Key Takeaways The automotive sector is actively developing and delivering secure parts and features ranging from secure boot to encrypted data and in-network protections. The cost of a breach can involve everything from ransomware to liability and/or damage to a brand. New standards are being introduced to ensure security, and technology developers are integrating cybersecurity requirements early in the silicon design phase, enabling parallel development and certification. The auto industry is ramping up security features, procedures, and new standards to address the rising complexity of software-defined vehicles and a growing recognition that vehicles are attractive targets for hackers. The auto industry isn’t alone, but it tops nearly everyone’s list in the commercial sector for innovation and investment in security technology and standards due to the high cost of a breach. There are penalties to contend with, potential liability in case of accidents, damage to a brand, as well as data leakage and theft. “Automotive is on the cutting edge of security standardization for all of the commercial markets,” said Scott Best, senior technical director for silicon IP at Rambus. “There’s nobody currently more advanced. The more advanced the features are, the more at risk passengers are to malicious actors. The automotive companies know that, and they know they have a huge amount of brand exposure to solve this correctly. So in one sense, they are moving very deliberately forward on the security requirements, which is great.” For the past couple decades, security experts have been issuing warnings about the need to build security into chips and systems, starting with the initial architecture design. But it wasn’t until the electrification of different functions and the increased connectivity within and outside of those vehicles that carmakers and their suppliers began to take security seriously. Since then, the auto industry has made significant progress, and that progress is accelerating as it establishes new standards and redefines how chips and systems within a vehicle are designed and manufactured. “Automotive cybersecurity focuses on meeting current vehicle security standards and anticipating future developments,” said Bill Stewart, vice president of marketing for the Americas at Infineon Technologies. “Presently, automotive OEMs design vehicles with dedicated functions assigned to individual ECUs, each interconnected via networks such as Ethernet or CAN and protected by encryption, especially in vehicles produced from 2026 onward. Security features such as robust gateways, firewalls, and trust anchors help safeguard vehicle networks from hacking attempts.” Modern vehicles increasingly rely on networked actuation for systems like power steering and advanced driver-assistance systems (ADAS), which have been the initial target for security. But over the next decade, security is expected to include both internal and external protections, such as insurance dongles that operate outside of OEM control. “The industry is moving beyond the traditional ‘one function per box’ approach toward centralized computing architectures,” Stewart said. “While centralizing computation can increase efficiency, it also presents new security risks. Compromising the central unit could allow incorrect data transmission and even disrupt safety-critical systems like steering.” Chiplets add other security risks. While they can improve time-to-market for automakers, each chiplet needs to be designed with security in mind, and the connection to other chiplets or memories needs to be secure, as well. Standards are evolving to ensure best practices around all of this. “Protecting the silicon is very important, and the certification of the silicon is becoming much faster because we now have standards in place,” said Sylvain Guilley, co-founder and CTO of Secure-IC, a Cadence company. “For instance, for ISO 21434 on the cybersecurity of road vehicles and the industry, and particularly for Secure-IC/Cadence, we were compliant even pre-silicon. We take the requirements, implement them, and verify them in the source code and the model. This means we have 100% visibility into whether the silicon will be certifiable, so you can parallelize the silicon design and reduce the time to complete certification. This is instead of having to complete the system first, then certify it.” In addition, all cars today have some form of secure boot and firmware integrity checks, and all the ECUs in a car are very important as control units. So a lot of the communication of those ECUs with each other needs to be protected. “Data is encrypted,” said Dana Neustadter, senior director of product management for Security IP Solutions at Synopsys. “You have in-car network protection. First, there was the CAN bus. Now there is also Automotive Ethernet with MACsec. The camera and serial interfaces have security coverage through CSI. You also now have over-the-air updates. Tesla is the well-known one, but other companies are also building more around that, sometimes with some flaws. And we’ve also heard about some remote attacks. In any case, security around over-the-air updates, whether it’s done at the highest grade using the best approach, is in the cars today.” Securing