vehicle cybersecurity Archives

Building on our previous post examining the industry’s transition from SAE Level 2 to Level 3 autonomy, this article revisits the topic in light of regulatory and commercial developments around autonomous driving. Our earlier analysis found that the slow progession toward Level 3 autonomy has been driven more by regulatory uncertainty than by technological limitations. Due to ongoing legal bottlenecks, we observed that OEMs introduced Level 2+ systems but remain hesitant to classify them as Level 3, primarily because of unresolved concerns around legal responsibility and risk management.

Since then, the regulatory and commercial landscape for autonomous driving has continued to evolve. This article highlights how recent policy shifts have accelerated Level 3+ deployment and testing efforts, while also examining the growing importance of open-source software in enabling software-defined vehicle (SDV) development. As SDVs grow more complex — both technically and in terms of regulatory oversight — it has become essential for OEMs and Tier 1 suppliers to stay aligned with ongoing developments and adapt their cybersecurity practices accordingly.

Bridging Regulation and Deployment in Autonomous Driving

As commercial interest in Level 3+ autonomy grows, regulatory developments have played a pivotal role in shaping a more stable legal environment for innovation. Both globally and regionally, recent updates have provided clearer guidelines for deployment, liability, and compliance. Among the most impactful are the ongoing amendment series to UNECE Regulation No. 157 on Automated Lane Keeping Systems (ALKS) and the introduction of UNECE Regulation No. 171 on Driver Control Assistance Systems (DCAS).

Global Regulatory Progress in Autonomous Driving

The UNECE Regulation No.157 on Automated Lane Keeping Systems (ALKS) was first adopted by the World Forum for Harmonization of Vehicle Regulations (WP.29) in January 2021 to govern SAE Level 3 conditional automation. Since enforcement began in January 2023, successive amendments introduced from 2022 onward have significantly clarified the operational behavior, system safety, and failsafe protocols required for real-world applications.

WP.29/2022/59/Rev.1 Amendment: Speed limit raised from 60km/h to 130km/h, Automated lane changes allowed

WP.29/2024/145 Supplement: Ensure ALKS system resilience in electromagnetic environments

WP.29/2025/64 Supplement: Clearer rules for lane-change behavior and heavy vehicle restrictions

In parallel with ALKS, UNECE Regulation No.171 on Driver Control Assistance Systems (DCAS) established safety requirements for SAE Level 2 driver assistance features, including lane keeping and traffic jam assist. The regulation emphasizes stricter standards for driver engagement, monitoring systems and interface transparency. Together, these two frameworks — covering foundational technologies like ALKS and DCAS — have strengthened the regulatory pathway towards higher levels of autonomy by mandating provisions for cybersecurity, performance validation and over-the-air (OTA) updates.

Regional Regulatory Advances around Autonomous Vehicles

At the regional level, China and Germany have taken leading roles in building regulatory frameworks for autonomous vehicles, while the United States and South Korea have also made notable progress in deployment and certification efforts.

China introduced a clear commercialization pathway for OEMs targeting Level 2-4 autonomy through its national pilot program, announced in November 2023. By focusing on seamless integration between vehicles, infrastructure and cloud platforms — leveraging technologies such as Cellular Vehicle-to-Everything (C‑V2X), edge computing, and signal systems — the initiative has ensured pilot zone vehicles are equipped for safe and standardized evaluation.

Through this initiative, Chinese OEMs have made significant progress, launching their own branded ADAS platforms — DiPilot (BYD) and G-Pilot (Zeekr) — in early 2025. BYD became the first Chinese automaker to obtain a conditional Level 3 testing license in July 2023 and has since introduced Level 4 autonomous parking capabilities through its DiPilot ADAS platform. By June 2025, nine manufacturers, including Nio, Changan Automobile, and GAC, had completed preparations for public road testing of Level 3-capable vehicles.

Germany has also emerged as a regulatory leader, particularly through the Autonomous Vehicles Approval and Operation Ordinance (AFGBV) which governs the approval, registration and operation of SAE Level 4 autonomous vehicles. While the ordinance was adopted in May 2022 and came into effect in July 2022, detailed implementation guidelines published in 2024 clarified practical procedures for public transportation authorities. These documents have provided essential guidance to municipalities, transit operators and OEMs, helping shape a consistent framework for the long-term deployment of autonomous fleets.

Guideline for Operational Area Approval: Framework for municipalities and OEMs to define, assess, authorize public road areas for autonomous vehicle operation
Handbook with Implementation Proposals for Municipal Practice: Offers integration guidance for public transport operators
Strategy for Autonomous Driving in Road Traffic: Outlines Germany’s national roadmap for autonomous vehicle (AV) deployment across mobility and infrastructure sectors

These regulatory advances have enabled OEMs such as BMW and Mercedes-Benz to integrate automation software into their vehicle portfolios. In June 2024, BMW introduced both Level 2 (‘BMW Highway Assistant’) and Level 3 (‘BMW Personal Pilot’) systems in its 7 Series lineup, offering highway automation and conditional driver delegation capabilities. In December 2024, Mercedes-Benz received approval to increase the operating speed of its DRIVE PILOT system to 95km/h and became the first automaker in Germany authorized to use special marker lights indicating automated driving mode.

