had their CSMS design audited by an external auditor as early as 2022.

Industry insights reveal two main points: first, continuously operating cybersecurity (monitoring, response, and updates throughout the vehicle’s life) has a significant impact on vehicle costs; second, meeting the standard does not by itself make the product more secure.

Today’s consumers demand more from their vehicles.

Unlike a 2008 vehicle with relatively static features, modern vehicle features are dynamically driven by user demand and can be delivered via software updates. A prime example is Tesla’s ‘one-pedal driving’ update, which modifies deceleration behavior to offer a more traditional driving feel and was delivered purely as an over-the-air update [2]. Even battery range and power increases have been delivered via software updates [3], [4]. Our expectations of vehicle functionality have less and less to do with simply getting around.

Automobiles last longer than your mobile devices

Unlike first-generation iPads, which today serve as little more than photo frames despite perfectly working hardware, vehicles must last as long as people keep driving them. Getting us from one place to another is, after all, still their primary function. Moreover, automobiles are safety-critical systems. They will therefore need regular updates well beyond the life of a typical smartphone, and the end of cybersecurity support can have life-threatening consequences. Current regulations have yet to address this issue in depth: for example, will you be allowed to keep driving a car whose steering could be remotely controlled by an attacker once it no longer receives security updates from the manufacturer?

The long-term costs of continuous threat and vulnerability monitoring and of software updates add unprecedented post-production expenses, significantly altering the economics for automotive manufacturers and suppliers.

The relationship between OEMs and suppliers has evolved as vehicles have become more complex. For years, OEMs outsourced much of the software and electrical/electronic (E/E) architecture to suppliers; recently that trend has reversed, with manufacturers taking back control, primarily because of software update support and cybersecurity needs [5], [7]. In the PwC survey mentioned above [6], 96% of respondents prioritized vehicle software architecture as a way to enhance cybersecurity and manage the associated risks.

Securing the automotive supply chain is challenging and cannot be accomplished effectively under the current, mostly outsourced model. Companies like Ford are consolidating code and bringing E/E architecture in-house, fundamentally changing supplier requirements [5]. This shift requires redefining how OEMs and suppliers collaborate to build and manage software that meets these evolving needs.

Block Harbor’s most requested services are establishing and managing Vehicle Security Operations Centers (VSOCs), conducting validation testing (penetration testing), and performing Threat Analysis and Risk Assessments (TARAs). These three services require highly specialized skills and fill major skill gaps. The real challenge in securing products, however, is consolidating and integrating the cybersecurity data generated by these activities into a single, comprehensive risk management system that spans the entire supply chain.

Whether risks are identified during a TARA or during design, development, validation, production, or post-production activities, they need to be analyzed quickly and efficiently by the right teams, and the appropriate mitigation strategy needs to be applied. Managing these required cybersecurity activities throughout the vehicle lifecycle, and across the whole supply chain, via documents is neither economical nor scalable. As an example, 20 outsourced cybersecurity-relevant items will generate 840 ISO 21434 work products (roughly 42 per item) that must be managed and exchanged between OEMs and suppliers. This is purely administrative work that does nothing to manage the product’s cybersecurity risks in real time, and it adds significant cost, process overhead, and opportunities for error.

This supply chain and product lifecycle centric risk management approach is not only what industry-leading OEMs are looking for; it is what we have been developing, based on our decade of industry experience (see VSEC). Managing the cybersecurity impact of continuous feature-driven development and of sustained cybersecurity support beyond the initial sale of a vehicle is neither easy nor quick; it is an ultra-marathon with countless routes to the finish. OEMs who adopt these solutions early will have an agility advantage over those who are merely checking regulatory boxes.

For OEMs, cybersecurity is not just business-critical; it is a quality requirement that sets the tone across their supply chains. High cybersecurity maturity will become a key competitive advantage, and suppliers who collaborate effectively with their customers on long-term cybersecurity challenges will thrive.

