
Cyberterrorism and the Connected Car: The Growing Threat To Automotive Security

Security must become a strategic imperative embedded throughout the vehicle lifecycle.


The automotive sector is going through a period of rapid transformation, driven by the emergence of software-defined vehicles [SDVs], always-on connectivity and increasingly autonomous systems. These innovations are revolutionising mobility, but they are also reshaping the threat landscape in profound and potentially dangerous ways.

Cybersecurity, once somewhat of an afterthought in automotive design, is fast becoming critical to road safety, brand trust and even national security. The question is no longer if hackers will target connected vehicles, but when, how and to what extent.

From privacy concerns to physical risks

Not long ago, automotive cybersecurity was primarily about protecting consumer data, preventing vehicle theft and shielding backend systems, but today, that’s only part of the picture.

Modern vehicles are effectively mobile computing platforms, complete with embedded operating systems, high-speed connectivity and interdependent subsystems that blur the lines between entertainment, diagnostics and critical control functions.

With that integration comes exposure. A vulnerability in an infotainment system or a wireless entry point could, under the right circumstances, be used to access more sensitive components - potentially even those controlling acceleration, braking or steering.

Incidents such as the infamous Jeep Cherokee hack first alerted the public to these threats. Now, demonstrations at events like Pwn2Own Automotive show just how routine and replicable such exploits can be. From misconfigured APIs and unsecured firmware to exposed debug ports and weak authentication, the attack surface is large and expanding.

A national infrastructure risk, not just an OEM problem

The threat actors have evolved, too. While financially driven cybercrime remains a significant risk, the spectre of cyberterrorism is no longer merely theoretical. Imagine a coordinated attack where thousands of compromised vehicles are immobilised in key transport corridors or used to block emergency routes.

It’s not “make-believe” - it’s a very plausible scenario based on the current threat environment and the increased reliance on over-the-air [OTA] updates and remote fleet management.

As vehicles become entangled with national digital infrastructure, ranging from smart traffic systems to EV charging networks, the implications of an attack transcend any one manufacturer or model. This is a public safety concern, and it demands a collective response.

Learning from mobile and telecom

There are lessons to be drawn from other digitised industries. In mobile telecoms, for example, security breaches led to the widespread adoption of embedded hardware protection, ranging from secure elements to trusted execution environments [TEEs]. This was combined with the widespread introduction of digital identity architectures to provide a layered security approach. The industry learned that software-based defences alone were insufficient.

The same principle applies in automotive. Although robust software is critical, hardware-backed security can offer immutable roots of trust that are essential for verifying boot processes, protecting keys and isolating critical functions. This kind of defence is harder to bypass, especially in a compromised environment.

Embedded security: The first and last line of defence

The ability to remotely lock, isolate or disable a vehicle [if securely implemented at the hardware level] could be important for preventing or containing attacks, and for providing effective deterrents to vehicle crime in general. Such capabilities exist today and should be treated as core safety infrastructure.

OEMs that embed security at the silicon level gain confidence that their defences cannot be circumvented through user-level exploits or malware. In an environment where updates are delivered OTA and consumer devices constantly interact with vehicle systems, that assurance couldn’t be more vital.

Regulation is moving - but is it fast enough?

Efforts like UNECE WP.29 and ISO/SAE 21434 are establishing a regulatory framework for vehicle cybersecurity, and many Type Approval authorities are now assessing vehicles not just for launch-time compliance, but for ongoing ‘evergreen’ cybersecurity capabilities.

This is encouraging, but standards alone are not enough. Security must become a strategic imperative embedded throughout the vehicle lifecycle, from design and development to procurement, testing and post-sale updates. It must be owned by leadership and ingrained in every tier of the supply chain.

Final thoughts

The industry has an opportunity to address these risks before the first large-scale automotive cyberattack materialises, but it is running out of time. Cybersecurity must be treated with the same urgency and investment as functional safety.

Connected vehicles will only earn long-term trust if they can demonstrate not just performance and innovation, but resilience and security. That responsibility is shared - by OEMs, suppliers, regulators and even consumers.

The future of mobility depends on secure-by-design thinking, hardware-anchored protection and proactive cross-sector collaboration. The time to act is now - before the cost of inaction becomes catastrophically clear.



Claire Maslen, senior vice president of commercial and operations, Trustonic
