Enhancing Cybersecurity in the Development of Software-Defined Vehicles
In many automotive companies, the same systems-engineering teams are responsible for both safety and security. This often leads to cybersecurity being treated as a subset of safety, based on the assumption that “if it’s safe, it must be secure.” However, this assumption is flawed, as vehicles deemed functionally safe under ISO 26262 can still be vulnerable to cyber threats. With the rise of connected vehicles, software-defined architectures, and over-the-air updates, cybersecurity must be addressed as a standalone concern throughout the organisation. Bundling cybersecurity under traditional safety frameworks risks underprioritising cyber resilience, which can hinder the ability of an Original Equipment Manufacturer (OEM) or supplier to respond effectively to digital threats targeting vehicle systems and supply-chain integrity.
Decoupling security from safety can strengthen the collaboration between safety and security teams, particularly during the concept, design, and validation phases of product development. Safety focuses on unintentional malfunctions, while security addresses intentional misuse and threats. These distinct concepts require different standards and regulations, such as Hazard Analysis and Risk Assessment (HARA) for safety and Threat Analysis and Risk Assessment (TARA) for security under ISO 21434. Despite the lack of large-scale cyberattacks, the industry has adopted a conservative approach to cybersecurity, often prioritising regulatory compliance over proactive measures. Most companies maintain separate teams for Product Security (PS), Information Technology (IT) Security, and Operational Technology (OT) Security, with PS typically funded from the safety budget, further complicating the prioritisation of cybersecurity initiatives.