Securing Software-Defined Vehicles: Cybersecurity Essentials

Summary

– Many automotive companies treat cybersecurity as a subset of safety, assuming safety implies security, which is not always true.
– A functionally safe vehicle under ISO 26262 can still be highly vulnerable to cyber threats, especially with rising connectivity and software-defined architectures.
– Cybersecurity requires standalone attention, distinct from safety, with different standards like ISO 21434 for threat analysis and supply-chain security.
– Current organizational structures often underprioritize cybersecurity, funding it under safety budgets despite growing attack surfaces in software-defined vehicles.
– Decoupling security from safety enables clearer supplier requirements, faster threat response, and cross-functional oversight, but requires top-down organizational change.

The automotive industry faces a critical challenge as software-defined vehicles become the norm: cybersecurity can no longer be treated as an afterthought or simply bundled with safety protocols. Safety focuses on preventing unintentional failures, while security deals with deliberate threats. These are two fundamentally different concepts requiring distinct approaches.

Many manufacturers still operate under outdated assumptions, where cybersecurity teams share budgets and reporting structures with safety departments. This creates gaps in protection, especially as modern vehicles incorporate complex networks, over-the-air updates, and interconnected systems. A functionally safe vehicle under ISO 26262 standards might still harbor vulnerabilities to cyberattacks, leaving manufacturers exposed to risks ranging from data breaches to remote hijacking.

Why Safety and Security Need Separate Strategies

Currently, most automakers split security responsibilities across three teams: product security (PS), IT security, and operational technology (OT) security. Yet PS frequently remains tied to safety budgets, limiting its ability to address emerging threats effectively. As vehicles evolve into rolling data centers, the attack surface expands exponentially, covering everything from onboard sensors to cloud-based services.

A Unified Approach to Cybersecurity

Decoupling security from safety allows manufacturers to enforce stricter supplier requirements, such as:

  • Detailed threat assessments (TARA)
  • Transparency in software components (SBOM)
  • Cryptographic verification (CBOM)

By fostering direct collaboration between security teams and suppliers, automakers can elevate capability maturity and implement shared solutions. A cross-functional oversight layer is emerging to monitor risks across all vehicle connection points, ensuring rapid response to vulnerabilities.

The Road Ahead

The stakes are high: without proactive measures, manufacturers risk not just financial losses but erosion of consumer trust in an increasingly connected automotive future.

(Source: Help Net Security)
