Software-Defined Vehicle Fleets Face a Twisty Road on Cybersecurity

Published: 23/11/2024   Category: security




As manufacturers sprint to add software-defined features for vehicles, the ability for third-party maintenance and repair falls behind, leaving businesses with few choices to manage their cybersecurity.



When Israel-based REE Automotive designed its P7 electric vehicle chassis, it worked from the software out: The flat vehicle chassis is totally configurable with four independent modules near each tire for steering, braking, suspension, and power train, each driven by an electronic control unit (ECU) customizable through software.
It has drive-by-wire, steer-by-wire, and brake-by-wire — and data collection as a service — giving the company the ability to tailor the vehicle to the customer's application, but also potentially making the platform a hacker's dream.
Securing a vehicle fleet is a major effort, requiring cybersecurity for the design and development teams, the factory floor, and the connected vehicles themselves, says Yaron Edan, CISO for the automotive technology company. Cybersecurity teams not only have to monitor cyber threats, but also manage the security of the supply chain, the operational technology (OT) in the factory, and the vehicle network used to monitor and update the platform.
"My headache, my concern, is basically divided in two: our network [which supports the creation of the platform], but that is not enough," he says. "We need to figure out what are the threats, and monitor [for those] all day long for each vehicle through our SOC."
Such security efforts, however, have another challenge: The success of right to repair efforts to open up all kinds of consumer and enterprise technology to allow customers to fix the devices that they buy. The passage of a Massachusetts law, for instance, calls for auto manufacturers and automotive-technology makers to share information and data produced by vehicles to allow consumers and third parties to maintain, repair, and even modify their vehicles.
While the National Highway Traffic Safety Administration (NHTSA) initially ruled that existing federal safety regulations preempted the laws — saying, "[f]ederal law does not allow a manufacturer to sell vehicles that it knows contains a safety defect" — the state and federal governments eventually came to an agreement over implementation: Automakers would be required to give third parties the ability to locally access data and systems to the vehicles they own, but the remote diagnostic and update networks can remain closed, the regulators ruled.
Whether the agreement will help companies with large fleets of vehicles, especially electric vehicles, remains an open question.
Software-defined vehicles really took off with EVs — and the example of Tesla's success — and the most significant software-based capabilities will likely remain with electric vehicles.
EV makers can build their platforms starting with initial design using software that can be updated to change the configuration and performance of the vehicles all the way through deployment and beyond, says Alex Oyler, director for North America at SBD Automotive, an auto supply chain consultancy.
The ability to effectively and quickly respond to cybersecurity events will likely remain with those manufacturers, not third parties, he says.
"If there's a really critical zero-day, and that needs to be patched as soon as possible, those product cybersecurity teams [at auto manufacturers] are running the show, coordinating stakeholders across the business and accelerating timelines to patch things," he says. "It's not an easy process today, that's for sure."
Some manufacturers may outsource the cybersecurity function, however. The United Nations passed an amendment for product safety requiring that the countries which are part of the UN Economic Commission for Europe have regulatory approval of the cybersecurity management systems used in vehicles.
Vehicles have been connected for decades, whether as part of an in-vehicle maintenance system or driver assistance. Yet, software-defined vehicles have expanded that connectivity, such as remote start via a smartphone app and tracking limited diagnostics for the consumer — essentially turning cars into Internet-of-things (IoT) devices. As automobile manufacturers offer more accessibility through APIs, more risk will follow, says Shira Sarid-Hausirer, a vice president at Upstream, an automotive cybersecurity and data management firm.
"Opening up to the ecosystem is what has probably introduced the most risk," she says, pointing to various cybersecurity hacks of Tesla vehicles. "What happens when OEMs started to open up their APIs to other third-party apps that can now send commands into your vehicle? ... The vehicle is becoming a hub for technology."
Giving companies access to some of that data to allow fleet management may be enough, while the agreement in the Massachusetts Right to Repair law allows some third parties to offer vehicle maintenance services — although, probably at great cost. Whether those restrictions will ameliorate in the future, as the fast pace of SDV innovation slows, remains to be seen, SBD Automotive's Oyler says.
"It's somewhat fair for both NHTSA and automakers to raise some flags, but that said, there is a secure way to share diagnostic information, and the software defined vehicle actually provides a way to do that through those secure channels," he says.
Automakers' recent focus on cybersecurity has resulted in much more secure platforms over the past decade. But the focus for the future needs to be on delivering that security and safety, while offering more transparency to customers, Oyler says. As enterprise customers and individual vehicle owners demand more maintainability and reusability in their devices, automakers will need to follow.
Properly designed platforms can also drastically reduce the risk of a widespread cyberattack, says Upstream's Sarid-Hausirer. The company already handles threat intelligence and incident response for some manufacturers and most incidents are not safety-related, but the company does classify half of all incidents as massive or high severity, according to the company's 2024 Automotive Cybersecurity Report.
"I can tell you that the vast majority of incidents that we see do not necessarily jeopardize safety, because there needs to be a reason to jeopardize your safety, and attackers don't work that way — they're out there to make money," she says. Instead, the company has seen a lot of attacks on availability. "They manipulate the app, so that you cannot start your trucks or get into your trucks in the morning. It could be ransomware, it could be other forms, but availability and fleets is something that has to be discussed."
Other attacks have used ride-hailing apps to cause traffic jams in Moscow and hacks for remote start apps. Those availability issues are less to do with diagnostic systems, such as the information necessary for right to repair, and more to do with the management systems, she says.
