
Rethinking Liability: How OEMs Can Protect the Software-Defined EV

Picture an automotive system increasing its capabilities overnight, learning from trips, and adapting to driving patterns and behavior. It is an emerging reality of the Software-Defined Vehicle (SDV). With SDVs leading the way, the automotive industry is quickly shifting from hardware-focused designs to software-driven architectures.

The international automotive market is anticipated to reach approximately $462 billion by 2030. Within it, software accounts for 40% of vehicle value, while SDVs are forecast to comprise around 90% of auto manufacturing by 2029. However, as the SDV market expands, cybersecurity in SDVs raises significant concerns.

Transformation in SDVs facilitates modular architectures and a Feature-as-a-Service business model. As a result, complexity rises in security and lifecycle management. This increases risk and places greater accountability on OEMs and software partners, as cybersecurity is crucial to compliance, brand reputation, and safety.

Given the stakes and the scale, Cybersecurity in Software-Defined Vehicles should be a top priority. It affects business frameworks, product strategy, enterprise value, and regulatory approval. Cybersecurity maturity can serve as a competitive differentiator. Let us briefly review the risk areas and strategic imperatives for OEMs to safeguard software-defined EVs.

Mapping Vulnerabilities within the EV Ecosystem for Industry Players

In-Vehicle System Threats: Deployment of SDV architectures in new automotive systems increases the attack surface exponentially due to strong connectivity, high data throughput, and centralized cloud computing.

a.) Privacy Risks and Data Breach: Software-defined EVs collect everything from sensor telemetry, location, driving behavior, and, in some cases, biometrics. Hence, any connectivity module loopholes in infotainment units can result in data breaches or data leakage. Any violation of privacy laws, such as the GDPR or the California Consumer Privacy Act, raises legal concerns and undermines customer trust. Thus, privacy protection is pivotal to vehicle safety when integrating SDV architectures.

b.) Domain Controller Susceptibility: Centralizing distinct Electronic Control Units (ECUs) into domain zones simplifies the architecture while simultaneously supporting SDV functions. On the other hand, consolidation aggravates risk factors. Vulnerabilities within the domain controller can hamper everything from battery management to steering; in short, the central safety system. Performance slowdowns also occur due to the application of containerization and virtualization technologies. A recent assessment of SDV virtualization models showed measurable effects on network, disk, memory, and CPU performance, and these overheads should be tactfully managed to ensure safety in real time. It is important to note that without robust isolation, encrypted communication, and strict safety validation, compromised controllers create significant regulatory and safety challenges.

Off-Board Infrastructure and Connectivity

a.) EV Charging Infrastructure: Some risks are inherent in charging networks, where backend Charge Station Management Systems (CSMS) and protocols like the Open Charge Point Protocol (OCPP) are vulnerable to attacks. Attackers can exploit these as entry points to inject malware or alter charging behavior. Therefore, it is crucial to ensure SDV resilience and protect infrastructure effectively, especially as the number of private and public charging stations increases.

b.) Over-the-Air (OTA) Update Pipeline Attacks: OTA updates address shortcomings, help apply security patches, and add novel attributes. However, the update procedure poses a security risk, as the system is prone to attacks. In the event of any compromise in the OTA channel, safety disruptions and the spread of malicious firmware are imminent.

c.) Vehicle-to-Everything (V2X) Communication: V2X channels ensure seamless connectivity through advanced driver-assistance attributes and coordination in real-time. However, risks and threats stemming from weak identities and poor authentication enable attackers to execute phishing attacks and alter sensor data.

Hence, intelligent abnormality detection becomes central to eradicating systemic failure across the ecosystem.

How to Secure the Software-Defined EV Ecosystem?

UNECE R155 Adherence: UNECE R155 mandates the establishment of a cybersecurity management system that determines, examines, and alleviates risks across the entire lifecycle of the vehicle. With global markets embracing R155, adherence to it has become a prerequisite for automotive manufacturers for market entry and vehicle type approval. Overall, cybersecurity governance is an integral part of international market access for industry leaders.

Robust R&D Strategy - Necessity of Embedding Security from the Groundwork Phase: Automotive manufacturers incur high costs when faults or errors are addressed in the final phases of product development. So, it is important to resolve irregularities in the initial phase to decrease expenses. It is vital to note that fixing errors late in the product lifecycle can increase overall expenses by 15-50 times. A solid strategy encompassing safe architecture, threat modelling, and early testing decreases operational cost and risk exposure.

Resilient Supply Chain

Strategic Partner Scouting: The SD-EV ecosystem comprises cloud platforms, OTA services, and cybersecurity tools. Therefore, each partner in the ecosystem must be rigorously vetted and selected for cybersecurity resilience. Here, strategic partner scouting is an effective way to ensure that all vendors comply with essential standards prior to integration.

Auditing Against ISO/SAE 21434: ISO/SAE 21434 provides a holistic framework for cybersecurity risk management across the SDV’s lifecycle. Embedding it in supplier contracts ensures flawless supply chain security.

Vehicle Security Operations Centers (VSOC): A dedicated VSOC identifies anomalies, offers end-to-end visibility into fleet behavior, and provides structured prompt responses. With V2X communication and OTA updates, a VSOC is vital to a resilient fleet and thorough regulatory reporting.

Conclusion:

As transformations shape next-gen mobility with SDVs, a robust, holistic cybersecurity strategy is necessary to deliver business value. Strict regulations and growing attack surfaces require security measures to be integrated across the supply chain, operations, and architecture. While SDVs present lucrative opportunities such as data-driven services, software revenue, and rapid innovation, these benefits come with significant responsibility. OEMs can turn risks into sustained growth and market leadership, setting the stage for the future-focused and responsible evolution of mobility.

Setting up a VSOC alongside the product development lifecycle, partnering with compliant vendors, and treating cybersecurity as a continuous obligation to mitigate risk and strengthen protection is the way forward. By treating cybersecurity as a fundamental strategic asset, OEMs and suppliers can turn risk into a lasting competitive edge and speed up the secure development of future mobility.