infotainment As vehicle connectivity and in-car technologies evolve, the emphasis on securing infotainment systems has become increasingly important. This shift reflects the industry’s broader commitment to safeguarding both internal communication and external interfaces from emerging cyber threats. There are security capabilities and features to protect the infotainment, Neustadter said. “It’s been a while since the infamous Jeep was connected remotely while the driver was in the car on the highway, and someone controlled the brakes and other things in the car. That was done because of a security flaw between the infotainment system and the rest of the vehicle control. In today’s cars, there is security for hardening or protecting the infotainment and connectivity interfaces between the vehicle and the outside world, but also from the infotainment to the rest of the system. These are some of the capabilities and security features that are in the system for protection within the vehicle, but also for communicating to the outside world.” There are tradeoffs, however. Making everything secure can add latency, particularly with a centralized compute model. “Secure data transmission can slow down critical functions, such as ADAS decision-making, which relies on real-time camera input for tasks like speed adjustment or object detection,” Infineon’s Stewart said. “Ensuring rapid and secure data flow, possibly down to milliseconds, from sensors to central processors and then to actuators (like electric motor brakes) requires innovative architectural decisions. Integrating microcontroller units (MCUs), Ethernet devices, and robust cryptographic processes without disrupting performance remains an ongoing focus. Achieving seamless and efficient security is crucial for the future of automotive systems.” Many vehicles on the road today, especially those built on older platforms, were never designed with strong security in mind. Data was never encrypted, and the buses used to transport data had only minimal security, if any at all. “These are areas where you wouldn’t have thought about historically with old technology, whether it’s a power grid or a power plant or an automobile, ‘Oh, I need to have it super secure,'” said Simon Rance, general manager and business unit leader, Process and Data Management at Keysight EDA. “In fact, most of the devices that go into those things, historically as well, have very minimal security across certain access points. They’re so easy to access. You can control a vehicle, especially an autonomous vehicle, remotely, and that’s a big concern.” Ensuring security in a vehicle also can add to the cost with uncertain return on investment. While automakers are using secure encrypted buses and other approaches in new designs, real‑world tests have shown that even high‑end vehicles can still be taken over remotely. “If it’s hardware, such as a chip or secure buses, where the bus data is encrypted from the CPU or the processor, when you start getting into those types of architectural choices and decisions the cost of the chip goes up,” Rance said. “It is well known that from a test that was done about five or six years ago on some of the high-end automotive vehicles, it was very easy to hack into them while driving on an actual test road. They could either shut all of the electronics down right then and there, or do other things with it.” Evolving security threats These persistent and evolving vulnerabilities underscore the urgent need for comprehensive updates to industry standards and regulatory frameworks. Addressing security concerns in both legacy and modern vehicles requires coordinated action, continuous risk assessment, and robust policies that can adapt to emerging threats. As vehicles become more complex and interconnected, ensuring that protections keep pace is critical to safeguarding consumer safety and maintaining trust in automotive technologies. Jaroslaw Szostak, a member of the security team at Imagination Technologies, noted that historically, automotive was a distributed landscape, so there were ECUs for different subsystems in the vehicle. “In a modern vehicle, you would be looking at maybe 100 odd ECUs, but in the late ’90s and early ’00s, security was more about component protection. We wanted to protect components from being exchanged between different cars, so in case something was stolen, it would not be able to be installed in another vehicle. This concept was later used for safety approaches, in the advent of active safety. There were complex systems such as cameras, radars, lidars, and those were type-approved. Other systems, such as braking systems, were also type-approved. In the case of theft, you want to prevent the use of components from a car that was involved in an accident, went to a scrap yard, and someone could go to a scrap yard, fetch the component, and retrofit it into the vehicle. For example, let’s say there was damage to the ultrasonic sensors. But then there are the 360-degree cameras, and this is exactly the point where our GPUs can come into play. We develop GPU soft IP, with two primary use cases — the graphical use case and the computational use case. We can display the content and generate the content, fusing it, but this fusion comes at the