Cooperation in the New Automotive Software Supply Chain: An Emphasis on Cybersecurity

While there have been many changes within the automotive industry since Toyota invented Just-in-Time (JIT) manufacturing in the 1960s, the automotive supply chain itself hasn’t seen much change within the past 60 years. The supply chain has been a solid vertical structure: Tier 2 suppliers provide subcomponents and materials to Tier 1 suppliers, who then supply OEMs with ready-to-install parts for assembly. This supply chain structure has been universally adopted because it is highly streamlined and efficient, both important attributes of vehicle production. Under this structure, automotive OEMs do not need to communicate directly with lower-tier suppliers, while every supplier focuses solely on fulfilling the orders of the upper-tier supplier. This all worked out great – until automotive software took over the vehicle.

This vertical structure made perfect sense in the past, when the automotive E/E architecture consisted of independent parts and domains. However, we are now approaching a different era in the automotive supply chain where, fueled by the growing need for connectivity and automation, in-vehicle systems are becoming more and more sophisticated and interconnected, with software now acting as a core component of the vehicle.

OEMs today are beginning to realize that the conventional manufacturing model no longer serves its purpose in the new era of software-defined vehicles. And with more and more EV startups entering the manufacturing game, conventional OEMs may need to redefine their supply chain to incorporate software development and cross-domain cooperation.

Growing Complexity of the Automotive Software Supply Chain

Name any car feature – more likely than not it is enabled by software. The modern vehicle runs on electronic systems and software that are stitched together to communicate with each other via the in-vehicle network. A typical vehicle today consists of up to 150 electronic control units (ECUs), which are essentially minicomputers equipped with processors. System software needs to be embedded in each of these ECUs to control a particular domain of functions, such as the powertrain, sensors, and infotainment.

As such, it would be an understatement to refer to the software-defined vehicle as “a computer on wheels.” A more accurate description would be “a computer network on wheels.” That’s because today’s vehicles run an average of 100 million lines of code. That is two to three times that of a PC operating system. And in fact, the level of complexity will only increase as more and more automated features and security systems are incorporated.

Under the current software supply chain structure, software vendors supply software development kits (SDKs) and modules to chipmakers, which supply the chips (e.g., ECUs) to OEMs or Tier 1 suppliers, who then stitch all these chipsets onto the parts and components, putting them in place within the in-vehicle network. However, most OEMs have very little experience in software integration. Although vehicular software has been around for decades, nothing has matched the magnitude and complexity of today’s software structure.

Moreover, OEMs and Tier 1 suppliers are accustomed to the vertical supply chain structure. Many are overwhelmed by this growing need for direct external communications and cooperation.

Therefore, as any organization with a strategic mind would, OEMs are outsourcing the work.

The Emergence of Software Providers and the Need for Cybersecurity

Due to the sheer volume and quick influx of software components, many OEMs choose to outsource software integration to a comprehensive software provider acting as a “Tier 1 software supplier.” Many existing Tier 1 suppliers have seen this as an opportunity to expand their software divisions, and because of this many OEMs have chosen to establish or acquire their own dedicated software provider. Some take it a step further by making plans to establish a proprietary operating system and platform on which all applications can be developed. CARIAD from the Volkswagen Group is one such example. As the dedicated software provider for the Volkswagen Group, the company has announced plans to release the Volkswagen Operating System.

It might be tempting for OEMs to maintain their old way of doing things by having software providers take charge of all software integration while the OEM focuses solely on inventory management, assembly, and quality control. However, the new supply chain landscape isn’t as straightforward, with quality control being the key difference.

While hardware components are very easy to standardize and inspect, the rules are different in the software game. Since every connected computer carries a cybersecurity risk, in the age of connected vehicles software and cybersecurity must go hand in hand. This means that a large part of software quality control is making sure that the software is free of vulnerabilities and flaws that may hinder its functionality and pose a cybersecurity risk. To do so, every piece of software needs to be rigorously tested prior to the release of a vehicle batch.

Additionally, similar to how OEMs are responsible for issuing hardware recalls, regulations are now holding OEMs accountable for software cybersecurity mismanagement and loopholes. The UN R155/R156 regulations set out by UNECE WP.29 mandate that all OEMs maintain an automotive cybersecurity management system (CSMS) and a software update management system (SUMS) for their vehicle fleets. This means that even after a vehicle is passed on to the consumer, its software must be continuously managed, monitored, updated, and patched in real time.

The bottom line: whether it is the OEM or the software provider in charge, the OEM will ultimately be responsible for cybersecurity management.

The Importance of Cooperation for Secure Software Implementation

At the end of the day, the job of both the OEM and the software provider is to ensure that cybersecurity risk within the automotive ecosystem is well managed and minimized. However, this should not be taken lightly, because cybersecurity management isn’t simply about buying security software from vendors and installing it into the systems.

In the sophisticated automotive software ecosystem, security measures must be incorporated and custom-built into the manufacturing process to ensure both secure implementation and cross-region interoperability.

Therefore, both OEMs and software providers must take an active role in cybersecurity and cooperate with firms specializing in automotive cybersecurity to facilitate secure software integration and implementation across all domains, from the embedded systems within a vehicle to the vehicle-to-everything (V2X) connections for autonomous driving and vehicle-to-grid (V2G) applications for EV charging.

The takeaway is this: the automotive industry has entered a new era – an era where value is no longer added step by step through vertical supply chains but generated from horizontal cooperation, and an era where the automobile is no longer a product, but a combination of services stacked on wheels.

To succeed in the new era of smart mobility, cooperation is the key.


To learn about how AUTOCRYPT’s in-vehicle systems (IVS) security solutions can help OEMs secure software integration and connectivity, contact global@autocrypt.io.
