As the automotive industry transitions into an era dominated by Software-Defined Vehicles (SDVs), the fusion of software and hardware has transformed traditional vehicles into sophisticated "software on wheels." This evolution, propelled by advancements in Connected, Autonomous, Shared and Electrified (CASE) technologies, has introduced unprecedented opportunities and challenges. A striking illustration of this shift is the projected increase in software complexity: by 2030, modern cars are expected to contain around 300 million lines of code, dwarfing today’s passenger aircraft, which typically has only 15 million lines of code. This monumental increase underscores the importance of robust cybersecurity measures to protect these intricate systems from emerging threats.

The changing landscape of automotive cybersecurity

Initially, cybersecurity threats to automobiles were largely experimental, often conducted by white-hat hackers to help manufacturers improve security. However, the contemporary landscape, as highlighted by the Global Automotive Cyber Security Report from Upstream Security, reveals a more sinister reality. The report indicates a significant rise in the severity and frequency of cyber-attacks, with nearly 50% of incidents in recent years categorized as having a "High" or "Massive" impact. Remote attacks now constitute 95% of these incidents, primarily driven by black-hat hackers aiming for large-scale disruptions.

Increasing attack surfaces in SDV

SDVs, with their reliance on software and connectivity, present numerous attack surfaces:


  1. Software components: The diverse and advanced software components in SDVs, including those leveraging virtualization and service-oriented architectures, introduce vulnerabilities that can be exploited by attackers.
  2. Remote server vulnerabilities: Communication with remote servers is integral to SDVs but can be risky. Certain network messaging protocols lack authentication and encryption, allowing attackers to impersonate backend systems or intercept sensitive data.
  3. Application Programming Interfaces (APIs): SDVs rely on numerous internal and external APIs, expanding the attack surface significantly. Vulnerabilities in these APIs can be exploited to gain unauthorized access to vehicle systems.
  4. Infotainment systems: Connected to the vehicle's internal network, OEM backends, and user devices, infotainment systems can be a critical entry point for attackers seeking access to personal information or OEM servers.
  5. Telematics and other electronic subsystems: Communication gateways and systems such as tire pressure monitoring and steering control offer entry points that attackers can exploit to manipulate vehicle operations.
  6. Mobile phone applications: Security flaws in companion apps or third-party apps on mobile devices can be exploited to access vehicle subsystems or backends.
  7. Smart key fob manipulation: Hackers can gain unauthorized vehicle access by intercepting or jamming key fob communications or using devices to impersonate the key fob control unit.
  8. EV charging stations: The infrastructure for electric vehicle charging, including associated apps, is vulnerable to attacks that could disrupt charging operations or compromise user data.
  9. Over-The-Air (OTA) updates: While OTA updates deliver enhanced software functionality and bug fixes throughout the vehicle's lifespan, they also introduce risks of wireless communication attacks that could impact multiple vehicles simultaneously.
  10. Vehicle-to-everything (V2X) connectivity: As vehicles communicate with road infrastructure, other vehicles, and various electronic devices, the risk of attacks through these connections increases.

Keeping it secured with regulatory frameworks

To address the escalating cybersecurity threats, various regulatory frameworks have been established:


  1. UNECE WP.29 R155 and R156: These standards, mandatory in the EU from July 2024, focus on organizational and operational cybersecurity. R155 requires OEMs to establish a Cyber Security Management System (CSMS) that integrates cybersecurity across all business processes and supply chains. R156 governs a Software Update Management System (SUMS), ensuring secure and effective software update practices.
  2. ISO/SAE 21434: Complementing R155, this standard provides a comprehensive cybersecurity framework covering the entire vehicle lifecycle. It emphasizes compliance and creating work products to ensure cybersecurity measures are adhered to, though it does not prescribe specific processes.
  3. ISO 24089:2023: This standard addresses the requirements and recommendations for software update engineering for road vehicles at both organizational and project levels, aligning with UNECE R156.

Four-pronged approach to tackling cybersecurity in SDVs

Addressing the cybersecurity challenges in SDVs involves a multi-faceted approach, typically structured around four progressive stages:

  1. Prediction: Anticipating potential cyber threats and vulnerabilities through processes such as Threat Analysis and Risk Assessment (TARA). Predictive analytics and threat intelligence are crucial in foreseeing risks and preparing proactive measures.
  2. Prevention: Implementing robust security measures to minimize the likelihood of cyber-attacks. This includes encryption, access control mechanisms, secure coding practices, and network segmentation. Secure design principles and methodologies should be integral to software and hardware development processes.
  3. Detection: Deploying mechanisms to identify unauthorized activities, anomalies, or security breaches in real time. This involves using intrusion detection systems (IDS), security monitoring tools, and anomaly detection algorithms to continuously monitor network traffic, system behavior, and user activities.
  4. Response and recovery: Implementing effective response plans to mitigate the impact of cyber-attacks and restore security. This involves incident response procedures to contain breaches, analyze root causes, and remediate affected systems. Actions may include isolating compromised components, applying security patches, restoring backups, and coordinating with regulatory authorities and cybersecurity experts.

These steps must be integrated throughout the entire vehicle lifecycle, from conceptualization through production to decommissioning, ensuring comprehensive and continuous protection against evolving cyber threats.

Quest Global as a trusted partner for SDVs' cybersecurity

The advent of Software-Defined Vehicles marks a transformative era in the automotive industry, characterized by unprecedented software complexity and connectivity. These advancements offer remarkable benefits but also introduce significant cybersecurity challenges. Adopting a structured and proactive approach to cybersecurity, grounded in robust regulatory frameworks and best practices, is essential for safeguarding SDVs against evolving threats.


As the landscape evolves, ongoing vigilance and innovation in cybersecurity will be crucial. Ensuring the secure and successful future of automotive technology requires collaboration, expertise, and a relentless commitment to excellence in cybersecurity. With its extensive expertise in end-to-end engineering and software services, Quest Global stands as a trusted partner for OEMs navigating these complexities. Our cross-industry capabilities provide a robust defense against cyber threats, enabling OEMs to focus on innovation and delivering secure, sophisticated software-defined vehicles to the market.



Navigating cybersecurity challenges in software defined vehicles


Divya M.S.

Senior Technical Architect, Quest Global
