Welcome dear NetworkSecLearners to this new tutorial on the Automotive Cybersecurity Standards Landscape. As always, this will be a very interesting tutorial in which we are going to explore this important topic that plays a key role in today’s Automotive Cybersecurity.😊
With vehicles becoming more connected, more Software-driven and more exposed to the outside World, Cybersecurity is no longer optional in the Automotive Industry. It has become a real necessity. Protecting Vehicle Systems against Cyberattacks is not only about implementing Security Features but also about following well-defined processes, rules and standards throughout the entire Vehicle Life Cycle.😉
In this article, we will take a step back and look at the big picture of existing Standards in the Automotive Industry and then we will deep dive into each category in order to give you a clear and simple overview. Trust me, the goal here is not to overwhelm you with Regulations but to help you understand how everything fits together in a structured and practical way.
This tutorial is beginner friendly and intended for people already working in Automotive Cybersecurity as well as those planning to move into this field. My goal is also to give some awareness-level information to people who are simply curious about how Vehicle Security is regulated. Are you ready? If so, grab a cup of coffee, sit comfortably and let’s get started.🙏😊
1. Overview of Automotive Standards
You might be wondering why it is worth writing an article on this topic. Well, that is a fair question but believe me, this is one of the most important topics in the world of Automotive Cybersecurity.🙏 Indeed, Regulatory or mandatory Standards define requirements that OEMs and suppliers must meet in order to sell their Vehicles or components like Electronic Control Units in markets where these standards apply. Meeting these requirements means that OEMs and their suppliers have put in place the necessary processes and activities to ensure Cybersecurity across the entire Vehicle Life Cycle, from Concept and Development through Production to Operation and Maintenance. In simple terms, these Standards define what must be done from an Automotive Cybersecurity perspective. They do not always tell you exactly how to do it but they clearly state the expectations.
I published an article in 2024 on the importance of Automotive Cybersecurity and how standards help protect Vehicle Systems against Cyberattacks. I strongly recommend checking it out if you haven’t already : Introduction to Automotive Cybersecurity 😉
In the Automotive Industry, some Cybersecurity Standards are mandatory or regulatory while others are recommended or supportive. In the next sections, we will first look at the core mandatory Automotive Cybersecurity Standards, then move on to the Complementary Standards and finally cover Supporting Standards and Frameworks.
2. Core Automotive Cybersecurity Standards
In the context of Automotive Cybersecurity, some standards are mandatory regulations that directly impact how Vehicles and Components are designed, produced and maintained. Failing to comply with these standards can lead to serious legal and financial consequences for both OEMs and suppliers.😯 These core standards define the minimum Cybersecurity expectations that must be met in order to sell Vehicles in the Regulated Markets. In other words, they set the baseline for what is considered acceptable Cybersecurity practice in the Automotive Industry today.
2.1 UNECE WP.29
When it comes to mandatory standards, one of the most important references in the Automotive Cybersecurity is UNECE WP.29 which stands for the World Forum for Harmonization of Vehicle Regulations under the United Nations. UNECE WP.29 applies to many regions including Europe and defines mandatory cybersecurity requirements that Automotive manufacturers must respect. Within WP.29, two key regulations directly address Cybersecurity :
- REG 155 which focuses on Cybersecurity Management
- REG 156 which focuses on Secure Software Updates
These regulations aim to ensure that Vehicles are designed, produced, operated and updated in a secure way. They cover four main areas : managing Cybersecurity Risks, Securing Vehicles by design across the Supply Chain, detecting and responding to Cyber Incidents in the Vehicle fleet and of course ensuring that Software Updates are Safe and Secure. This is especially important today as Over-the-Air (OTA) Updates can be both a powerful Security tool and a potential Attack Vector if not properly managed.😉
2.1.1 REG 155 : Cybersecurity Management System (CSMS)
REG 155 requires automotive manufacturers to establish and maintain a Cybersecurity Management System, often called CSMS. This means putting in place structured Cybersecurity processes across the entire Organization and its Supply Chain.
In order to comply with REG 155 requirements, OEMs must be able to demonstrate that they systematically identify Cybersecurity Risks, assess them and apply appropriate mitigation measures throughout the Vehicle Life Cycle. As you might have already guessed based on the Automotive Cybersecurity knowledge acquired here, this involves performing Risk Assessments, implementing Technical and Organizational Controls, testing the effectiveness of those controls and continuously monitoring vehicles for Cybersecurity Incidents once they are on the road. Compliance with REG 155 is assessed in two stages. In the first stage, the manufacturer’s CSMS itself is audited to verify that proper processes and governance are in place; in the second stage, the actual vehicle is assessed to confirm that cybersecurity measures have been correctly applied at the product level. Only when both stages are successfully completed can a vehicle obtain the so-called Vehicle Type Approval, or VTA for short, in regions where WP.29 applies. It is also important to note that REG 155 does not only impact OEMs. Suppliers providing cybersecurity-relevant components must also follow the CSMS requirements since cybersecurity risks must be managed consistently across the entire Supply Chain.😉
I would like to clarify one common misunderstanding about REG 155 here. REG 155 does not impose a specific Cybersecurity Framework that OEMs must use; it defines what must be achieved, not how it must be achieved. This means that each OEM is free to choose the framework that best fits its Organization as long as the objectives of REG 155 are met. In the Automotive Industry, ISO/SAE 21434 is recognized as the suitable framework for implementing a Cybersecurity Management System, or CSMS for short. Because of its availability, structure and wide adoption in the Automotive Industry, most OEMs and suppliers rely on ISO/SAE 21434 to demonstrate compliance with REG 155 and to build their CSMS in a consistent and accepted way.😊
2.1.2 REG 156 : Software Update Management System (SUMS)
While REG 155 focuses on the cybersecurity management system, REG 156 addresses another critical topic which is Software updates. Modern Vehicles rely heavily on Software and the ability to update that Software remotely brings both benefits and risks. REG 156 therefore requires OEMs to implement a Software Update Management System (SUMS) to ensure that updates, including OTA (Over the Air or Remote Update), are performed securely and safely. As you might guess, the goal is to prevent unauthorized Software modifications and to make sure that Updates do not compromise Vehicle Safety and Security. REG 156 introduces a clear framework for managing Software Versions, validating update compatibility and ensuring that only approved and secure updates are deployed to vehicles. In simple terms, it ensures that updates are trustworthy, traceable and safe throughout the Vehicle’s lifetime.
2.2 ISO/SAE 21434 : Cybersecurity Engineering Standard
ISO/SAE 21434 provides a comprehensive framework for integrating Cybersecurity into the Vehicle and ECU development process and covers the entire Vehicle Life Cycle, starting from the Concept phase, through Development and Production, to Operations, Maintenance and end-of-life. It also introduces activities such as Threat Analysis and Risk Assessment (TARA), Cybersecurity requirements and concept definition, Secure Design and Implementation, Verification and Validation, Production Control, Incident Response and Vulnerability Management. ISO/SAE 21434 applies to both OEMs and suppliers and emphasizes collaboration across the Supply Chain. In practice, many organizations use ISO/SAE 21434 as the reference Framework to demonstrate compliance with REG 155 since it is explicitly recognized as a suitable approach for implementing a CSMS.
2.3 ISO 24089 : Software Update Engineering
ISO 24089 defines how software updates intended for Vehicles should be managed securely throughout their Life Cycle. If you remember from the previous sections, we stated that ISO/SAE 21434 plays a key role for Cybersecurity Management Systems (CSMS).😉 Well, ISO 24089 plays exactly the same role for Software Update Management Systems (SUMS). ISO 24089 is mainly used by Automotive Manufacturers and Suppliers to support compliance with UNECE REG 156, especially for Over-the-Air (OTA) Software Updates. Its goal is to ensure that Software Updates are safe, secure, reliable and do not introduce new risks.
ISO 24089 therefore provides high-level requirements and guidance covering the full Software Update process including Planning, Development, Testing, Deployment and Maintenance. By following this standard, organizations can demonstrate that their update mechanisms are well controlled and aligned with Industry best practices.
2.4 ISO/PAS 5112 : Guidelines for Auditing Cybersecurity Engineering
ISO/PAS 5112 is a guideline that helps organizations prove compliance with the ISO/SAE 21434 process requirements. The question of how to demonstrate that Cybersecurity processes are really implemented and effective quickly came up, and this is exactly where ISO/PAS 5112 comes in. This standard provides guidance for auditing an organization’s Cybersecurity Management processes, not the Vehicle or Product itself. In other words, it helps audit teams evaluate whether an OEM or supplier is actually applying the Cybersecurity processes required by ISO/SAE 21434 in a consistent and structured way.
ISO/PAS 5112 is based on the general auditing principles of ISO 19011 and adapts them specifically to Automotive Cybersecurity. It explains how to plan and conduct audits, what kind of evidence to look for (such as Cybersecurity Plans, Cybersecurity Cases or Assessment Reports) and how to evaluate audit findings. Audit results are typically classified as conformity, minor non-conformity or major non-conformity, which then drive corrective actions if needed.
I would like to share one important point to remember about ISO/PAS 5112: it focuses on process audits only and thus does not assess the Cybersecurity level of a specific product. However, successfully passing a process audit is often a prerequisite before moving to product-level cybersecurity assessments. In practice, ISO/PAS 5112 gives organizations a clear way to show that their cybersecurity processes are not just documented but actually working. 😊😉
2.5 CRA : Cybersecurity Resilience Act
The Cybersecurity Resilience Act (CRA) is a European regulation that aims to improve the Cybersecurity level of Digital Products sold on the EU market. It requires manufacturers to consider Cybersecurity from the design phase and to maintain Security throughout the product’s entire life cycle.
With the CRA, manufacturers must identify and manage cybersecurity risks, fix vulnerabilities and provide Security Updates when needed. The regulation also introduces clear rules for Vulnerability handling and Incident Reporting.
The CRA was adopted in 2024 and will become fully applicable after a transition period of about 36 months meaning most requirements fulfillment will become mandatory from December 2027. Some obligations such as Vulnerability Reporting will apply earlier in September 2026.💪🙏
For the automotive industry, the CRA complements existing regulations like UNECE WP.29 and standards such as ISO/SAE 21434. While WP.29 focuses specifically on vehicles, the CRA has a broader scope and applies to many digital products, including Software and Components used in vehicles, further strengthening Cybersecurity across the Supply Chain.
3. Secondary Automotive Cybersecurity Standards
While core automotive cybersecurity standards define the mandatory requirements, they rely heavily on secondary standards to support their practical implementation. These standards are not always legally required but in reality, they are widely expected by OEMs and play a key role in building secure and reliable automotive products. They mainly focus on quality management and software development processes which are essential foundations for Cybersecurity.
3.1 IATF 16949 (International Automotive Task Force) : International Standard for Automotive Quality Management Systems
IATF 16949 is the Automotive Quality Management Standard used across the entire Supply Chain. Even though it is not a Cybersecurity Standard, it is a strong prerequisite for Automotive Cybersecurity. Indeed, without controlled processes, Change Management, Documentation and Quality Checks, Software defects increase and so do Security Vulnerabilities. This is why ISO/SAE 21434 expects Organizations to operate within a Quality Management System. In practice, many Cybersecurity processes reuse existing IATF 16949 practices which makes implementation much easier and more efficient.
3.2 Automotive SPICE (Automotive Software-based systems Process Improvement and Capability Determination)
Automotive SPICE focuses on Software development process maturity for automotive ECUs and helps OEMs assess whether a supplier can develop Software in a structured and reliable way. In order to support modern Cybersecurity needs, ASPICE for Cybersecurity was introduced. This extension aligns ASPICE with ISO/SAE 21434 and UNECE R155 by adding Cybersecurity related process areas such as Secure Design, Risk Treatment and Cybersecurity Validation. ASPICE for Cybersecurity is therefore a practical link between Software Engineering processes and Automotive Cybersecurity compliance.
3.3 TISAX (Trusted Information Security Assessment Exchange) : Information Security for the Automotive Supply Chain
TISAX is very common in the automotive world especially because the Supply Chain is extremely distributed and sensitive information is shared everywhere (drawings, prototypes, software, test reports, IP, personal data, etc.). If one supplier is weak in Information Security, the whole Supply Chain can suffer. TISAX was created to make Information Security Assessments more standardized across Automotive partners. In simple words, it helps companies “prove” they have good protection for Information. Many OEMs and Tier 1 suppliers require their partners to have a TISAX label before they even start working together. It is also very useful when evaluating Supplier Cybersecurity Capability from an organizational point of view.😉
3.4 SAE J3101 : Hardware Security Modules for ECUs
SAE J3101 is more technical and focuses on secure Hardware in vehicles. Instead of talking about processes, it talks about the “secure building blocks” that help ECUs protect themselves especially through Hardware Security Modules (HSMs). These Secure Hardware Elements can protect Cryptographic Keys, support Secure Boot, accelerate Cryptographic Operations and provide a stronger “Root Of Trust” than Software-only solutions. This standard is useful when you want a common reference to define what a Secure Hardware Environment should be capable of especially for modern ECUs that need Secure Communication, Secure Diagnostics and Secure Updates.
3.5 Coding Standards
A huge number of security problems come from simple coding mistakes especially in C and C++ (memory issues, unsafe functions, undefined behavior, etc.). That is why coding standards exist to guide developers to avoid risky patterns and write safer code from the beginning. In Automotive, you will often hear these names :
- MISRA C / MISRA C++ : very popular in Safety related development and also useful for Security because it enforces disciplined and defensive Coding.
- AUTOSAR C++14 Guidelines : created to support modern C++ usage in critical Automotive Systems with rules meant to reduce unsafe language features and unpredictable behavior.
- CERT C / CERT C++ : more Security-focused than MISRA and very useful when you want coding rules that target real Software Weaknesses attackers often exploit.
If teams apply coding rules early (and not at the last minute), they reduce bugs, reduce rework and reduce Security holes.
3.6 NIST (National Institute of Standards and Technology) Cryptographic Standards
In Automotive Cybersecurity, Cryptography is everywhere from Secure Boot, Secure Communication, Key Management to Secure Updates and more. But Cryptography is tricky because if it is implemented incorrectly, it can create a false sense of Security. That is why NIST standards are often used as trusted references especially for Algorithms, Key Sizes, Random Number Generation and Key Management practices. You don’t need to memorize all NIST documents but as a Cybersecurity Engineer, it is good to know that NIST exists as a strong “source of truth” when you want to justify Cryptographic choices and avoid weak or outdated approaches.
4. Supporting Standards and Resources
Now that we have covered the Core and Secondary Automotive Cybersecurity Standards, let’s talk about the Supporting Standards. These ones are usually not mandatory but they are extremely useful in real life because they help you apply best practices, avoid common Security mistakes and stay aligned with the “state of the art” in Cybersecurity. Think of them as Tools and References that make your life easier when you are implementing ISO/SAE 21434 and the UNECE regulations in the Automotive Industry.
4.1 MITRE Common Weakness Enumeration (CWE)
MITRE CWE is basically a huge “dictionary” of common Software and Hardware Weaknesses that attackers love to exploit. Every year, MITRE publishes a list called the Top 25 CWEs which highlights the most frequent and dangerous Weaknesses seen in real-world Vulnerabilities. If you are doing a TARA, reviewing code or designing an ECU, CWE is very helpful because it reminds you of the Classic mistakes Engineers should avoid like Memory issues, Access Control problems and Injection Vulnerabilities.
4.2 NHTSA (National Highway Traffic Safety Administration) Cybersecurity Best Practices (US)
The NHTSA guide is a very practical document that gives recommended Cybersecurity best practices for modern vehicles. It includes both Organizational practices (like Governance, Risk Management, Supplier Handling and Incident Response) and technical practices (like Secure Diagnostics, Protecting Interfaces, Secure Communication, Network Segmentation, Logging and Secure Software Updates). It is not a law but it is a strong reference, especially when you want to double-check that your Cybersecurity Requirements cover the basics that the industry expects.
4.3 ENISA (European Union Agency for Cybersecurity) Good Practices for the Security of Smart Cars (EU)
ENISA (the European Cybersecurity Agency) has published reports that are very useful for the Automotive World. Indeed, their “smart cars” good practices provide a clear view of what assets need protection (vehicle functions, sensors, networks, backend servers, etc.) and also list common Threats and Attack Scenarios. Many Cybersecurity Engineers use ENISA as inspiration when building a Threat list, preparing a Vehicle-level TARA or creating a Cybersecurity Controls Catalog.😉
4.4 SAE J3061 Cybersecurity Guidebook
SAE J3061 is an older Automotive Cybersecurity Guidebook and today it is mostly superseded by ISO/SAE 21434, but it still remains a good learning resource because it explains many important ideas in a very “Engineering” way, like Cybersecurity Thinking for Cyber-physical Systems, the Safety/Security relationship and general Risk Assessment approaches. If you want extra background material to better understand Automotive Cybersecurity logic, J3061 can still be helpful.
4.5 ISO/IEC 27001 : Information Security Management System
ISO 27001 is not an Automotive specific standard but it is widely used across industries to build an Information Security Management System (ISMS). In simple terms, it helps organizations protect sensitive Information through Risk Management, Security Controls, Incident Response and Continuous Improvement. In the Automotive Industry, ISO 27001 becomes important because Engineering teams rely heavily on IT Systems, Tools and shared data. So having a basic understanding of ISO 27001 helps align Cybersecurity expectations between IT Security and product Cybersecurity teams.
4.6 NIST SP 800-160
NIST SP 800-160 is a strong reference for understanding what a secure engineering process looks like. It includes useful content such as Security Design Principles and Security Controls which can support your work when ISO/SAE 21434 asks you to build things like a Cybersecurity Controls Catalog.
4.7 Uptane (Secure OTA Updates)
Uptane is a framework designed to secure Over-the-Air (OTA) Software Updates and its main goal is to protect Vehicles against OTA-related Attacks like Rollback Attacks, Replay Attacks and Man-in-the-Middle Attacks. Uptane does this by using strong Signing, Metadata and trust chains so that even if one part of the update infrastructure is compromised, the Attacker still cannot easily push Malicious Updates. For teams working on OTA Systems, Uptane is a very good reference alongside SUMS requirements.
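To make these mechanisms concrete, here is an added example written for this tutorial (my own simplified illustration, not Uptane’s reference implementation) of the checks an ECU performs before accepting an update: signature validity, metadata expiry against replay, a version counter against rollback, agreement between the Director and Image repositories, and the image hash against tampering in transit. It assumes an HMAC as a stand-in for the asymmetric signatures real Uptane uses, and the `Ecu`, `make_metadata` and `run_scenarios` names and the sample keys, firmware and metadata are all constructed for the example.

```python
import hashlib
import hmac
import json

# HMAC-SHA256 stands in for the asymmetric signature (Ed25519/RSA) that real
# Uptane places on its TUF-style metadata, so this runs on the stdlib alone.
def sign(key: bytes, metadata: dict) -> str:
    body = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def signature_ok(key: bytes, metadata: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, metadata), sig)

class Ecu:  # hypothetical client-side verifier, not Uptane's reference code
    def __init__(self, director_key: bytes, image_key: bytes, installed_version: int):
        self.director_key = director_key  # trusted Director repository key
        self.image_key = image_key        # trusted Image repository key
        self.version = installed_version  # last accepted metadata version

    def verify_update(self, director, director_sig, image_repo, image_sig,
                      filename, image_bytes, now):
        """Return (accepted, reason); both repositories must vouch for the file."""
        # 1. Authenticity: each repository's metadata carries a valid signature.
        if not signature_ok(self.director_key, director, director_sig):
            return False, "bad Director signature"
        if not signature_ok(self.image_key, image_repo, image_sig):
            return False, "bad Image repository signature"
        # 2. Freshness: expired metadata is a replay of an old, once-valid update.
        if director["expires"] <= now or image_repo["expires"] <= now:
            return False, "expired metadata (replay)"
        # 3. Rollback: the Director's metadata version must only move forward.
        if director["version"] <= self.version:
            return False, "metadata version not newer (rollback)"
        # 4. Agreement: a compromised Director alone cannot redirect the ECU
        #    because the Image repository must list the identical target.
        d_target = director["targets"].get(filename)
        if d_target is None or d_target != image_repo["targets"].get(filename):
            return False, "Director and Image repository disagree on target"
        # 5. Integrity: downloaded bytes must match the signed hash and length.
        digest = hashlib.sha256(image_bytes).hexdigest()
        if digest != d_target["sha256"] or len(image_bytes) != d_target["length"]:
            return False, "image hash/length mismatch (tampered in transit)"
        self.version = director["version"]
        return True, "update accepted"

# Constructed sample keys, firmware and metadata (not real Uptane fixtures).
DIRECTOR_KEY, IMAGE_KEY = b"director-repo-key", b"image-repo-key"
FIRMWARE = b"ecu-firmware-v2"
TARGET = {"sha256": hashlib.sha256(FIRMWARE).hexdigest(), "length": len(FIRMWARE)}

def make_metadata(version: int, target: dict, expires: int) -> dict:
    return {"version": version, "expires": expires, "targets": {"ecu.bin": target}}

def run_scenarios() -> dict:
    """Exercise each check once; returns {scenario: accepted}."""
    now, results = 1_000, {}
    good = make_metadata(2, TARGET, now + 3600)
    def attempt(name, ecu, director, image_repo, payload):
        ok, _ = ecu.verify_update(director, sign(DIRECTOR_KEY, director), image_repo,
                                  sign(IMAGE_KEY, image_repo), "ecu.bin", payload, now)
        results[name] = ok
    attempt("valid update", Ecu(DIRECTOR_KEY, IMAGE_KEY, 1), good, good, FIRMWARE)
    attempt("rollback", Ecu(DIRECTOR_KEY, IMAGE_KEY, 5), good, good, FIRMWARE)
    attempt("replay", Ecu(DIRECTOR_KEY, IMAGE_KEY, 1),
            make_metadata(2, TARGET, now - 1), good, FIRMWARE)
    attempt("tampered image", Ecu(DIRECTOR_KEY, IMAGE_KEY, 1), good, good, FIRMWARE + b"!")
    bogus = {"sha256": hashlib.sha256(b"bogus-fw").hexdigest(), "length": 8}
    attempt("compromised Director only", Ecu(DIRECTOR_KEY, IMAGE_KEY, 1),
            make_metadata(2, bogus, now + 3600), good, b"bogus-fw")
    return results
```

Only the first scenario is accepted; each of the others trips exactly one of the five checks, which is the layering that lets Uptane tolerate the compromise of a single repository.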
CONCLUSION
As you have seen, the Automotive Cybersecurity Standards Landscape may seem complex at first but when viewed as a whole, it becomes much easier to understand. Each Standard plays a specific role and together they help ensure that Vehicles are designed, produced and maintained in a secure way throughout their Entire Life Cycle.
The core standards define what is mandatory from a regulatory point of view whereas the Secondary Standards support these requirements by providing concrete processes and Technical guidance. Finally, the Supporting Standards and Resources help teams avoid common pitfalls and stay aligned with Cybersecurity best practices.
One important thing to remember is that automotive cybersecurity is not about a single Standard but about a combination of Processes, Technology and Awareness across the Entire Supply Chain. You don’t need to master everything at once. I recommend you just start with the essentials and build your knowledge of the Automotive Cybersecurity Standards step by step.
I hope this tutorial gave you a clear and useful overview of Automotive Cybersecurity Standards. If you found it helpful, feel free to share it and don’t forget to subscribe to the Newsletter to get notified for any new Automotive Cybersecurity Content. 😊
