From compliance to reality: closing the automotive cybersecurity gap
- Henry Simmons
- Feb 5
- 3 min read
Updated: 3 days ago

During my time at a European truck OEM, cybersecurity was always a hot topic. Yet many R&D teams were still unclear about what “doing cybersecurity” actually meant in practice.
What requirements should we write?
How should software be developed differently?
Which tests are really needed?
Too often, requirements ended up being treated as the destination rather than the means. Compliance became something owned by legal or quality teams, disconnected from the real and evolving threat landscape.
This problem is baked into today’s regulations. Most cybersecurity frameworks rely on vague language like “appropriate”, “proportionate”, or “reasonable”. While this flexibility is intentional, product teams often find it frustratingly unhelpful. Calibrating the right level of protection against fast-moving threats, under opaque rules, remains a major challenge, and it is still very common today.
We’ve been looking closely at some recent developments that may help fill in these gaps. Here are a few observations.

GB 44495-2024: More prescriptive, more practical
GB 44495-2024 is a cybersecurity regulation originating in China. Like ISO/SAE 21434, it aims to improve vehicle cybersecurity, but it goes further by explicitly defining test and verification methods for each requirement.
Another key difference: certification is performed per vehicle, not per organisation.
The regulation includes concrete specifications for features such as:
Network segmentation
Firewalling
IP address limiting
On-board logging
It draws heavily on established IT security best practices and applies them directly to the vehicle domain. Interfaces such as Bluetooth, Wi-Fi and USB, all common attack vectors, receive particular attention.
Overall, the requirements are sensible and well grounded. However, the associated tests are arguably too flexible and tend to target only the lowest-hanging threats. Teams inclined to cut corners could still achieve compliance while delivering a less secure vehicle.
That said, the direction of travel matters. Making mandatory testing part of regulation sends an important signal, and strong cybersecurity teams should build on this foundation rather than stopping at compliance.
ISO 24882: Designing for disconnected machines
ISO 24882 is a draft cybersecurity standard for off-highway equipment, a sector increasingly targeted by ransomware attacks.
Like GB 44495-2024, it explicitly covers maintenance and decommissioning as formal phases of the cybersecurity lifecycle. It also introduces a more structured approach to supply-chain security and establishes a shared vocabulary that helps align all players across the value chain.
Where ISO 24882 really stands out is its assumptions. Most current automotive regulations implicitly rely on always-on connectivity: security flaws can be found, patched and fixed via updates.
ISO 24882 assumes the opposite.
Many off-highway vehicles operate in remote locations with little or no cellular coverage. As a result, the standard places greater emphasis on hardware-level security and physical hardening.
This is rarely a priority for passenger cars, and that may be a blind spot. As more proprietary IP is stored on-board, attacks that target the physical vehicle itself become increasingly attractive.
What this means in practice
The rapid rise in cyberattacks, combined with widespread anxiety among automotive cybersecurity teams, suggests that relying on ISO/SAE 21434 alone isn’t enough. Threats evolve faster than regulations.
Bringing additional regulations and standards into your cybersecurity management system can help keep pace. Some newer frameworks are becoming more practical and implementation-focused, but there is still a significant gap between paperwork and real-world security.

How can we help?
Cost and time pressures sometimes force OEMs, often against their better judgment, to aim for compliance rather than security. Both the short-term and long-term causes of this are difficult to solve without balanced evaluation and expert advocacy from an external perspective.
SBD can help you right-size your cybersecurity effort to achieve a genuinely more secure product, with compliance emerging as a natural by-product. Positioning yourself as security-first, rather than compliance-first, resonates not only with boards but increasingly with customers too.
Looking ahead
"Cybersecurity planning should feel like chess, not dodgeball. Right-sizing your cybersecurity management system will help you deliver a product that not only has the appearance of security - but actually is."
Henry Simmons
Consulting Specialist
SBD Automotive
To find out more about how SBD Automotive can support your security-first approach, contact us at info@sbdautomotive.com to book time with our analysts for your projects.