expense of computation. When we look at bandwidth data, it is streaming from three or four cameras, with multiple sensors doing the perception features, which are running on our GPU. That means, slowly but surely, you are getting to the point where you are putting a lot of eggs into one basket. With the move toward automotive Ethernet and the adoption of technologies such as BroadR-Reach [invented by Broadcom], we are exchanging more and more data. Previously, there were control signals. Now we are sending the feeds or streams.” What this means for semiconductor companies is that they now have a seat at the table with the automotive OEMs because of ISO 21434 cybersecurity and other standards such as UNECE WP.29 Regulation No. 155 (UN R155), which mandates that vehicle manufacturers establish a certified cybersecurity management system (CSMS) to identify, assess, and mitigate risks throughout a vehicle’s lifecycle. In force since January 2021, it became mandatory for new vehicle types in July 2024, covering passenger cars, trucks, buses, and, increasingly, motorized two-wheelers. UNECE WP.29 Regulation No. 155 (R155) is not mandated in the U.S., since the U.S. is not a signatory to the WP.29 agreement. Instead, the U.S. operates under its own Federal Motor Vehicle Safety Standards (FMVSS), relying on voluntary guidelines and industry standards, such as ISO/SAE 21434. R155 is mandatory for new vehicle types in signatory countries as of July 2022, and all new vehicles produced after July 2024. UN R155 on vehicle cybersecurity became mandatory for all new vehicles produced and sold in adopting countries, including the E.U. and Japan, from July 2024 onward. Some manufacturers, including Porsche, have encountered challenges with compliance. As a result, certain models could not be sold within the EU. As automotive cybersecurity regulations evolve and manufacturers strive to meet new requirements, the industry also is seeing significant shifts in both technical approaches and supplier relationships. These regulatory demands are driving innovation and reshaping how stakeholders address security challenges across the automotive landscape. “When you move from PSA-level certification, you start to add levels of, ‘Do I trust this firmware? Did I sign it? Is it authenticated and encrypted so I can’t flip things?'” said David Garrett, vice president of technology and innovation at Synaptics. “But that’s not enough, because physical attacks start to show up. Raspberry Pi had a chip that was hacked a year ago. They said, ‘Hey, our chip is unhackable.’ Within four weeks, someone figured out a physical attack and glitching attacks. Cybersecurity in automotive is also about physical attack protection. It’s not just encryption. It is about what somebody does that doesn’t think like you. That’s the thing to take away. It’s also about, ‘Holy cow, I never realized you would jolt at 10,000 volts for 10 nanoseconds at the right moment, and it flips a bit that protects everything.’ That’s the next level. We do that for our edge devices. It’s critical for that.” As these regulatory and technical shifts reshape industry practices, stakeholders are now navigating a landscape where collaboration and adaptation are essential. The interplay between evolving standards and market demands is prompting both manufacturers and suppliers to rethink traditional roles and relationships in the automotive ecosystem. But ultimately it’s up to the automotive tiered suppliers and the OEMs. “Relying upon what a traditional Tier One or Tier Two is going to provide, I don’t think there’s a lot of trust there these days,” said David Fritz, vice president of hybrid-physical and virtual systems at Siemens EDA. “In the end, if somebody hacks into your car and you get into an accident, the OEM is going to have to have some kind of liability for that, so they’re really concerned. What’s happening, however, is that they’re going directly to the automotive semiconductor companies that are providing all of this in the SoCs that are going into the central compute.” There also is a new breed of Tier Twos, including SAIC, SiliconAuto, and others, coming that are going to change the game. “Security, high-performance Level 4 and Level 5 autonomy focus, and high-end IVI focus are coming to really challenge the existing Tier Twos,” Fritz said. “It’s been coming. It shouldn’t surprise anybody, and their solutions are highly likely to be more coveted by the OEMs in the end.” Conclusion The rapid evolution of automotive cybersecurity is fundamentally transforming how industry standards, supplier relationships, and regulatory compliance are approached. As vehicles integrate more advanced connectivity and autonomous features, the complexity and scope of potential vulnerabilities expand, requiring not only robust technical safeguards but also seamless collaboration among automakers, semiconductor suppliers, and policymakers. To stay ahead of emerging threats and regulatory demands, stakeholders must foster a culture of continuous innovation, invest in comprehensive risk management strategies, and maintain a proactive stance on both digital and physical security, ensuring that consumer safety and public trust remain at the forefront of automotive technology’s advancement.
