Introduction
Imagine this. One fine morning, you start your car, and the infotainment screen welcomes you with your favorite playlist. A navigation route is preloaded based on your daily commute. But what if someone else was making those decisions for you? What if a cyberattack altered your route without your knowledge?

As we move toward fully autonomous vehicles, cybersecurity isn’t just about privacy; it’s about control. The question is no longer whether cars can be hacked but how we stay ahead of the threats.
According to Upstream’s 2025 automotive cybersecurity report, the automotive industry is experiencing a surge in cyber threats, with an increasing number of sophisticated attackers emerging from the deep and dark web.
One of the most concerning developments is the rise of large-scale cyberattacks capable of compromising vast fleets of vehicles or connected systems simultaneously. Rather than targeting individual components, attackers are now exploiting weaknesses in cloud services, software platforms, and API integrations to maximize disruption and impact.
Some of the notable large-scale automotive cybersecurity incidents in 2024 include:
- Kia Vehicles Vulnerability (June 2024): In June 2024, researchers uncovered a critical flaw in Kia’s web portal that allowed unauthorized control over internet-connected Kia vehicles manufactured after 2013. By exploiting this vulnerability, attackers could remotely access a vehicle using just its license plate number, enabling them to track its location, unlock doors, and even start the engine. Although Kia promptly addressed the issue, the incident underscored widespread security challenges in the automotive sector.
- Skoda Superb III Security Flaws (December 2024): In December 2024, cybersecurity researchers identified vulnerabilities in the Skoda Superb III model, affecting over 1.4 million vehicles. These flaws permitted hackers to access sensitive information such as GPS data and vehicle speed, record in-car conversations, and view the infotainment screen remotely. While critical driving controls like brakes and steering were not compromised, the incident raised significant privacy and security concerns.
- AutoNation Cyberattack Impact (October 2024): AutoNation, a prominent automotive retailer, reported a substantial drop in quarterly earnings in October 2024, partly due to a cyberattack on CDK Global, a software provider for car dealerships. This attack disrupted operations, leading to a 5.2% decline in AutoNation’s stock and highlighting the broader impact of cybersecurity breaches on the automotive supply chain.
The cyberattacks that have targeted the automotive sector serve as a clear warning that future threats are not a matter of IF, but a matter of WHEN. Without proactive security measures and timely mitigation strategies, the financial and safety repercussions could be catastrophic. As the industry continues to evolve, there is a growing recognition that cybersecurity is not just a priority—it is a necessity.

Cybersecurity Standards and Regulations
In the increasingly connected automotive world, many components, including infotainment systems, Advanced Driver-Assistance Systems (ADAS), EV charging infrastructure, and the entire supply chain, require robust cybersecurity measures to protect against potential cyber threats and ensure vehicle safety and functionality.
Consumer Burden & Mistrust
Traditionally, cybersecurity responsibility was often treated as an IT-specific concern rather than an industry-wide priority. There was also an indirect burden on consumers, such as requiring them to install software updates or use secure passwords.
There was also a general mistrust and reluctance to share vulnerabilities among stakeholders. This has improved with the adoption of vulnerability disclosure programs and the rise of collaborative efforts like Auto-ISAC.
Shift in Cybersecurity Ownership
The industry has recognized the critical importance of cybersecurity, and manufacturers, suppliers, and other stakeholders are now actively working together to set standards, best practices, and guidelines.
The adoption of common cybersecurity frameworks and the implementation of vulnerability disclosure mechanisms (e.g., Common Vulnerabilities and Exposures (CVE) identifiers) are becoming more standardized across the sector.
Regulatory & Industry Collaboration
Several regulatory and collaborative organizations have played a key role in developing cybersecurity regulations and guidelines for best practices. Such organizations include:
- EU (European Union): The EU plays a crucial role in shaping digital and cybersecurity regulations across member states, setting legally binding requirements to enhance cybersecurity, data protection, and digital resilience across industries, including the automotive sector.
