31 Ottobre 2023

The security cultural transformation of the automotive industry

For the last few years, the automotive industry has been going through a renaissance with cars becoming software-driven, adding new functionalities and “apps” to every new model year. Like the evolution from mainframe computers to sophisticated cloud-connected graphics processing unit-driven desktops, the automotive industry is evolving from traditional hardware-centric cars to software-driven computers on wheels. There are parallel tracks regarding the functionality of the vehicles of the future that our industry is focused on right now:

  • Those dealing with the “robot” under the hood moving the car of the future.
  • All user-related functions, apps, and cabin-related experiences.

The underpinning of the technological development for cars in both categories is safe and secure transportation. When I say safe, I am referring to ISO 26262. When I say secure, I am referring to the new (as of the last two to three years) cybersecurity regulations such as ISO/SAE 21434,1 ISO/DIS 24089,2 and the United Nations Economic Commission for Europe (UNECE) WP.293 focused on keeping these secure for their entire useful life. Yes, going forward, cars need the lifecycle of their cybersecurity managed for the 15 to 20 years they are on the road.

Microsoft Security

Help protect people and data against cyberthreats to give you peace of mind

Forward facing view of two men working on a Microsoft Surface Studio with a larger blurred screen/display behind them.

Unique complexities of the automotive industry

Considering the complexities of these cars and the automotive industry, this is a very tall order. Here are some of the challenges:

  • Complex supply chain: There are thousands of suppliers globally contributing to the making of a car and the start of production.
  • Volume of code: Cars are now the most significant threat surface in the world, with a typical midsize car containing more than 150 million lines of code from hundreds of suppliers in thousands of files, mostly in binary format.
  • Product lifecycle: Cars have a long useful life of 15 to 20 years in active use versus two to three years for consumer products.
  • Regulations: Functional safety and new cybersecurity mandates for managing the life cycle of security.

As cars become more connected, the risk of cyberattacks increases.

Functional safety and cybersecurity

What is cybersecurity?

Learn more 

Functional safety is the discipline that deals with designing and manufacturing systems to reduce the risk of harm to people. Cybersecurity deals with protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The automotive industry needs to combine functional safety and cybersecurity to ensure that the safety and security of the driver, passengers, and other road users are not compromised.

Incorporating cybersecurity into the design and manufacturing process of cars is essential. While connected cars open a whole host of new opportunities to the industry and passengers of the vehicles, this connectivity and visibility is a double-edged sword as it also makes them susceptible to bad actors trying to hack them to obtain data or even functional control of the vehicle itself remotely. The implications of a more than 3,000-pound vehicle being directly controlled by an unintended user is of utmost concern. Again, safety is the focus.

Standards and regulations

The automotive industry has several standards and regulations that address functional safety and cybersecurity. Developed by the International Organization for Standardization (ISO), one such standard is ISO 26262, which outlines the safety requirements for road vehicles, which aims to reduce the probability of hazards in automotive applications where the machine operation can impact the life of the passenger.  

The ISO/SAE 21434 vehicle cybersecurity engineering standard is focused on the entire automotive product lifecycle and integrates safety and security measures that ensure vehicles have been designed, manufactured, and deployed with the rigorous security requirements in mind. It also, defines the responsibilities for various groups involved during different stages of automotive product development. The final version of ISO/SAE 21434 standard, also includes a Threat Analysis and Risk Assessment (TARA), focusing on possible threat scenarios within a vehicle operation, with relevant posture scoring factors. It also defines the “shift left” aspect of security aligned with automotive systems engineering V-model, to approach the products functionality and cybersecurity requirements simultaneously. 

ISO/DIS 24089 is another standard that provides guidelines for managing software updates in a consistent and systematic way. The United Nations Economic Commission for Europe (UNECE) as a part of WP.29 standard has put a new regulation R156 in place which regulates the software update management system. ISO 24089 provides the guidelines on how to systematically manage software updates compliant with the UNECE R156. The UNECE WP.29 has also developed regulation R155 focused on the cybersecurity lifecycle management of road vehicles. 

Securing the car of the future

Securing the car of the future involves several technical details, such as securing the vehicle’s electronic architecture, managing the software lifecycle, and managing the cybersecurity lifecycle using software updates. The car’s electronic architecture is moving from domain controllers to zonal architecture with an eye on the ultimate cloud-connected central computer. Managing the lifecycle of software and cybersecurity using software updates ensures that the car remains secure and protected against any new threats that emerge. This requires dedicated Vehicle Security Operations Centers that manage this process and automate as much of the process as possible.

The UNECE WP.29 regulation mandates four concrete areas of cybersecurity:

  1. Manage vehicle cyber risks
  2. Secure vehicles by design
  3. Detect and respond to security incidents
  4. Provide safe and secure software updates

Three lifecycle phases of development, production, and post-production are called out, with post-production to include monitoring, detecting, and responding to cyberattacks. Cars need to be built securely, and that security posture needs to be maintained as they go through the manufacturing process. Finally, once they go out the door on day zero in the lot, they need to stay secure for the life of that car. This means every aspect of the car’s design, development, manufacturing, and operations will be affected and need to change. As of January 2021, WP.29 applies to passenger cars, vans, trucks, buses, and other light vehicles are subject to the regulation as of January 2021.

