Cyber Resilience Act Explained: What It Means for the Automotive Industry

With the rapid rise of products utilizing AI, IoT, and connected technology, there has been growing concern across all industries of the cybersecurity risks associated with embedded technology. In response, in December 2024, the European Union put into force the Cyber Resilience Act (CRA), aiming to raise the baseline for security for all digital products and solutions sold in the EU.

Though the regulation originated in Europe, its impact will be global, as today’s interconnected market and supply chain crosses borders. Here’s a closer look at the CRA, why it matters, and its implications on the world’s automotive sector.

What is the Cyber Resilience Act?

The CRA is a legal framework that outlines cybersecurity requirements for products (both hardware and software) with digital elements sold within the European Union. The CRA casts a much wider net than traditional IT systems, covering everything from smart watches and refrigerators to agricultural vehicles. In fact, the regulation applies not only to the products themselves but also to the full lifecycle of IoT and digital products.

The objective of the CRA is to improve consumer safety, build trust in the digital marketplace, and ensure that manufacturers are held accountable for the security of their products. With this overarching regulation, the hope is that the CRA will foster more transparency for the digital ecosystem, ultimately encouraging innovation while still protecting both businesses and consumers from emerging cyber threats.

The CRA mandates a “security-by-design” approach, which means that companies must integrate cybersecurity from design through the end-of-life (EOL). It also requires vulnerability management and updates, along with compliance and documentation.

Key Implications for Industries Utilizing Connectivity

More and more industries are implementing connected technologies into their supply chain, which means the CRA targets a wide range of industries, including defense, IT infrastructure, and robotics/smart factory, to name a few.

Healthcare & Medical Devices: Many healthcare products now boast connectivity and dedicated user support. Products like remote monitoring tools, smart implants, and other medical devices must secure processed data and ensure device integrity.

Smart Manufacturing: Factories often use IoT and smart automation to optimize their factory lines. Networks and real-time operations must protect against cyberattacks that could disrupt industrial processes.

Space & Defense Systems: Satellites and mission-critical technologies must use robust protection to safeguard against cyber threats and protect sensitive operations for national security.

Agricultural Machinery: Like connected vehicles, agricultural transport is becoming much more connected and software-driven, meaning vehicles like autonomous tractors and sensor-based farming equipment must comply with the CRA as well.

CRA: More than the Law

The CRA represents more than just regulation within the EU. It signals a global shift towards mandatory cybersecurity standards for connected solutions, including all types of vehicles. Early preparation will be key, as manufacturers must utilize security-by-design principles from the development stage of all products.

The CRA introduces a risk-based product classification system, allowing a transition period until December 2027 for full compliance.

CRA timeline infographic

A lack of cybersecurity resilience increases the likelihood of a cyberattack, which can not only lead to operational disruption and financial loss within a company’s supply chain and sales funnel, but can also result in legal ramifications. Non-compliance will result in fines of up to €15 million or 2.5% of global turnover and potential EU market bans, which could also result in a lack of brand awareness or, worse, a negative brand image.

Why the Automotive Industry Should Care

While most automotive vehicles are excluded from the CRA because its requirements overlap with existing regulations (like WP.29 R155 and the EU General Safety Regulation, GSR), certain automotive components such as digital components, aftermarket software, and connected services, as well as vehicles not covered under R155 (like construction or agricultural vehicles), are still subject to the CRA.

Vehicles are complex digital ecosystems, and with more and more technology being embedded into the architecture, compliance will also become more complex. While the details of the CRA are still being worked out, the automotive industry will have to move quickly, as the impacts of the regulation will be wide-ranging. Manufacturers and suppliers can begin by aligning with existing guidelines for cybersecurity resilience in vehicles:

 •  Standard and Regulation Compliance: Automotive manufacturers will have to ensure that they comply with the existing regulations like UNR-155 and GSR, and are recommended to follow standards like ISO/SAE 21434 when it comes to vehicle architecture and connected platforms.

 •  Secure OTA Updates: Manufacturers can ensure that their Over-the-Air (OTA) capabilities are secure and efficient, and ensure that vulnerabilities are patched in real-time.

 •  Regular testing: Testing current architecture for vulnerabilities can be a great starting point to analyze where mitigation is needed.

 •  V2X security and Security Credential Management Systems: While a Security Credential Management System (SCMS) isn’t explicitly required by the CRA, it can support compliance by demonstrating security best practices.

AUTOCRYPT has been closely involved in cybersecurity regulatory compliance from the early stages, focusing on practical, optimized solutions for manufacturers and suppliers. Our expertise in automotive and IT cybersecurity empowers our partners to seamlessly meet regulatory requirements while strengthening their product reliability and market competitiveness and maintaining a positive brand image.

To learn more about the CRA, click here. To contact our team about how your company can get started with CRA compliance, contact global@autocrypt.io.

Post-Quantum Cryptography, and the Future of Automotive Cybersecurity 

Lately, there has been a lot of anxious discussion about quantum computing. There are concerns that once quantum computers become available, all IT systems will collapse and be hacked; some blockchain enthusiasts worry that cryptocurrencies will become obsolete; governments worry that national security systems may be compromised. Are these valid concerns? In today’s blog, we’ll explore what quantum computers are and what we can do to manage concerns about the future.

What is Quantum Computing?

The modern-day computer uses “bits” as the basic unit, while quantum computers use “qubits.” The key difference is the way that qubits exist. For example, a bit can be a 0 or a 1, but a qubit can be a 0, 1, or both at the same time. Imagine a spinning coin. While spinning, a coin can be both heads and tails. In quantum mechanics, this is called the principle of superposition, and this superposition allows for quantum computers to process many possibilities simultaneously.  

Another interesting property of qubits is entanglement. When qubits are “entangled,” the state of one qubit is directly related to the state of another. This means that if a qubit changes its state, it will instantly affect the other. This phenomenon of qubits enables quantum computers to perform complex calculations far more quickly than a computer using bits, which processes information in a linear, sequential manner.  

Quantum computers are still in the early stages of development, and larger tech companies have already begun to create and use quantum computers for research and experimentation. Many experts will say that the quantum computers available today have a relatively small number of qubits and are susceptible to errors. However, some are optimistic that the technology will achieve more accuracy and broader use very soon. 

What is Post-Quantum Cryptography (PQC)?

While quantum computing holds great promise for solving more complex problems, it also presents a great risk. If misused, quantum computers could, in theory, break encryption methods that secure sensitive data like personal communications, banking transactions, and even confidential government data.  

This is why the development of Post-Quantum Cryptography is crucial to safeguard against this potential threat.  

Post-quantum cryptography (PQC), in simple terms, refers to cryptographic algorithms that are secure even in quantum computing environments. Unlike the traditional cryptographic systems we use today, such as RSA or ECDSA, PQC algorithms rely on mathematical structures that quantum computers are less likely to break, such as lattice-based, hash-based, code-based, or multivariate polynomial-based constructions.

Developing PQC for different use cases is essential because if we wait until quantum computing reaches supremacy, it could quickly render current cryptographic systems obsolete, leaving data vulnerable. The transition to PQC should begin now, as preparing for a quantum future will require proactive effort to ensure cybersecurity frameworks remain intact and resilient.  

PQC Standardization and Regulatory Development

In 2016, the National Institute of Standards and Technology (NIST) launched a competition to standardize PQC. Researchers from all over the world submitted algorithms; 82 proposals were reviewed over several rounds, and in 2022 four algorithms were chosen: SPHINCS+, CRYSTALS-DILITHIUM, CRYSTALS-KYBER, and FALCON. NIST is incorporating these algorithms into the Federal Information Processing Standards (FIPS), and additional rounds will likely select new algorithms for digital signatures or other uses.

In April 2024, the European Commission published a recommendation for member states to develop a strategy for implementing PQC, which would define clear goals and timelines for the implementation. This has led several workstreams and think tanks to actively participate in developing and implementing PQC into the European digital infrastructure.  

In 2022, the U.S. passed the “Quantum Computing Cybersecurity Preparedness Act,” which included a federal mandate for federal agencies to transition to PQC. The NSA announced that by 2035, all national security systems should implement PQC.  

In South Korea, the transition to PQC is being actively addressed by the National Intelligence Service and the Ministry of Science and ICT. They released their roadmap for transitioning to quantum-resistant cryptographic systems in 2020, and the roadmap was designed to span over a 15-year period, setting the goal of fully integrating PQC by 2035. 

PQC in Automotive Cybersecurity

The global implementation of PQC roadmaps is ongoing, and use cases can vary across governments and organizations, but one of the most important areas is the automotive industry. As modern vehicles are increasingly becoming software-centric, vehicle architecture is becoming increasingly sophisticated, integrating advanced connectivity features like OTA updates and V2X communications. These advancements enable smarter and more convenient mobility but also create a myriad of cybersecurity challenges if the vehicle architecture is breached, as many of the cryptographic methods were designed for more traditional computing environments.  

However, though regulations and standards do not yet mandate its implementation, manufacturers, suppliers, and solution providers in the industry have already begun to explore and evaluate PQC implementation:  

  • NXP Semiconductors is developing quantum-resistant firmware updates for vehicle applications 
  • Vodafone is testing PQC-secured VPNs, which is focused more on network security, but the company states it could be extended to connected vehicle applications 
  • LG U+ showcased its PQC-based applications like secure digital keys and infotainment systems at CES 2023, and continues to develop quantum-resistant technology for network and cellular applications 

As with traditional IT systems, once quantum computing reaches supremacy, vehicle systems could be vulnerable to attacks. Transition to PQC before quantum computing reaches practical implementation is crucial, as many worry that bad actors could already be stockpiling encrypted automotive data, waiting for quantum computing to enable them to decrypt, a long-term attack strategy known as “Harvest Now, Decrypt Later” (HNDL). 

Preparing for the Post-Quantum Future

While there’s no way to know when quantum computers will reach practical supremacy, one thing is clear: the transition to PQC is no longer a theoretical need but an urgent necessity, especially in vehicle applications.

However, transitioning to PQC-based solutions comes with its own set of challenges. PQC algorithms require a greater amount of computational power, which can be a concern for existing automotive hardware. This is why early testing, standardization, and collaboration will prove to be invaluable for realistic integration.

The dilemma is not whether we should implement PQC but how quickly we can make it a reality. The automotive sector has a lot of work to do, and security solutions providers like AUTOCRYPT are on track to ensure that the transition happens efficiently and securely. 

 


To stay informed about the latest news on mobility tech and software-defined vehicles, read our blog for more technology insights or subscribe to AUTOCRYPT’s monthly newsletter.

Exploring Maneuver Sharing and Coordinating Service (MSCS) in Autonomous Driving

Autonomous driving is advancing rapidly, with self-driving cars being tested in urban mobility, highways, and logistics. Have you ever wondered how these vehicles communicate to navigate safely? Unlike human drivers, who rely on signals and intuition, autonomous vehicles use data-sharing systems. This blog examines the limitations of cooperative driving systems and introduces Maneuver Sharing in Autonomous Driving through the Maneuver Sharing and Coordinating Service (MSCS) as a solution to improve vehicle communication, safety, and efficiency.

Current cooperative autonomous driving systems rely on Basic Safety Messages (BSMs) within Vehicle-to-Everything (V2X) communication. Each vehicle regularly transmits BSM data, sharing essential information such as speed, position, and heading with surrounding vehicles. This allows vehicles to assess potential collision risks and respond accordingly.

However, BSMs alone cannot convey the intent behind a vehicle’s movements. As shown in the graph below, a BSM provides only fundamental status data without explaining why a vehicle is moving in a certain way.

Basic Safety Messages within V2X

In other words, while BSMs enable cooperative autonomous driving, they lack the capability to communicate driving intentions. If vehicles could understand the purpose behind each movement in advance, particularly in emergency situations, driving safety and efficiency would significantly improve.

Real-World Scenario: The Need for MSCS

To illustrate this, let’s define two key entities:

  • HV (Host Vehicle): The vehicle transmitting its movement intention.
  • RV (Remote Vehicle): The vehicle receiving the movement information.

Now, consider a different scenario: What if the HV had already informed nearby RVs of its intent to change lanes in advance? In that case, the RV could adjust its route ahead of time, leading to a smoother and safer driving experience.

The same idea applies beyond driving. In any situation, whether at work, in school, or during teamwork, understanding someone’s intentions before they act allows for better planning, coordination, and overall efficiency.

What is MSCS?

To overcome the limitations of BSMs, the Maneuver Sharing and Coordinating Service (MSCS) offers a smarter approach to cooperative driving.

MSCS enhances V2X communication by enabling vehicles to share their intended maneuvers. Understanding the purpose behind a vehicle’s movement enables better analysis and response, enhancing overall road safety and efficiency.

Unlike traditional BSM-based driving, which reacts to real-time data, MSCS enables proactive decision-making by considering the planned maneuvers of surrounding vehicles. This advancement leads to a smoother and more coordinated driving experience.

Autonomous Maneuver Sharing in SAE J3186 standards

MSCS operates in compliance with the SAE J3186 standard, which defines its primary use cases as:

  1. Cooperative Lane Change
  2. Cooperative Lane Merge

These scenarios demonstrate how MSCS enables smoother lane changes and merges by allowing vehicles to communicate their intended movements. Through MSCS, vehicles notify one another and cooperate to execute maneuvers safely.

It is important to note that MSCS is designed to function based on vehicle intent and follows two distinct communication protocols:

  1. General Vehicle Protocol: Requires mutual negotiation through request and response interactions.
  2. Emergency Vehicle Protocol: Prioritizes emergency vehicles (e.g., ambulances, police cars) without requiring negotiation from surrounding vehicles.

In general, standard vehicles (following the General Vehicle Protocol) must yield to emergency vehicles (following the Emergency Vehicle Protocol). This ensures that special-purpose vehicles can operate efficiently without mutual negotiation.

By implementing MSCS, vehicles can share movement intentions, enabling others to adapt proactively. This results in safer, more efficient, and cooperative autonomous driving.

MSCS and MSCM

Next, let’s differentiate between MSCS and MSCM to explore the operational aspects of MSCS.

  • MSCS (Maneuver Sharing and Coordinating Service): The overall system that enables maneuver coordination
  • MSCM (Maneuver Sharing and Coordinating Message): The message exchanged between vehicles to communicate movement intent

The graph below illustrates the structure of MSCM:

Structure of Maneuver Sharing and Coordinating Message (MSCM)

In MSCS, a Maneuver represents a coordinated movement involving multiple vehicles, while a Sub-Maneuver refers to the individual actions each vehicle takes to carry out that Maneuver.

The Executing Vehicle (HV) initiates the Maneuver request and identifies surrounding Affected Vehicles, which receive MSCM messages to coordinate movement. HV must obtain agreement from Affected Vehicles unless it is an emergency vehicle.

MSCM Data Structure

MSCM messages contain key data components, including the MSCM Type, which classifies messages into one of eight types:

Autonomous Maneuver Sharing: MSCM Type

Additionally, each Maneuver in MSCM consists of multiple Sub-Maneuvers, structured as follows:

Sub-Maneuvers Data

In conclusion, there are 8 types of protocols for each Maneuver in MSCM.

MSCS Operational Process

To understand the operation of MSCS, let’s examine how it functions in standard vehicles. The system follows three sequential stages:

  1. Awareness State
  2. Maneuver Negotiation State
  3. Maneuver Execution State

  1. Awareness State
    • This is the preliminary stage of MSCS operation
    • While vehicles are aware of their surroundings via BSM, they have not initiated MSCS yet
    • Only MSCM Type 0 messages (intention notifications) can be sent in this stage
  2. Maneuver Negotiation State
    • Vehicles begin negotiating the execution of a Maneuver
    • Emergency vehicles skip this step, as negotiation is not required
    • MSCM Types 1-3 are used to request and confirm Maneuvers, while Types 4-5 handle cancellations
  3. Maneuver Execution State
    • Vehicles execute the approved Maneuver
    • The HV and RV reach a mutual agreement and act accordingly
    • MSCM Type 7 messages confirm execution, and the Maneuver concludes when all Sub-Maneuvers are completed.
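
The three stages above can be enforced on the receiving side as a per-maneuver state check that drops MSCM types arriving out of sequence. This is an added sketch, not code from AUTOCRYPT or from SAE J3186. Assumptions: which type opens and closes negotiation, the `emergency_sender` flag (taken to come from an already verified sender credential), the `submaneuvers_left` field, and the rejection of Type 6, whose role the article does not describe.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    AWARENESS = 1
    NEGOTIATION = 2
    EXECUTION = 3


# Message types accepted in each state, following the grouping in the article.
ALLOWED = {
    State.AWARENESS: {0},
    State.NEGOTIATION: {1, 2, 3, 4, 5},
    State.EXECUTION: {7},
}
CANCEL_TYPES = {4, 5}
OPENS_NEGOTIATION = 1   # assumption: lowest type of the request/confirm group
CLOSES_NEGOTIATION = 3  # assumption: highest type of the request/confirm group
NOT_DESCRIBED = {6}     # the article does not say what Type 6 does


@dataclass
class Mscm:
    maneuver_id: int
    msg_type: int
    emergency_sender: bool = False  # assumption: set from a verified credential
    submaneuvers_left: int = 0      # hypothetical field, read only for Type 7


@dataclass
class Session:
    state: State = State.AWARENESS
    intent_seen: bool = False


class MscmStateChecker:
    def __init__(self):
        self.sessions = {}

    def state_of(self, maneuver_id):
        return self.sessions.get(maneuver_id, Session()).state

    def check(self, msg):
        # Rejected messages never create state, so spoofed ids cannot grow the table.
        s = self.sessions.get(msg.maneuver_id) or Session()
        verdict, finished = self._step(s, msg)
        if verdict == "accept":
            if finished:
                self.sessions.pop(msg.maneuver_id, None)
            else:
                self.sessions[msg.maneuver_id] = s
        return verdict

    def _step(self, s, msg):
        if msg.msg_type not in range(8):
            return "reject: unknown type", False
        if msg.msg_type in NOT_DESCRIBED:
            return "reject: type not modelled", False
        if s.state is State.AWARENESS:
            if msg.msg_type == 0:
                s.intent_seen = True
                if msg.emergency_sender:      # emergency vehicles skip negotiation
                    s.state = State.EXECUTION
                return "accept", False
            if msg.msg_type == OPENS_NEGOTIATION and s.intent_seen:
                s.state = State.NEGOTIATION
                return "accept", False
            return "reject: out of state", False
        if msg.msg_type not in ALLOWED[s.state]:
            return "reject: out of state", False
        if s.state is State.NEGOTIATION:
            if msg.msg_type in CANCEL_TYPES:
                return "accept", True         # cancelled: back to Awareness
            if msg.msg_type == CLOSES_NEGOTIATION:
                s.state = State.EXECUTION
            return "accept", False
        # EXECUTION: the maneuver ends once no Sub-Maneuvers remain.
        return "accept", msg.submaneuvers_left == 0


def replay(trace):
    checker = MscmStateChecker()
    return [checker.check(m) for m in trace], checker


# Constructed traces (not captured traffic).
LANE_CHANGE = [Mscm(1, 0), Mscm(1, 1), Mscm(1, 2), Mscm(1, 3),
               Mscm(1, 7, submaneuvers_left=1), Mscm(1, 7)]
SKIPPED_NEGOTIATION = [Mscm(2, 0), Mscm(2, 7)]
EMERGENCY = [Mscm(3, 0, emergency_sender=True), Mscm(3, 7)]
CANCELLED = [Mscm(4, 0), Mscm(4, 1), Mscm(4, 4), Mscm(4, 3)]

if __name__ == "__main__":
    for name in ("LANE_CHANGE", "SKIPPED_NEGOTIATION", "EMERGENCY", "CANCELLED"):
        print(name, replay(globals()[name])[0])
```
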

In conclusion, Maneuver Sharing and Coordinating Service (MSCS) represents a significant advancement in autonomous driving, allowing vehicles to communicate their movement intentions and not just their basic status. By enhancing Vehicle-to-Everything (V2X) communication, MSCS improves safety, coordination, and efficiency on the road. Unlike traditional systems that react to real-time data, MSCS enables proactive decision-making, particularly in complex scenarios like lane changes or merges.

With protocols that prioritize emergency vehicles and ensure smooth coordination, MSCS creates a structured environment for vehicles to work together seamlessly. This proactive approach helps prevent collisions, reduces traffic congestion, and leads to safer, more efficient roads. As autonomous vehicles continue to evolve, MSCS will be at the forefront of shaping a future where roads are not only safer but also smarter, bringing us closer to a fully integrated, autonomous transportation system.

 



AI In Automotive Cybersecurity

The rise of artificial intelligence is signaling disruption in the technology industry. The likes of Microsoft, Google, and OpenAI are spearheading fierce competition to create the most advanced artificial intelligence aimed at improving the way we interact with technology. While intelligent language models like ChatGPT are already fascinating people with their abilities to deliver answers to given prompts, AI technologies currently available to the public are just the tip of the iceberg. In the automotive industry, artificial intelligence can streamline operations and improve efficiency throughout the supply chain. Utilization of artificial intelligence in the automotive cybersecurity sector can especially benefit threat detection and response.

The Need for Strengthened Vehicle Cybersecurity

Several decades ago, vehicle security would entail door locks, car alarms, and airbags. While the same is still true, cybersecurity is becoming an essential part of automotive security. Ensuring full protection now includes shielding the vehicle from internal system malfunctions as well as external cyber threats. However, as cars become more software-driven and connected, vehicle security is becoming increasingly complex.

A modern-day car contains multiple electronic control units (ECUs) responsible for in-vehicle electronic systems that regulate and perform various functions ranging from essential tasks like steering and engine control to more mundane ones like unlocking doors and rolling down windows. The number of ECUs in a given vehicle depends on the quantity and complexity of vehicle features. For instance, a contemporary luxury car can have up to 150 ECUs, and the number may continue growing if new functionalities and sub-systems are added. These ECUs communicate with different parts of the vehicle and other ECUs to keep the vehicle running. Each of these ECUs and their communication nodes must be secured to protect the vehicle from cyber threats.

Limitations of Conventional Automotive Cybersecurity

Conventional automotive cybersecurity software is built to protect against keyless car theft, infotainment system attacks, malware, and many other known threats. Cybersecurity companies employ ethical hacking methods to ensure the timely discovery of system loopholes. In ethical hacking, white hat hackers are responsible for hacking vehicle systems to find weaknesses in the software and report them to the cybersecurity software developers, who then implement appropriate security measures.

The complex system architecture of modern vehicles contains dozens of ECUs and millions of lines of code, all of which can potentially be exploited by malicious actors. Manually searching for vulnerabilities in these vehicles is like looking for a needle in a haystack. As vehicle systems get more complex, securing them will become even harder. While ethical hacking helps companies develop resilient security measures against cyberattacks, this ad hoc approach to cybersecurity has its limitations.

The biggest challenge in automotive cybersecurity is protecting the vehicle from unprecedented danger, also known as a zero-day attack. These attacks exploit previously undiscovered vulnerabilities in vehicle systems to install malware or tamper with the vehicle. Protection against zero-day attacks necessitates a more sophisticated approach to automotive cybersecurity, which is where AI comes in.

The Potential of AI/ML-powered Cybersecurity

AI/ML-based systems analyze, classify, and train on large amounts of data to self-improve and make independent decisions down the road. When applied in automotive cybersecurity, machine learning algorithms can be implemented in the security software to learn common patterns of vehicle operations. A trained model will then be able to distinguish anomalies that fall beyond the scope of ordinary vehicle signals. If malicious behavior is detected, the cybersecurity software will send alerts and shield the vehicle from danger. Even if a malicious actor exploits a previously unidentified vulnerability, an AI-powered anomaly detection model will be able to detect intrusions and prevent them.

A car’s digital communications are simpler and more predictable than those of a typical computer network. Since signals exchanged during normal vehicle operations often follow fixed patterns, determining an anomalous signal is not very difficult. Therefore, employing unsupervised machine learning in cybersecurity is feasible. For instance, imagine a car driving on the highway at cruising speed that suddenly receives a braking signal requesting to stop the car in the middle of the road. AI-powered security software will be able to differentiate this unusual command from a common driving pattern. The system will then block the anomalous signal and send it over to the security experts for further action.
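
The highway braking case above, as an added example (not AutoCrypt's model): a per-speed-band robust baseline learned from unlabelled frames, standing in for the trained model the article describes. The signal names, the 20 km/h bands, the threshold, and the training frames are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

BAND_KPH = 20      # assumption: width of one speed band
THRESHOLD = 6.0    # assumption: robust z-score above which a frame is flagged


def band(speed_kph):
    return int(speed_kph // BAND_KPH)


def fit(frames):
    """Learn, per speed band, the median brake request and its spread (scaled MAD).

    frames: iterable of (speed_kph, brake_pct) pairs with no labels attached.
    """
    by_band = defaultdict(list)
    for speed_kph, brake_pct in frames:
        by_band[band(speed_kph)].append(brake_pct)
    model = {}
    for b, values in by_band.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        model[b] = (med, 1.4826 * mad)  # 1.4826 makes MAD comparable to a std dev
    return model


def score(model, speed_kph, brake_pct):
    """Distance of a brake request from what is usual at this speed."""
    baseline = model.get(band(speed_kph))
    if baseline is None:
        # No traffic was ever observed in this band: nothing to compare against.
        return float("inf")
    med, spread = baseline
    return abs(brake_pct - med) / max(spread, 1e-6)


def is_anomalous(model, speed_kph, brake_pct):
    return score(model, speed_kph, brake_pct) > THRESHOLD


def constructed_training_frames():
    # City driving: 0-59 km/h with brake requests spread over 0-60 %.
    city = [(i % 60, (i * 7) % 61) for i in range(400)]
    # Highway cruising: 90-129 km/h with only light braking, 0-15 %.
    highway = [(90 + i % 40, (i * 3) % 16) for i in range(400)]
    return city + highway


MODEL = fit(constructed_training_frames())

if __name__ == "__main__":
    for speed_kph, brake_pct in [(110, 10), (110, 100), (50, 100), (200, 0)]:
        verdict = "ANOMALY" if is_anomalous(MODEL, speed_kph, brake_pct) else "ok"
        print(f"{speed_kph:>3} km/h  brake {brake_pct:>3} %  "
              f"score {score(MODEL, speed_kph, brake_pct):.2f}  {verdict}")
```

The same full-brake request passes at 50 km/h and is flagged at 110 km/h, because the baseline is conditioned on driving context rather than on the command alone.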

While perfecting a fully AI-based cybersecurity software may take years, some companies are already leveraging the power of machine learning in their solutions. One example is AutoCrypt Security Fuzzer, which is an automated testing solution that employs an AI-based algorithm to input semi-random test cases into selected systems to reveal errors in vehicle software. The solution essentially causes intentional crashes in the system to expose software vulnerabilities that need to be addressed. An AI-based security fuzzer greatly reduces testing time, streamlining the ad hoc approach to cybersecurity implementation.


Due to the self-improving nature of artificial intelligence, the potential of AI in automotive cybersecurity is limitless. The speed of developments in the automotive sector requires cybersecurity measures that are just as agile. Leveraging artificial intelligence in vehicle cybersecurity will help address the risks of zero-day attacks and mitigate threats in a timely and efficient manner.

To stay informed and updated on the latest news about AUTOCRYPT and automotive cybersecurity, subscribe to AUTOCRYPT’s official newsletter.

What Are the Potential Consequences of Cyberattacks on OEMs?

The automotive industry has changed drastically in the past decade, becoming increasingly software-driven. However, higher reliance on software comes hand in hand with a higher risk of cyberattacks. This is because a more complicated system backend has more potential entryways malicious hackers can exploit. A cyberattack on an OEM can have dire consequences that may affect sensitive company and customer data, disrupt supply chain operations, and tamper with vehicles produced by the OEM. This blog will explore some of the potential consequences of cyberattacks against OEMs.

Data Breaches

One of the biggest cyber threats to an OEM is a data breach. If an OEM’s system is attacked and a data breach occurs, the stored data could be stolen, compromised, or deleted, leading to various adverse effects on both the customers and the OEM.

During a data breach, malicious hackers can steal confidential customer data, such as personal identification numbers (PINs), social security numbers, medical records, and more. This valuable information can either be leaked or posted on the dark web for purchase. In any case, if the customers’ confidential data is exposed, malicious actors can use it to commit fraud, phishing, or an infinite number of other criminal activities. Not all data breaches are targeted toward retrieving customer data. Sometimes cyber criminals may want to access sensitive company information and steal trade secrets or intellectual property. Some breaches are purely destructive, with hackers accessing confidential data only to destroy it. 

Data breaches are extremely dangerous as they not only compromise data but also lead to a loss of customer trust in the OEM. On top of that, OEMs may face legal consequences or be fined for negligent cybersecurity practices that can end up costing a fortune.

Sometimes a breach into a company’s system may not be limited to stealing sensitive data. Malicious hackers may encrypt the data and request a ransom in exchange for a decryptor. Ransomware is designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers place organizations in a position where paying the ransom is the easiest way to regain access to their files.

In 2021, Kia Motors America allegedly suffered a ransomware attack, where the hackers requested $20 million to decrypt files and not leak confidential data. During the alleged ransomware attack, the OEM’s portals suffered a system outage. This resulted in the disruption of services where customers and dealerships across the country were unable to access their data. While financial damages were never disclosed, this incident ended up damaging the OEM’s reputation.

A cyberattack on an OEM can cause significant harm to customer data, leading to financial loss, legal consequences, and loss of customer trust. As such, it is crucial for OEMs to invest in robust cybersecurity measures to protect themselves and their customers from potential cyberattacks.

Supply Chain Disruptions

Software plays a critical role in making sure the automotive sector’s supply chain operates efficiently and effectively. A cyberattack on an OEM, or any other company within the supply chain, could disrupt the production of components that are critical to the supply chain. This could lead to delays in operations, holding up the delivery of final products down the supply chain. Delays in the supply chain will ultimately slow down the rollout of vehicles to customers. If this happens, not only does the OEM suffer financial losses, but the company’s reputation will also take a major hit. A similar incident happened in 2022, when a supplier of Toyota suffered a cyberattack. As a result, the OEM had to halt production, which ended up slashing production output by a third.

The effects of a cyberattack on the supply chain can be disastrous; therefore, industry regulations like WP.29 and ISO/SAE 21434 hold OEMs accountable for enforcing cybersecurity practices. This means that OEMs are obligated to make sure that cybersecurity measures are implemented across every company in the supply chain. This includes monitoring and auditing cybersecurity throughout the supply chain to demonstrate enforcement of the regulations at all times.

OEMs need to encourage cybersecurity measures at the base of all IT operations within the company and throughout the supply chain. Implementing cybersecurity measures is not limited to installing sophisticated cybersecurity software. It also includes utilizing encryption and authentication, as well as educating employees on cybersecurity practices that need to be honored in day-to-day operations.

Vehicle System Disruptions

While supply chain disruptions and data breaches have negative consequences on operations, finances, and company image, a cyberattack on a vehicle can escalate into a life-and-death situation.

Modern vehicles run on around 100 million lines of code which enable many advanced features beloved by customers. Unfortunately, hackers can exploit vulnerabilities in complex vehicle software to gain unauthorized access to in-vehicle systems. We have seen reports of hackers breaking into vehicles using car infotainment systems, key fobs, or Wi-Fi dongles. But hackers can also gain access to a car by attacking the OEM’s server. Hackers can inject malware into a company’s server, which can then spread to the vehicle’s systems via over-the-air software updates or other connections. The malware can then allow them to take control of the vehicle’s functions or steal data.

If the OEM system has remote access capabilities, through cellular or Wi-Fi connections, hackers can attempt to exploit vulnerabilities in these connections to gain access to the vehicle’s systems. This can allow them to remotely control the vehicle’s functions, such as acceleration, braking, and steering. If malicious hackers get access to vehicle control, this can wreak havoc on the roads and put millions of lives in danger.

Companies must secure in-vehicle systems and conduct regular security assessments to mitigate the risks of vehicle-targeted cyberattacks. The automotive industry can collaborate with cybersecurity experts to stay on top of vehicle cybersecurity regulations and best practices. This can help the industry get access to effective solutions that address emerging cybersecurity risks. For instance, AutoCrypt IVS specializes in securing in-vehicle systems by protecting the vehicle from external attacks, monitoring communications within the vehicle, and responding to any abnormal activities.


The increasing reliance on software in the automotive industry has created new cybersecurity risks. To address these risks, OEMs have to prioritize cybersecurity within the company, across the supply chain, and in every vehicle on the road by developing a comprehensive cybersecurity framework. Ensuring cybersecurity should come in multiple levels. First, OEMs must secure internal IT systems and operations. On the second level, OEMs will need to secure the supply chain and encrypt all communications between partner companies. And lastly, OEMs must employ in-vehicle security measures that make sure vehicles are protected against internal and/or external threats.

Software-Defined Vehicles: Tangent Industry Collaboration Opportunities

The lines between the automotive and tech sector are blurring as we approach the age of software-defined vehicles. Modern day vehicles are much more sophisticated than ever before, where hardware and software are intricately intertwined to achieve superior car performance and user experience. And while improving hardware is not new for OEMs, creating advanced software systems is a much tougher task. Automotive system innovations are causing disruptions in the entire industry, affecting manufacturing processes, product management, policies, and more. However, these disruptions are bringing in an array of new opportunities in the sector and its tangent industries.

B2B auto insurance

The way vehicles operate has changed in the past decade, but the insurance policies surrounding our cars have not evolved at the same rate as the technology. There is still no universal framework that decides who is liable for accidents involving software-defined vehicles (SDVs). Yet, current events in the industry are pointing to a shift of liability from individuals to OEMs, especially when autonomous driving is involved. Auto insurance policies have yet to reflect upon industry developments.

Traditional vehicle insurance policies typically cover physical damages resulting from driver-caused accidents. However, as ADAS and autonomous driving become more prevalent, the element of human error will gradually decrease, making traditional insurance policies less relevant. In addition, as software improves and cars become safer, revenue from individual insurance sales will also drop. Losses are expected to reach $25 billion, putting auto insurance providers at a risk of bankruptcy. Nevertheless, industry disruptions are creating new opportunities for auto insurance providers, with a significant portion of these opportunities located in the B2B sector. Between 2020 and 2025, new insurance policy revenues are predicted to reach $81 billion, according to a source.

As long as vehicle performance is directly tied to software performance, OEMs will be held accountable for cyberattacks, bugs, and software malfunctions in SDVs. Since the cost of software-caused accidents can have a colossally negative impact on manufacturers, they will be looking for ways to offset the losses. Insurance providers will need to adjust to the changes in the industry and create policies that offer coverage for a new set of potential threats for a smaller pool of larger customers. Key opportunities for new policies include cybersecurity insurance, product liability insurance, and infrastructure insurance for OEMs and governments.

In recent years, cyberattacks have become more common and are projected to cost the automotive industry $505 billion. Due to the growing frequency of malicious cyberattacks, governments are enforcing cybersecurity regulations and pushing OEMs to adopt more stringent cybersecurity measures. Data breaches, hacking break-ins, ransomware attacks, and similar incidents are on the rise, and as the number of SDVs continues to increase, these attacks may soon spread into the automotive industry, leading to various negative consequences. One solution to mitigate these risks is for auto insurance policy providers to analyze the most common cyber threats and offer coverage for a new set of cyber risks. This approach can help companies protect themselves and their customers against the costly repercussions of cyberattacks.

In addition to cyberattack insurance, OEMs will also need to insure themselves against product malfunctions. Software is just as crucial to a car’s function as hardware, and failures in either can have devastating consequences. Fiat Chrysler experienced the effects of software issues firsthand when a pair of cybersecurity researchers uncovered a significant vulnerability in the manufacturer’s Jeep Cherokee. The researchers were able to hack into the car’s internal computer network through its Wi-Fi connection, gaining access not only to the car’s entertainment system but also to its engine, transmission, and brakes. The discovery revealed software shortcomings in multiple Chrysler models and eventually led to a recall of 1.4 million vehicles. As a result, the OEM’s stock value dropped by more than 2%. This case shows that software gaps can lead to catastrophic outcomes that could cost companies millions, if not billions. Therefore, manufacturers will need product liability coverage to offset the high stakes of potential software malfunctions.

Vehicles are not the only things getting smarter nowadays. The infrastructure is becoming increasingly reliant on software. Wireless technologies that allow communication between pedestrians (V2P), vehicles (V2V), and the infrastructure (V2X) are crucial for ensuring safety on the roads. But even the infrastructure is not entirely safe from cyber risk. Higher levels of connectivity can create more pathways for malicious hackers to exploit. Infrastructure software malfunctions can disrupt traffic conditions in entire cities, potentially putting people’s safety in jeopardy. Failures in the infrastructure can negatively impact governments, OEMs, drivers, and pedestrians. Hence, the risks should be insured against with appropriate coverage policies.

Vehicle software development and maintenance

The number of electric and software-defined vehicles is rapidly increasing, causing car manufacturers to shift their focus from hardware to software. Most new vehicles on the road are essentially computers on wheels, and like any computer, vehicle software needs to be properly maintained and periodically updated to improve performance. To keep up with this demand, manufacturers will need to expand their software development departments. However, since software-defined vehicles are a relatively new concept, most OEMs still lack the technological expertise to create and maintain advanced vehicle software technologies.

Creating and continuously managing vehicle software will become more challenging as the number of self-driving vehicles grows. Vehicle software management requires specialized technical expertise and large amounts of computing power, which in turn requires substantial financial resources. To keep up with industry trends, manufacturers have been developing in-house technological capabilities, hiring new personnel, establishing subsidiaries, and even acquiring other companies. While expanding in-house abilities can be a viable plan, OEMs can also embrace collaboration and seek partnerships with software solutions providers. By delegating software development, maintenance, bug fixes, and management to software suppliers, car manufacturers can focus on their core competencies. At the same time, software suppliers can unlock new revenue streams by entering the automotive sector.

An example of such cross-industry collaboration is the partnership between Mercedes-Benz and Nvidia. The two companies are working on a new software architecture for self-driving vehicles that is expected to add upgradable automated driving functions in the OEM’s vehicles. Unique expertise and know-how shared through cross-industry partnerships will positively affect the supply chain and help push the industry further forward.

Cybersecurity by design

As the SDV market expands, cybersecurity is becoming one of the biggest challenges facing the industry. Regulations hold manufacturers fully responsible for ensuring cybersecurity measures throughout the supply chain, which means that the risks associated with cybersecurity incidents are not just limited to a single player in the market.

To ensure vehicle cybersecurity measures are effective, manufacturers need to take a multi-faceted approach. One of the key areas that needs to be addressed is the protection of in-vehicle systems. These systems, which are responsible for controlling various vehicle functions, need to be secured to prevent unauthorized access and tampering. Additionally, manufacturers need to ensure secure charging for electric vehicles, as well as safe infrastructure communications. Each of these measures requires the development of different solutions and management systems, which can be a complex and time-consuming process.

In addition to implementing security software, companies also have to periodically test and update their security systems to keep up with the evolving threat landscape. OEMs will need the help of cybersecurity experts to put all of the cybersecurity measures in place. This creates new market opportunities for B2B partnerships between manufacturers and cybersecurity providers. Automotive cybersecurity solutions providers can advise manufacturers on the required security systems and deliver the necessary cybersecurity software. Various models of software-as-a-service can be offered to the manufacturers. Cybersecurity solutions providers can take on the task of not only developing the security software, but also managing it and performing periodic checks and improvements.


Disruptions caused by the new trends in the automotive sector are creating opportunities for collaboration with tangent industries. To take full advantage of current market opportunities, the automotive industry will need to embrace the culture of collaboration.
