Tag: Standards

  • Automotive-CIS

    Source: Autocrypt Unveils „Automotive-CIS,” a Global Integrated Cybersecurity Infrastructure Standard for Vehicles, at CES 2026

    At CES 2026, Autocrypt unveiled „Automotive-CIS” (Cybersecurity Infrastructure Standard), a framework intended to unify the Cyber Security Management System (CSMS), the Software Update Management System (SUMS), and vehicle SOC (vSOC) operations into a single reference model for Software-Defined Vehicles (SDVs).

    While the initiative promises to streamline security functions that are currently fragmented across the vehicle lifecycle, its emergence highlights a persistent trend in the industry: the proliferation of proprietary standards.

    Information security has a long history of generating norms, guidebooks, and frameworks, and we must distinguish between engineering resilience and administrative compliance. The rise of „integrated standards” may raise more questions than it answers:

    • Is this standard a technical breakthrough, or a vendor-driven initiative designed to create ecosystem gravity and PR momentum?
    • A comprehensive infrastructure standard does not by itself improve a vehicle’s security posture. It often just raises the administrative bar, rewarding „checkbox” compliance over actual vulnerability mitigation.
    • Every new „integrated standard” consumes engineering hours for documentation and alignment, hours that are often diverted from low-level security work.

    This is not to suggest that initiatives like Automotive-CIS lack merit or are technically flawed; rather, it is a call for the industry, and the community in particular, to monitor the proliferation of such standards closely and make sure they deliver tangible security outcomes rather than merely adding administrative complexity.

    In other words, let’s be more cautious and aware: „standard inflation”, in which marketing-driven frameworks outpace actual engineering progress, is just around the corner.


  • Network segmentation in automotive architectures

    Source: https://storage.googleapis.com

    The concept of network segmentation in automotive architectures is well-established, traditionally using gateways to separate functional domains such as powertrain, telematics, and comfort. However, in an era of Software-Defined Vehicles and hyper-connectivity, partial implementation is no longer sufficient. Segmentation must evolve from an architectural preference into a rigorous, industry-wide standard, from the OEM down through the entire Tier-N supply chain.

    Enforcing standards down the supply chain

    The most critical security gaps often originate not in the OEM’s high-level design but at the supplier level. A Tier-1 component that unintentionally bridges two segments, for example a connectivity module with undocumented access to a safety-critical bus, can undermine the entire vehicle’s security posture. This „lateral movement” is exactly what attackers exploit to get from a non-critical foothold (such as infotainment) to a safety-critical system.

    Zero Trust at the hardware level

    Segmentation must be treated as a compliance standard. To move forward, OEMs must demand:

    • Verified Isolation: Formal, verifiable evidence of isolation capabilities from every Tier-1 and Tier-2 supplier, checked against the OEM’s segmentation policy rather than taken on trust.
    • Zero Trust Integration: Ensuring that „Zero Trust” principles, where no communication is trusted by default, are embedded into both hardware and software long before components reach the assembly line.
    • Architectural Rigor: Moving beyond simple physical separation to include logical isolation (e.g., VLANs on the Ethernet backbone) and strict, default-deny firewall rules at the vehicle’s central gateway.
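    To make „verified isolation” concrete, here is an added example, not code from the source and not tooling from any OEM or supplier: a small Python check that takes a constructed vehicle network model (segments with trust tiers, component interface declarations of the kind a supplier would submit, and an explicit allow-list of gateway flows) and reports two things: any non-gateway component attached to more than one segment (an ungoverned bridge such as the connectivity module described above) and any path from a low-trust segment to a safety-critical one that the allow-list never explicitly declares, including transitive paths that pass only through permitted flows. All segment, component and service names are hypothetical.

```python
"""Segmentation policy check for a constructed in-vehicle network model.

Added example, not code from the source. Names of segments, components and
services are hypothetical. The model is default-deny: only flows listed in
ALLOWED_FLOWS are forwarded by the gateway; everything else is dropped.
"""
from collections import deque

# Segment -> trust tier. Tier >= CRITICAL_TIER is safety-critical.
SEGMENTS = {
    "ivi": 0,          # infotainment
    "telematics": 1,   # TCU / cellular uplink
    "comfort": 2,      # body and comfort ECUs
    "chassis": 3,      # braking, steering
    "powertrain": 3,   # engine / e-drive control
}
CRITICAL_TIER = 3

# Flows the OEM explicitly permits the central gateway to forward:
# (source segment, destination segment, service). Nothing else is allowed.
ALLOWED_FLOWS = {
    ("ivi", "telematics", "diag-upload"),
    ("telematics", "comfort", "remote-lock"),
    ("telematics", "powertrain", "ota-update"),
}

# Interface declarations as submitted by suppliers: which segments each
# component is physically attached to. The TCU here plays the Tier-1
# module from the text: it quietly has a second interface on the chassis bus.
COMPONENTS = {
    "central_gateway": {"role": "gateway",
                        "segments": {"ivi", "telematics", "comfort", "chassis", "powertrain"}},
    "head_unit": {"role": "ecu", "segments": {"ivi"}},
    "tcu":       {"role": "ecu", "segments": {"telematics", "chassis"}},
    "bcm":       {"role": "ecu", "segments": {"comfort"}},
    "esc":       {"role": "ecu", "segments": {"chassis"}},
    "ecm":       {"role": "ecu", "segments": {"powertrain"}},
}


def build_edges(components, allowed_flows, segments):
    """Turn the model into a directed graph between segments.

    A gateway contributes one edge per allow-listed flow it can serve.
    Any other component that spans several segments is an undeclared
    bridge: it contributes bidirectional edges that no policy governs.
    Returns (edges, bridge_names). Iteration is sorted so output is stable.
    """
    edges = {seg: [] for seg in segments}
    bridges = []
    for name in sorted(components):
        spec = components[name]
        segs = spec["segments"]
        if spec["role"] == "gateway":
            for src, dst, svc in sorted(allowed_flows):
                if src in segs and dst in segs:
                    edges[src].append((dst, f"{name}:{svc}"))
        elif len(segs) > 1:
            bridges.append(name)
            for a in sorted(segs):
                for b in sorted(segs):
                    if a != b:
                        edges[a].append((b, f"{name}:UNGOVERNED"))
    return edges, bridges


def shortest_path(edges, src, dst):
    """BFS; returns the hop labels of one shortest witness path, or None."""
    queue = deque([(src, [])])
    seen = {src}
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt, label in edges[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [label]))
    return None


def audit(components, allowed_flows=ALLOWED_FLOWS, segments=SEGMENTS):
    """Return a deterministic list of human-readable findings."""
    edges, bridges = build_edges(components, allowed_flows, segments)
    findings = [f"undeclared bridge: {n} spans {sorted(components[n]['segments'])}"
                for n in bridges]
    low = sorted(s for s, tier in segments.items() if tier < CRITICAL_TIER)
    critical = sorted(s for s, tier in segments.items() if tier >= CRITICAL_TIER)
    for src in low:
        for dst in critical:
            hops = shortest_path(edges, src, dst)
            if hops is None:
                continue  # unreachable: isolation holds for this pair
            route = ", ".join(hops)
            if any(h.endswith(":UNGOVERNED") for h in hops):
                findings.append(f"{src} -> {dst} via {route} (ungoverned hop)")
            elif len(hops) > 1:
                # Every hop is allow-listed, yet the end-to-end reach was
                # never declared: transitive exposure the policy missed.
                findings.append(f"{src} -> {dst} via {route} (transitive, not on allow-list)")
    return findings


if __name__ == "__main__":
    for line in audit(COMPONENTS):
        print("FINDING:", line)
    # Same model after the supplier drops the undocumented chassis interface.
    fixed = dict(COMPONENTS, tcu={"role": "ecu", "segments": {"telematics"}})
    print("after fix:", audit(fixed))
```

    Run as is, the check reports the TCU as an undeclared bridge, an ungoverned route from infotainment to the chassis segment through it, and a transitive infotainment-to-powertrain route that rides only on permitted flows (diagnostics upload into telematics, then OTA into powertrain). The single-hop telematics-to-powertrain flow is not flagged because the policy declares it explicitly; whether that is acceptable is a policy decision, not a bug. After the TCU declaration is corrected, only the transitive finding remains, which is the point of evaluating an allow-list end to end rather than hop by hop. In practice the dictionaries would be generated from supplier interface declarations and the gateway’s actual forwarding table rather than written by hand.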

    We can no longer rely on „security by obscurity” or on the assumption that sub-components are intrinsically isolated. Resilience requires a top-down approach that leaves no room for unintentional bridging.