The Evolving Landscape of Automotive Cybersecurity

According to Desai and ARAI, (2025), Cybersecurity has become a critical challenge in the automotive industry as modern vehicles become increasingly connected. Integrating advanced electronics, software-driven features, and over-the-air (OTA) updates has significantly expanded the attack surface for potential cyber threats. Recognizing this risk, global regulatory bodies such as UNECE WP.29 and ISO 21434 have established cybersecurity frameworks to ensure that vehicles meet stringent security requirements throughout their lifecycle. These frameworks mandate comprehensive cybersecurity risk management, covering everything from design and development to post-production monitoring.


Figure 1: Vehicle Threat Landscape

Figure 1 highlights multiple cybersecurity risks that modern vehicles face. Threats include vulnerabilities in external vehicle interfaces, in-vehicle networks, and essential components like sensors, radar, LiDAR, and cameras. Effective cybersecurity strategies must address these attack vectors to prevent unauthorized access and potential breaches.


Figure 2: Industry expert presenting insights on global cybersecurity standards for connected vehicles

Regulatory Mechanisms in India: A Roadmap for Compliance

India has proactively aligned its automotive regulations with global standards, introducing the AIS 189 and AIS 190 frameworks to ensure compliance with cybersecurity and software update management requirements, as mentioned by Desai and ARAI, (2025). The Automotive Research Association of India (ARAI) is pivotal in defining these regulations and facilitating approvals for certain types. The government has mandated that vehicle manufacturers implement cybersecurity management systems (CSMS) to ensure the integration of cybersecurity measures into vehicle design from the outset.


Figure 3: Regulatory Mechanism in India

Figure 3 highlights how various governmental and industry bodies coordinate to regulate automobile cybersecurity standards. Agencies like MoRTH, BIS, and ARAI are crucial in developing standards, certification processes, and compliance mechanisms to align India with global automotive cybersecurity norms.

Cybersecurity Management System (CSMS) and Type Approval

A well-defined Cybersecurity Management System (CSMS) is crucial for compliance with regulatory standards, as highlighted by Desai and ARAI, (2025). CSMS encompasses processes for identifying, assessing, and mitigating cyber risks throughout the vehicle lifecycle. Under the AIS 189 standard, vehicle manufacturers must implement CSMS and obtain type approval before launching their vehicles. This includes rigorous security testing, incident response mechanisms, and ongoing threat intelligence monitoring. The move towards cybersecurity certification ensures manufacturers remain accountable for securing their vehicles against evolving threats.


Figure 4: Cybersecurity Throughout the Vehicle Lifecycle

Figure 4 highlights the end-to-end cybersecurity management process in the automotive industry. Cybersecurity risks must be continuously identified and mitigated from the initial concept and product development phases to production, operations, and maintenance.


Figure 5: Acknowledging key contributions in advancing automotive cybersecurity compliance

Challenges in Implementing Cybersecurity Regulations

Despite the regulatory push, the Indian automotive industry faces several challenges in implementing cybersecurity standards, as emphasized by Desai and ARAI, (2025). The primary obstacles include a lack of specialized cybersecurity expertise, limited penetration testing capabilities, and the need for standardized security assessment procedures. Additionally, establishing a centralized database for sharing type approval information, similar to the European Union’s Database for Exchange of Type Approval (DETA), remains a key area for improvement. Addressing these challenges requires collaboration between industry stakeholders, regulatory bodies, and cybersecurity professionals.

The Future of Automotive Cybersecurity in India

India’s approach to automotive cybersecurity will continue evolving, with increased focus on AI-driven threat detection, vehicle-to-everything (V2X) security, and enhanced OTA update mechanisms, according to Desai and ARAI, (2025). Implementing AIS 189 and AIS 190 lays a strong foundation for future advancements, ensuring that Indian vehicles remain resilient against cyber threats. Integrating robust cybersecurity measures will be essential to maintaining consumer trust and regulatory compliance as the industry moves towards software-defined vehicles.


Figure c: Transition to Software-Defined Vehicles

As shown in Figure 6, modern Level 5 (L5) autonomous vehicles require nearly 1000 million lines of code, compared to 100 million in traditional, modern cars. This surge in software complexity and connectivity expands the cybersecurity threat surface, making

robust security frameworks, secure OTA updates, and real-time threat monitoring essential for future vehicles.


Figure 7: Experts and industry leaders driving the future of automotive cybersecurity compliance

References

Desai, M. C ARAI. (2025). Driving compliance – Global Automotive cybersecurity standards and Indian regulations. In ARAI.

Author

  • Mike Bartley

    Dr Mike Bartley has over 30 years of experience in software testing and hardware verification. He has built and managed state-of-the-art test and verification teams inside several companies (including STMicroelectronics, Infineon, Panasonic, and the start-up ClearSpeed) and also advised several companies on organisational verification strategies (ARM, NXP, and multiple start-ups). Mike successfully founded and grew a software test and hardware verification services company to 450+ engineers globally, delivering services and solutions to over 50+ clients in various technologies and industries. The company was acquired by Tessolve Semiconductors, a global company with 3000+ employees supporting clients in VLSI, silicon test and qualification, PCB, and embedded product development in multiple vertical industries. Mike is currently a Senior VP at Tessolve supporting VLSI globally, focusing on helping companies incorporate the latest verification techniques and strategies into their verification flows and building verification teams to support these companies in implementing them on IP and SoC projects. He is also responsible for the Tessolve Centres of Excellence running all R&D projects with Tessolve, including building a new AI capability across all Tessolve products and services. Mike has a PhD in Mathematics (Bristol University), and 9 MSc in various subjects including management (MBA), software engineering, computer security robotics and AI, corporate finance, and blockchain and digital currency. He is currently studying part-time for an MSc in quantum computing at the University of Sussex and the use of technology in healthcare at the University of Glasgow.