From Vehicles to Ecosystems: Key Trends from Escar USA 2026

Event: May 20-21, Novi, MI 

Who was there: 176 registered participants, down from 205 in 2025 but still above the 159 who attended Escar Europe. The audience included a mix of OEMs, Tier 1s, and technology vendors. Sponsored booths featured ETAS, Finite State, Omnitrust (formerly Integrity Security Services), VxLabs, Upstream, VicOne, PlaxidityX, and Saphira. Auto-ISAC was also a sponsor. 

Automotive cybersecurity is moving beyond vehicle-level protection toward ecosystem-level assurance. Throughout Escar, the conversation repeatedly extended past ECUs and in-vehicle networks to include API systems, regulatory evidence pipelines, and AI-driven attack and defense. Vehicles are no longer standalone products, but distributed cyber-physical systems connected to wider mobility, cloud, and energy networks. 

Key trends 

API- and cloud-first vehicle security 

A central theme at Escar was that vehicles are no longer standalone products. They are just a small part of a larger ecosystem that connects OEM backends, mobile apps, EV charging networks, logistics platforms, and third-party services. With these mobility systems becoming more connected, they access APIs across multiple suppliers and trust boundaries. This creates new risks for both the OEM and supplier. Many of the vulnerabilities discussed during the conference include API security issues, broken authorization, insecure communication, and resource abuse, underscoring the need for stronger API governance. 

Why it matters: As vehicles become part of larger API-driven ecosystems, cybersecurity can no longer stop at the vehicle boundary. Managing risk now requires stronger API governance, clear ownership, and visibility across interconnected systems. 

EV charging & grid integration as a prime attack surface 

EV charging and grid integration are becoming a large attack surface in the automotive ecosystem. Vehicles, charging infrastructure, backend management systems, and utility grids now must operate as a tightly connected cyber-physical system. 

That integration creates multiple entry points for attackers. Charging stations often rely on internet-connected protocols such as OCPP, linking cloud platforms for billing and control directly with energy infrastructure. Some of the weaknesses shown at escar include poorly implemented TLS encryption, if any, insecure firmware update mechanisms, and exploitable web services. 

Attacks are no longer limited to a single component. Research showed attacks spanning the vehicle, charger, backend systems, and grid operations. Some scenarios shown included unauthorized energy use, load manipulation across charging networks, firmware downgrades, and cloud-originated attacks aimed at physical infrastructure. 

The grid connection significantly increases the threat scenario.  Disrupting local power networks, creating artificial demand spikes, or interfering with grid balancing are all possible attack scenarios an adversary could exploit.  With the increasing adoption of bidirectional charging (V2G), vehicles act as both energy loads and energy sources, adding even more complexity and expanding the number of possible attack vectors. 

Why it matters: EV charging ecosystems sit at the intersection of automotive, cloud, and energy infrastructure, making them a high-value target with outsized impact. Securing this space requires moving beyond component-level protection toward end-to-end security, including robust protocol implementations, secure OTA mechanisms, continuous monitoring, and cross-domain threat modeling that accounts for both cyber and physical consequences. 

Regulation, compliance and “assurance cases” as a core process 

Escar also highlighted that regulatory frameworks are increasingly changing the development process. China’s GB 44495-2024 introduces a mandatory cybersecurity framework with requirements that include structured testing across multiple domains. Compared with standards such as UNECE R155, it takes a more test-driven approach and requires both recertification and ongoing compliance tracking. 

Euro 7 further extends that trend by turning compliance from a ‘check box’ certification into a continuous lifecycle tracking. Requirements such as VIN-level monitoring, OTA tracking, and even emission validation. 

Why it matters: Compliance is no longer a downstream activity. It is becoming a core design constraint, pushing OEMs and suppliers to build traceability, structured data pipelines, and auditability directly into development and operations. 