Beyond China and Germany, regulatory clarity has expanded in other key regions. In South Korea, a March 2025 update to the enforcement decree of the Act on the Promotion and Support for the Commercialisation of Autonomous Vehicles enabled performance certification and approval of Level 4 autonomous vehicles, including those lacking pre-established safety standards. Similarly, the United States broadened Federal Motor Vehicle Safety Standards (FMVSS) exemptions under Part 555 in June 2025, allowing developers to deploy safety-validated autonomous vehicles that do not meet conventional design requirements.

These national and international efforts collectively signal a growing global alignment in regulatory strategy and commercial deployment readiness. Structured permit systems and clearly defined liability frameworks have provided OEMs with the flexibility to develop, certify, and scale Level 3+ autonomous vehicles — a momentum that is likely to accelerate further in the coming years.

Open-Source SDV: Software-Driven Collaboration

As the path to commercial autonomy becomes clearer, attention is increasingly turning to the software foundations that enable it to scale — particularly open-source software defined vehicle (SDV) projects. This shift is being shaped by the growing convergence of autonomous vehicles (AVs) and SDVs, where AVs increasingly rely on SDV architecture for modularity, real-time updates, and system integration. Open-source platforms are emerging as critical enablers of this transition by supporting scalable and collaborative development.

SDV platforms provide the technical backbone for scalable autonomy by enabling modular design, continuous over-the-air (OTA) updates, and real-time system integration. These capabilities, when delivered through accessible and interoperable open-source solutions, help overcome the fragmentation and integration challenges that often hinder large-scale AV deployment.

A key example of this trend is the S-CORE Project, announced in June 2025. Backed by key industry players like Bosch, QNX and Mercedes-Benz, the initiative aims to build the first open-source core stack for SDVs. The core stack is designed to standardize the middleware layer between the operating system and higher-level vehicle applications, with an emphasis on functional safety. Aligned with global regulatory standards such as ISO 26262 (functional safety), ISO/SAE 21434 (cybersecurity), and UN Regulation No. 156 (OTA Updates), the framework is OEM-agnostic and modular by design — supporting deployment across a wide range of vehicle platforms.

While it builds on a growing legacy of open-source automotive projects such as Autoware — of which AUTOCRYPT is a participating member focused on addressing security risks in real-world vehicle software — the S-CORE Project represents a meaningful shift. It moves focus from application-specific tools (e.g., AV stacks, ADAS platforms) toward foundational, certifiable infrastructure designed to support mass production of SDVs. Positioned as a “core runtime environment” for software-defined vehicles, S-CORE aims to bridge the gap between low-level system layers and OEM-specific applications, creating more room for OEMs and Tier 1 suppliers to collaborate on shared infrastructure.

Further open-source projects around software-defined vehicles are expected to emerge in the future due to economic and strategic industry alignment. With the complexity of software-defined vehicles (SDVs) increasing, it has become less viable for individual OEMs and/or suppliers to build and maintain fully proprietary software stacks. Open-source core frameworks like the S-CORE project aim to address this challenge by providing a standardized, resuable foundation which could allow companies to redirect resources toward value-added differentiation (UX, apps, mobility features).

Alignment with global regulatory standards has further elevated the role of open-source software. Standards such as UNECE R156 and R157, ISO 24089, ISO/SAE 21434 emphasize the need for secure, traceable, updateable vehicle software, better done transparently through building on open-source environments. In short, open-source projects offer a flexible and accountable framework, helping stakeholders align with evolving requirements more efficiently.

Future Implications

Regulatory and commercial developments across Levels 2 to 4 autonomy continue to mature, creating new opportunities for OEMs and Tier 1 suppliers, while steadily enhancing the autonomous driving experience for end users. This transformation is no longer confined to national borders, as open-source initiatives gain traction, driven by economic and regulatory imperatives.

As autonomous driving environments expand, so do the associated attack surfaces — from internal vehicle systems to connected external infrastructure. This underscores the growing need for continuous cybersecurity validation, including threat modeling, real-time risk monitoring and regulatory gap analysis. Positioned at the intersection of software-defined vehicle (SDV) innovation and autonomous vehicle (AV) safety, Autocrypt remains committed to supporting OEMs and Tier 1 suppliers in scaling innovation without compromising cybersecurity.

To learn more about the Autocrypt’s products and offerings, click here. Read our blog or subscribe to AUTOCRYPT’s newsletters for more technology insights.

