Cybersecurity as a new field of innovation in automotive processes
Guillermo Ezquerra, CEO of The Security Sentinel, believes that "it is true that the automotive sector has made significant progress in the area of cybersecurity in recent years, although there is still room for improvement. Large manufacturers, both of vehicles and components, have made a notable effort to incorporate protective measures into their systems and products. However, when we look at small and medium-sized companies, especially second- and third-tier suppliers, we see that they still have a lower level of maturity in this area. This is due, in large part, to resource limitations, a lack of specialized personnel, and the fact that risk is often not perceived with the same intensity."
Ezquerra states that “cybersecurity is truly effective when it is integrated throughout the entire vehicle lifecycle, from design to production. In the design phase, for example, it is key to begin implementing security measures from the outset, protecting electronic systems, embedded software, and connectivity from potential threats. During development, it is essential to ensure code integrity and firmware authenticity, thus avoiding vulnerabilities that can be exploited. And during the manufacturing stage, all connected industrial environments (such as robotic production lines or predictive maintenance systems) must be protected to prevent cyberattacks that could affect quality or even halt production.” Although the protection of industrial operating systems (OT) and IT systems across different sectors shares many common characteristics, the CEO of The Security Sentinel believes that “the automotive sector has very specific characteristics. Vehicles are increasingly connected, integrate autonomous functions, and communicate with external infrastructures. All of this expands what we call the ‘attack surface’ and requires a dynamic approach that not only protects the product but also the entire environment in which it operates.”
Finally, Guillermo Ezquerra states that “one of the major challenges in this field is the lack of specialized professionals. There is a significant gap between the demand for and the availability of talent that combines cybersecurity knowledge with a deep understanding of the technology specific to the automotive sector. Therefore, it is essential that the industry collaborate with universities and training centers to develop specific programs that prepare the next generation of experts in cybersecurity applied to mobility.”
Background
From the perspective of Jaime López, a technical consultant at Castroalonso and an expert in cybersecurity and computer forensics, “the automotive industry is undergoing an accelerated technological transformation. Concepts that recently seemed futuristic, such as the connected car, the electric vehicle, and autonomous driving, are now part of our everyday reality. However, many of these innovations reach the market before they have reached full maturity, driven by intense competitive pressure. This speed sometimes causes cybersecurity to be relegated to the background, becoming a pending task conditioned by market demands.”
This situation reveals another reality, according to the Castroalonso representative. “Security doesn't depend solely on large manufacturers. Although large automotive companies typically have strong IT and Information Security departments, they rely on an extensive supply chain comprised largely of SMEs that lack these resources or specific knowledge. This makes the supply chain the weak link in the sector, making it especially urgent to implement effective cybersecurity measures in these supplier companies. In fact, a single supplier with security shortcomings can inadvertently open the door to cyberattacks capable of affecting the entire industry.”
Another challenge complicating this outlook, according to Jaime López, “is the widespread lack of qualified cybersecurity professionals, a problem that affects not only the automotive sector but virtually all industries. The demand for digital security experts far exceeds supply, leaving many companies with vacancies in key positions. Without the right personnel, it is difficult to monitor and protect increasingly interconnected and complex industrial and technological environments.”
“At Castroalonso, we believe that cybersecurity must go hand in hand with technological innovation at every stage of the process. We are passionate about demonstrating that it is possible to protect everything from the initial design of the vehicle, through its software development, to connected manufacturing in the factory, without hindering the sector's capacity for innovation. Fortunately, we are beginning to see collaborative efforts in this direction: manufacturers supporting their smaller suppliers and generating shared security environments,” emphasizes Jaime López.
Ultimately, the automotive industry faces an opportunity, asserts the Castroalonso consultant: “to integrate cybersecurity as a natural ally of technological change. We are convinced that, by investing in collaboration and training professionals capable of understanding these new realities, the sector can move forward with confidence toward a future that is not only more connected, but also more secure and prepared for the challenges ahead.”
Limited development
For Carlos Sahuquillo, Automotive CyberSecurity Consultant at GMV, "although the UNECE R155 regulation has been in force since July 2024, cybersecurity risk management in the automotive industry still shows a limited level of development. Manufacturers (OEMs) and Tier 1 suppliers have begun to incorporate the ISO/SAE 21434 standard into their processes, but are still far from reaching a sufficient level of maturity. As with any management system, a continuous process of improvement will be necessary to ensure the effective implementation of these measures."