- UNECE (United Nations Economic Commission for Europe): UNECE establishes international automotive cybersecurity regulations, including UN R155 and R156, to ensure cybersecurity and software update management in vehicles.
- CISA (Cybersecurity and Infrastructure Security Agency, USA): CISA safeguards critical infrastructure, including the automotive sector, by providing cybersecurity guidance, threat assessments, and incident response support.
- NHTSA (National Highway Traffic Safety Administration, USA): NHTSA promotes vehicle cybersecurity through research, regulations, and best practices to enhance road safety and prevent cyber threats.
- ISO (International Organization for Standardization): Develops global automotive cybersecurity standards like ISO/SAE 21434 to guide cybersecurity risk management.
- Auto-ISAC (Automotive Information Sharing and Analysis Center): A global industry-led initiative where OEMs, suppliers, and other stakeholders collaborate to share threat intelligence, best practices, and mitigation strategies to enhance vehicle cybersecurity.
- JASPAR (Japan Automotive Software Platform and Architecture): A Japanese industry consortium that promotes collaboration on cybersecurity measures for automotive software and network architectures.
Automotive Cybersecurity Standards & Regulations
Many standards and regulations to counter cyberattacks have been released in the past few years. ISO/SAE 21434 and ISO 24089, UN Regulations R155 and R156, the Cyber Resilience Act, and the Data Act are some of the standards and regulations that have come into force.
Understanding these standards/regulations and implementing the guidelines is a daunting but necessary step towards making future vehicles secure.
Standards vs Regulations
The key difference between standards and regulations is that regulations are laws that all stakeholders must comply with or face severe financial penalties, whereas standards are recommendations whose adoption helps counter increasing cyberattacks and ensures vehicle and end-user safety and security.
Each standard and regulation provides a specific set of requirements and guidelines. It is important to note that there are several commonalities and overlaps among the various automotive cybersecurity-related standards and regulations.
Secure by Design, Secure by Default
The shift in cybersecurity responsibility from consumers to manufacturers and product owners is not just a policy change, it is a fundamental transformation in how automotive systems are designed and secured. Recent standards and regulations emphasize this shift by embedding cybersecurity principles throughout the product lifecycle rather than treating security as an afterthought.
At the core of these requirements is the “Secure by Design” and “Secure by Default” approach, which ensures that security is proactively built into automotive systems from the ground up. This means that every phase—from concept and design to development, deployment, and maintenance—incorporates cybersecurity best practices to withstand evolving cyber threats.
Another common theme across these standards and regulations is the structured approach to risk and vulnerability management. By enforcing guidelines that mandate the prompt disclosure and mitigation of known vulnerabilities, the industry is moving toward a more transparent and collaborative security model. This ensures that threats are addressed swiftly, minimizing potential damage.
This two-pronged approach—integrating cybersecurity throughout the product lifecycle while continuously managing vulnerabilities—enables automotive manufacturers to build compliant, resilient, and future-ready systems. The iterative nature of these processes ensures that vehicles remain secure, not just against today’s cyber threats but also against those that will emerge in the future.

Key Standards and Regulations: A Brief Overview
As cybersecurity threats in the automotive industry continue to evolve, several standards and regulations have been established to ensure vehicles remain secure throughout their lifecycle. These frameworks provide guidelines for risk management, secure development practices, and regulatory compliance. Below is a brief introduction to some of the most critical standards and regulations shaping automotive cybersecurity today.
ISO/SAE 21434 establishes engineering requirements for managing cybersecurity risks across all lifecycle phases of a vehicle’s components, from concept and development to decommissioning. It provides a structured framework for cybersecurity processes, ensuring a common language for risk management. The standard applies to cybersecurity-relevant items and components in series production vehicles, including aftermarket parts.
The document emphasizes a risk-based approach, integrating cybersecurity into the supply chain and supporting continuous monitoring, incident response, and mitigation strategies. It promotes a defense-in-depth approach, using multiple security layers to protect against evolving threats and vulnerabilities in automotive systems.