Steps suppliers should take include:

  1. Get ISO 21434 certified – Your initial implementation will likely be document-driven, but the standard guides the activities you should be doing and aligns your organization and sub-suppliers on a common set of important cybersecurity activities. Initial adopters took 30 months on average to implement a CSMS, but resources are more abundant now, and smaller Tier 1 suppliers have accomplished this in as little as six months.
  2. Find synergies – ISO 21434 and ISO 26262 (functional safety) share a similar lifecycle framework, which eases integration in automotive environments where functional safety processes are already established. The AVCDL [8] overlays many of these standards to show where they align. This book and this video series (in progress) may also help.
  3. Collaborate – Successful CSMS implementations often rely on strong external partnerships. Strengthen existing relationships and collaborate across your supply chain to streamline the adoption of ISO 21434, leveraging shared platforms and resources to reduce cost. Join Auto-ISAC, ASRG, ISO standards committees, and other cybersecurity collaborations to hear what’s happening and to make your voice heard.
  4. Stay up to date on regulations – Understanding both current and draft standards is crucial. We have listed some resources below.

This section lists current and developing standards, policies, and best practices shaping automotive cybersecurity. If I missed any, please reach out here and let me know! Also, please check ASRG’s standards page for a more thorough list.

Regulations & Government (Automotive)

Regulations & Government (US only, not specific to Automotive)

Standards & Frameworks

  • ISO/SAE 21434 – Road Vehicles — Cybersecurity Engineering
  • ISO 24089 – Road vehicles — Software update engineering
  • ISO/PAS 5112 – Road vehicles — Guidelines for auditing cybersecurity engineering
  • TISAX – Trusted Information Security Assessment Exchange
  • [under development] ISO/SAE PAS 8477 – Road vehicles — Cybersecurity Verification and Validation
  • [under development] ISO/SAE PAS 8475 – Road vehicles — Cybersecurity Assurance Levels (CAL) and Targeted Attack Feasibility (TAF)

Guidelines & Best Practices

[1]         PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, “Pedal to the Metal − How to Navigate the Way to Automotive Cybersecurity,” 2022.

[2]         S. D. Smith, “Tesla Reintroduces One-Pedal Driving Options With Latest Software Update,” 24 Apr. 2023. [Online]. Available: https://www.carscoops.com/2023/04/tesla-reintroduces-one-pedal-driving-options-with-latest-software-update

[3]         L. Collis, “Tesla launches software update following criticism of battery range ratings: ‘This is a welcome update’,” 26 Mar. 2024. [Online]. Available: https://www.msn.com/en-us/news/technology/tesla-launches-software-update-following-criticism-of-battery-range-ratings-this-is-a-welcome-update/ar-BB1ktLnd

[4]         D. Beard, “Tesla Model 3 Firmware Update Delivers Every Bit of Promised 5 Percent Power Increase,” 6 Jan. 2020. [Online]. Available: https://www.caranddriver.com/news/a30393484/tesla-model-3-firmware-update-power-performance-test

[5]         R. Stumpf, “Ford CEO Explains Why Legacy Automakers Take Forever to Issue OTA Updates,” 7 Aug. 2023. [Online]. Available: https://www.thedrive.com/news/ford-ceo-explains-why-legacy-automakers-take-forever-to-issue-ota-updates

[6]         PwC Germany, “PwC’s Global Automotive CSMS Survey 2022,” 2022. [Online]. Available: https://www.pwc.de/en/cyber-security/global-automotive-cyber-security-management-system-survey.html

[7]         D. Carney, “Why Software-Defined Vehicles Are the Future,” Design News, 22 Dec. 2022. [Online]. Available: https://www.designnews.com/automotive-engineering/why-software-defined-vehicles-are-the-future

[8]         Motional, “The Autonomous Vehicle Cybersecurity Development Lifecycle,” [Online]. Available: https://github.com/nutonomy/AVCDL