Supply chain, components and certification as leverage points 

Supply chain transparency is becoming a major aspect of automotive cybersecurity. This could be due to regulatory and the growing complexity of software-defined vehicles. Modern vehicles depend on a large supply chain, with software, firmware, and hardware contributions coming from multiple suppliers, open-source components, and third-party integrations. That complexity makes it harder to see exactly what is deployed in vehicle systems, increasing the risk of hidden vulnerabilities, unauthorized components, or compromised dependencies. 

Software Bills of Materials (SBOMs), especially those generated at build time, are gaining adoption. Build-time SBOMs create a record of the components included in software at compilation, making traceability, vulnerability management, and compliance reporting far more practical. Beyond regulatory alignment, they are also becoming an essential tool for identifying dependency risks and responding to newly discovered vulnerabilities across vehicles. 

Why it matters: Supply chain visibility, component traceability, and certification readiness are becoming decisive in both compliance and competitive positioning. Organizations that can generate reliable, real-time insight into their software and hardware composition will be better equipped to meet regulatory demands, respond to vulnerabilities, and scale securely. By contrast, limited transparency across the supply chain creates risk and makes it harder to validate integrity, ensure compliance, and maintain trust in increasingly complex vehicle platforms. 

Real‑world exploitation is catching up: off‑the‑shelf car hacking, diagnostics and data privacy 

Another major theme across Escar was that automotive cybersecurity risks are no longer theoretical. Real-world exploitation is catching up quickly, fueled by the growing availability of off-the-shelf tools, exposed interfaces, and the expanding quantity of vehicle data. As vehicles become more connected and software-defined, capabilities once limited to specialized researchers are becoming accessible to a much wider range of actors, even those with less tech expertise.  

Modern vehicles expose data for maintenance, telemetry, and updates that are now closely tied to cloud platforms and mobile applications. Those capabilities are essential for lifecycle management and OTA updates, but they also create opportunities for misuse when they are not properly secured. Attackers can exploit diagnostic pathways or misconfigured APIs to access vehicle functions, bypass controls, or extract sensitive data.  

Data privacy is also becoming a bigger concern as consumers are more aware of how much information vehicles generate and transmit, including location data, driving behavior, and user profiles. Increasing the risk of exposure through misconfiguration, weak access controls, or supply chain vulnerabilities are all aspects of protecting PII, as much of that data passes through external services. 

Another factor is the growing sophistication of attackers, supported by automation and AI. Tools that help with reverse engineering, vulnerability discovery, and exploit development are speeding up the process of finding and weaponizing system weaknesses. Combined with widely available tooling and more standardized platforms, this is creating an environment where exploitation is faster, more repeatable, and less dependent on highly specialized expertise. 

Why it matters: The combination of accessible tooling, connected architectures, and large-scale data flows has pushed automotive cybersecurity from a niche concern into a mainstream threat environment. Addressing that risk requires strong control over diagnostic interfaces, robust API security, and disciplined data governance. As real-world exploitation becomes more common, organizations need to assume vulnerabilities will be actively targeted and design for resilience, monitoring, and rapid response from the start. 

What this means for OEMs 

OEMs will need to move from vehicle-centric security models to ecosystem-level architectures that account for API exposure, cloud dependencies, and cross-domain risk. That means embedding compliance, traceability, and SBOM generation directly into development pipelines while adopting AI-enabled defensive tools to keep pace with evolving threats. Continuous compliance models, including VIN-level traceability and OTA monitoring, are likely to become standard expectations, and planning early for post-quantum cryptography will be important given the long lifecycle of vehicles. 

What this means for Tier 1s 

For Tier 1 suppliers, value is likely to shift toward enabling OEM platforms rather than delivering isolated components. That includes supporting compliance workflows, integrating with assurance case frameworks, and providing transparent SBOM data. Suppliers that align with standardized TARA approaches and bring strong API security and ecosystem integration capabilities will be better positioned to compete. There is also growing opportunity in AI-enabled development and validation tools, as well as in delivering the full lifecycle evidence needed to support regulatory compliance. 

How SBD can help