Sahuquillo clarifies that “second- and third-tier suppliers (TIER 2 and TIER 3) face even greater challenges due to their lower technical capacity. They must align themselves with the standards defined by TIER 1 and ensure that their components meet the required requirements. GMV considers it essential that these companies have access to specialized training and expert advice, thus avoiding the introduction of new vulnerabilities during the integration of their products.” The GMV executive explains that “ISO/SAE 21434 proposes a demanding approach: integrating cybersecurity throughout the entire vehicle lifecycle. This represents a significant change compared to previous models. Traditionally, when a component entered production, the engineering department would leave it behind unless a critical failure occurred. Today, manufacturers are required to constantly monitor vulnerabilities and have the capacity to correct them, whether through software updates, patches, or physical replacements, throughout the vehicle's lifespan.
Carlos Sahuquillo believes that “the automotive sector, compared to other industries, starts at a significant disadvantage. A decade ago, vehicles barely had any connectivity, and threats required physical access. Today, they are linked to road infrastructure, other vehicles, and mobile applications, which greatly expands their attack surface. This new reality demands a proactive and rigorous approach, especially in the early stages of design and development.”
He also points out that “the shortage of qualified professionals in automotive cybersecurity is a growing concern.” There is no single model among OEMs: some have acquired specialized companies, others develop internal talent, and many rely on external partners. Although their strategies vary, the goal is shared: to achieve the highest level of protection, at the same level of demands as the physical safety recognized by EURO NCAP.”
Strengthening defenses
At WatchGuard, Guillermo Fernández, Manager, Sales Engineering Southern Europe, explains, "We see that cybersecurity has gained significant importance in the automotive sector's digital strategy, both for large manufacturers and component suppliers. It's true that, compared to previous years, companies have taken firm steps to strengthen their defenses. In some cases, this evolution has been driven by greater internal awareness; in others, by growing regulatory pressure. A good example is the NIS2 directive, which focuses on critical sectors, and it's not surprising that a large part of the automotive ecosystem was influenced."
"Furthermore," Fernández adds, "security demands within the supply chain are pushing SMEs to raise their standards. Many large companies already require their suppliers to provide minimum cybersecurity guarantees, which reflects an obvious reality: in many recent security breaches, the entry point has been a collaborating company or supplier. Security, therefore, is no longer just a competitive advantage, but an essential requirement for operating in the sector.”
The WatchGuard executive maintains that “cybersecurity must be present throughout the entire cycle, from design to production and maintenance. We are talking about sectors with a heavy investment in R&D and intellectual property, where a cyberattack that steals design drawings or strategic data, for example, can cause significant damage. Likewise, if an incident impacts the production chain, the economic consequences can be enormous. And we cannot forget that modern vehicles are increasingly connected: any vulnerability could even affect the physical safety of the user. That is why it is key to incorporate security from the design stage, apply good segmentation practices, protect industrial endpoints, and maintain continuous monitoring.”
Regarding similarities between sectors, Fernández points out that “there are common elements, such as the need to protect the confidentiality, integrity, and availability of data. However, there are specific features that distinguish the automotive industry. For example, the critical nature of the OT (operational technology) environment, with industrial systems that must operate uninterrupted and are often decades old, poses very specific challenges. Regulatory pressure also varies. While a company in the healthcare sector may have to comply with regulations like HIPAA, in the automotive sector we are talking about standards like ISO/SAE 21434 or UNECE WP.29, in addition to the aforementioned NIS2. Each sector prioritizes differently and requires measures tailored to its circumstances.
Regarding the human factor, the WatchGuard executive states that “we face the same reality as the rest of the technology market, where there is a significant shortage of specialized professionals. Demand far exceeds supply, and this forces many companies in the sector to rely on external partners who can offer specialized services, from audits to managed protection. In this context, having technology partners, such as MSPs [Managed Service Providers], who provide experience and qualified resources becomes an accelerator. Furthermore, it is essential that these professionals understand both the regulatory framework and the risks inherent in industrial and connected mobility environments. Only in this way can effective and sustainable cybersecurity be built.”
La secretaria general de Acea, Sigrid de Vries, ha analizado en un nuevo artículo de opinión, que a continuación reproducimos, la situación actual del sector automotriz, así como la dirección a la que se dirige.
Expertos de Castroalonso, GMW, The Security Sentinel y WatchGuard analizan la implantación de sistemas en el sector.
Abril ha finalizado con un total de 98.522 turismos nuevos vendidos, lo que supone un crecimiento del 7,1% respecto al mismo mes del año pasado. A pesar de haber contado con la Semana Santa, a diferencia del año pasado que fue a finales de marzo, el mercado ha seguido su buen comportamiento, encadenando su ya octavo mes de crecimiento.
El evento “Impulsando la Sostenibilidad”, organizado por Sernauto, HAYS y Fundación Repsol, analizó los principales retos y oportunidades la actual transición.
EBRO eleva a 50 el número de puntos de venta en todo el país, apenas cuatro meses después del lanzamiento de su primer modelo, el s700.