The big-compelling-event: In the European Union (EU), WP.29 regulations R155 and R156 will be mandatory for all new vehicle types from July 2022 and will become compulsory for all new vehicles produced from July 2024. That means starting July 2024, all vehicle manufacturers need to manage the life cycle of the security of the cars they build and operate for the life of that vehicle on the road (15 to 20 years).


WP.29 covers 54 countries, including the EU, the United Kingdom, Japan, and South Korea. WP.29 regulations in these countries are legally enforceable, and proof of compliance is required for a car manufacturer to obtain the needed type-approval and sell into the above markets. That means even the automotive original equipment manufacturers in countries not covered by WP.29 will be affected if they want to sell cars in the above countries. Like the existing homologation process for ISO 26262, type approval provides mutual compliance recognition across the EU without further tests. Approval can be obtained from technical services auditing companies such as TUV SUD. Development, manufacturing, and finally operations of the car will be affected and will need to change.

Attack surfaces

Cars have become the world’s largest and most complex threat surface, with millions of lines of code running on several computers and many attack points and tactics that bad actors can exploit. On a per-car basis, this is significantly more complex than most IT systems worldwide. Nowadays, most industry news is dominated by the word of IT hacks and exploitation of IT systems. To be clear, the IT industry has dealt with security issues for decades, whereas cars were not connected until recently, hence car security meant something completely different. So, a sector that has not been dealing for long with cybersecurity is now supposed to secure the most complex and sophisticated entities and threat surfaces in the world, where every car is a mission-critical system, where the operation of the machine impacts the life of the passengers.


In IT, over 80 percent of incidents are caused by company employees, primarily because of inadequate security hygiene (for example, lack of rigorous security culture).4 To meet the security requirements of the three lifecycle phases of development, production, and post-production of cars, a holistic approach to security cultural transformation at every car manufacturing company is needed.

Cultural transformation

Cultural transformation starts with educating everyone about security, regardless of role or job title. This means everyone from software and hardware designers and developers to the C-suite.

Microsoft security documentation

Read more 

Sharing a common language to discuss security is the best place to start. That means educating everyone on the risks involved, expectations from each other and the whole team, and using security best practices regardless of the task, and in many cases, regardless of the cost associated with a “security-first” culture. When the team is educated on security, they become empowered to make better decisions, resulting in positive security outcomes.

Building a security-first culture aligns knowledge with behaviors so that, as an example, developers think about securing before writing a line of code, and C-suite decision-makers think about security risks impacts on the bottom line and consider proper investment in security as business-critical.

Unfortunately, the security industry is currently challenged with a need for more qualified resources, so attracting and retaining the best talent from diverse backgrounds and developing security leaders is more critical than ever. 

Shifting left, which means embedding security as early as possible in the product development life cycle and automating as much as possible leveraging AI and machine learning, also helps developers focus on solving high-value problems.

Empower your team with cybersecurity awareness

Explore resources 

Automotive manufacturers can improve their security posture by focusing on people and the culture of “security-first” within their teams, followed by using the best security tooling focusing on minimal gaps and overlaps to build a strong foundation for security operations.

The only way to secure the cars of the future is to take a holistic approach to cultural transformation that institutionalizes a “security-first” mindset.

Start your security transformation with Microsoft

At Microsoft, along with our partners, we have curated a broad portfolio of products and services for a comprehensive support of automotive and manufacturing industries during the three lifecycle phases of development, production, and post-production, and all the associated homologation processes. For the design and development phase along with our partners, we offer a comprehensive set of tools and services, focused on compliance as well as managing the lifecycle of cybersecurity for the automotive market. We can also help our customers with their security cultural transformation journey.

graphical user interface, text, application

For managing the every day lifecycle of the vehicle on the road, we have curated key partners who are leveraging the Microsoft Cloud and our security products, along with products and services, to provide comprehensive Vehicle Security Operations Center (VSOC) services, as well as converged SOCs covering IT and manufacturing operational technology security as well. 

Customers who have switched to Microsoft Security not only have significantly reduced their cost, but they have also drastically improved their cybersecurity posture. The ultimate in doing more with less.

1ISO/SAE 21434:2021, Road Vehicles, Cybersecurity engineering, ISO.

2ISO 24089:2023, Road Vehicles, Software update engineering, ISO.

3WP.29 – Introduction, UNECE.

4Stanford Research: 88% Of Data Breaches Are Caused By Human Error, KnowBe4.

The post The security cultural transformation of the automotive industry appeared first on Microsoft Industry Blogs.

Source: Microsoft Industry Blog