ISO 24089 is crucial for ensuring the secure and reliable management of software updates in modern vehicles, which are increasingly dependent on complex digital systems. This standard provides a structured approach to implementing Over-The-Air (OTA) updates, reducing the risk of software-related issues that could compromise vehicle safety and performance.
The document emphasizes the implementation of organizational and project-level procedures for secure software update engineering. By complying with ISO 24089 requirements, automotive manufacturers can ensure consistency and quality in their software update infrastructure, packaging, and deployment, fostering greater trust among consumers.
R155 is a UNECE regulation for automotive cybersecurity and Cyber Security Management System (CSMS) requirements. It is a mandatory regulation for all EU countries and for a number of other countries that have decided to adopt it.
The regulation requires automakers to continuously monitor, detect, and respond to cybersecurity risks, ensuring protection against evolving cyber threats. Compliance with R155 is essential for obtaining type approval in many regions, reinforcing the industry’s commitment to secure vehicle systems, data protection, and resilience against cyberattacks. It works alongside R156 to enhance the security of modern, connected, and software-driven vehicles.
R156 is a UNECE regulation that establishes requirements for an automotive Software Update Management System (SUMS). It mandates that manufacturers implement a SUMS to ensure secure, reliable, and traceable software updates throughout a vehicle’s lifecycle. The regulation requires compliance with cybersecurity measures to prevent unauthorized modifications that could compromise vehicle safety and performance.
R156 also establishes guidelines for over-the-air (OTA) and physical updates, ensuring transparency and accountability in software version control. By enforcing strict validation and approval processes, it helps maintain vehicle integrity, security, and compliance with evolving regulatory and cybersecurity standards.
The Cyber Resilience Act (CRA) is an EU regulation aimed at improving the cybersecurity of digital products, including software and hardware, by setting mandatory security requirements throughout their lifecycle. It introduces obligations for manufacturers to ensure secure-by-design principles, vulnerability management, and compliance with cybersecurity standards.
For the automotive industry, CRA has a significant impact on In-Vehicle Infotainment (IVI) systems and connected services, requiring robust security measures to protect against cyber threats. Automakers and suppliers must ensure continuous monitoring, patching, and compliance, reinforcing cybersecurity across vehicles and digital ecosystems.
The EU Data Act is a regulation designed to establish clear rules on data access, sharing, and portability across industries, including the automotive sector. It ensures that users, businesses, and third parties can access and utilize data generated by connected devices while maintaining strong data protection and cybersecurity measures.
For In-Vehicle Infotainment (IVI) systems and connected services, the Data Act mandates that vehicle-generated data—such as user preferences, navigation history, and system diagnostics—be accessible to consumers and service providers while ensuring compliance with data privacy and security standards. This regulation promotes competition, innovation, and user control over automotive data.
Conclusion
The automotive industry is at a pivotal moment where cybersecurity is no longer an afterthought but a fundamental pillar of vehicle safety and functionality. The growing sophistication of cyber threats highlights the urgency of proactive cybersecurity measures, compliance with global standards, and industry-wide collaboration.
Standards and regulations like ISO/SAE 21434, UNECE R155, the Cyber Resilience Act, and the Data Act provide essential frameworks to address these challenges, but true security requires ongoing vigilance and adaptation.
As the industry continues to embrace the “Secure by Design” and “Secure by Default” principles, automakers, suppliers, and regulatory bodies must work together to ensure vehicles remain resilient against evolving cyber threats.
In the next part of this blog series, we will take a deep dive into ISO/SAE 21434 and UNECE R155, exploring their requirements in greater detail and providing practical strategies for achieving compliance while mitigating cybersecurity risks.
Let Abalta Help with Your Cybersecurity Needs
To learn more about how Abalta can help solve your cybersecurity needs, please email us at [email protected]!