It has long been established that cybersecurity is essential to vehicle operations and needs to be implemented universally. However, it is important to note that automotive cybersecurity does not follow a one-size-fits-all approach. Different types of cybersecurity measures have their pros and cons and are more effective for certain types of vehicle architectures rather than others. While there are different types of vehicle cybersecurity measures available on the market today, this blog will discuss hardware security modules (HSM) and trusted execution environments (TEE), offering a closer look at two of the most robust vehicle cybersecurity solutions.

Why do we need in-vehicle security?

Modern vehicles have complex internal computing systems that enable superior functions like advanced driver-assistance systems (ADAS), vehicle-to-everything (V2X) communications, as well as network and cloud connectivity. These internal computing systems interact with each other and the external network, exchanging large amounts of data and signals. If these communication nodes lack appropriate security measures it leaves the vehicle vulnerable to cyber risk.

Wi-Fi, navigation systems, V2X communications, all of these network connection endpoints can be potential routes for cyber attacks. Hackers could breach into a vehicle’s internal system to steal private data like vehicle location, registration number, and even financial information. There is also the risk of hackers breaking into the vehicle systems to gain control of its functions. We saw this happen when two researchers hacked into a car through its cellular connection. After establishing a wireless access to the car, the hackers gained control of the vehicle’s dashboard, infotainment system, and even the engine.

This experiment revealed many vulnerabilities in vehicle internal systems security. It also solidified the importance of a layered approach to vehicle cybersecurity, where both the internal vehicle environment and the external communications are secured.

What is HSM?

One of the most robust cybersecurity solutions in the automotive industry is a Hardware Security Module (HSM). HSM is an external physical security unit that is installed into electronic control units (ECU). It safeguards vehicle communications and functional control systems with message cryptography. Typically, an HSM will include its own processor, cryptographic technologies, and dedicated memory for the hardware security firmware and secure data. Having its own processor, the HSM operates separately from the ECU, bearing the computational load of security functions.

The security module’s main job is to safeguard sensitive vehicle data during message exchanges. It does this by storing cryptographic keys, performing cryptographic operations, and verifying digital signatures to conduct authenticity checks for messages passing through the vehicle. This makes sure that data coming from outside of the vehicle is verified, and data leaving the vehicle is safely encrypted.

HSMs have been the industry standard in vehicle cybersecurity for their ability to safeguard valuable information from tampering. However, there is a problem of scalability with this particular cybersecurity measure. HSM is a security unit that has to be physically installed into ECUs within the vehicle. So, installing HSMs in cars with complex internal architectures and an abundance of ECUs may become costly.

There is also the issue of flexibility. Many modern luxury vehicles support over-the-air (OTA) systems like software downloads and updates. These OTA systems enable the installation of new functionalities into a vehicle without having to alter its hardware composition.

In a rapidly developing automotive industry, cybersecurity software needs to be able to adapt to vehicle software changes. This will be hard to achieve for a car secured only with hardware security modules. The hardware-software segregation in advanced vehicle architectures requires a more flexible approach to cybersecurity that ensures cybersecurity measures evolve hand-in-hand with vehicle software developments.

What is TEE?

A cybersecurity solution that works more effectively in centralized vehicle architectures with ever-evolving software structures is a Trusted Execution Environment (TEE). TEE is a software-based security measure that creates a secure and isolated environment within the application processor, separating critical operations from the rest of the system.

Critical operations and sensitive data can be executed and stored within the trusted execution environment, shielded from potential cyber threats. Similar to HSMs, TEEs have protected crypto libraries where sensitive information, such as cryptographic keys, can be securely stored and managed. They also provide secure communication channels between trusted components, ensuring that data transmitted within the secured area remains confidential and protected from the rest of the vehicle. This helps prevent unauthorized access or tampering.

For instance, the AutoCrypt IVS-TEE security solution offers OTA systems security with encryption and authentication technologies, making sure that only validated software is received and installed during OTA system updates. This is done to ensure that the software comes from an OEM and not a malicious actor.

While TEE and HSM offer similar cybersecurity measures they are very different in terms of implementation and execution. TEEs are built into the application processor’s chipset and can be implemented through software updates, making them more flexible and adaptable to changing security requirements. Leveraging a vehicle’s existing hardware resources, TEEs eliminate the need for additional security components, potentially reducing costs.

Establishing a TEE is a cybersecurity-by-design approach that ensures that there is a secure environment to run critical operations in every application processor.

As vehicles become increasingly connected and autonomous, the importance of robust automotive cybersecurity methods cannot be overstated. HSM and TEE both play crucial roles in securing vehicles against cyber threats. HSMs excel in cryptographic operations and secure key storage, while TEEs create isolated execution environments within the main processor. By combining these methods, automotive manufacturers can maximize protection from external cyber threats and enhance the security of their vehicles.

AUTOCRYPT’s in-vehicle cybersecurity solutions provide complete protection for the vehicle-embedded systems minimizing cybersecurity risks.

To stay informed about the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

Tag: vehicle cybersecurity

The State of Autonomous Driving in 2025