
In many automotive companies, the same systems-engineering teams are responsible for both safety and security. As a result, cybersecurity is treated as a subset of safety, undergirded by an implicit assumption: “If it’s safe, it must be secure.”

But that’s not always the case.

As so many chief information and product security officers across the industry have seen, a vehicle deemed functionally safe under ISO 26262 can be highly vulnerable to cyber threats, especially as connected vehicles, software-defined architectures and over-the-air updates become standard across the industry.

Cybersecurity must be addressed as its own standalone concern end-to-end across the organization. Bundling it under traditional safety frameworks risks severely underprioritizing cyber resilience.

How might decoupling security from safety strengthen the CISO/PSO’s ability to help an original equipment manufacturer (OEM) or supplier to better respond to digital threats targeting everything from vehicle systems to supply-chain integrity?

Updating the organization for today’s reality

Although safety and security are two sides of the same coin, the fundamental differences between them make it necessary to decouple functions, clarify ownership and strengthen collaboration between safety and security teams, especially during the concept, design and validation phases of product development.

Safety is about unintentional malfunctions and faults, whereas security is about intentional misuse and threats.

They are different concepts with different requirements and risks in the automotive industry, and they are accordingly addressed by different standards and regulations.

For example, Hazard Analysis and Risk Assessment (HARA) is traditionally used to assess functional safety-related hazards in line with standards like ISO 26262, while Threat Analysis and Risk Assessment (TARA) is the corresponding security activity required by ISO 21434 to identify threats.

Furthermore, cybersecurity and ISO/SAE 21434 mandate supply-chain security, helping to protect privacy, data and control integrity.

However, because mass ransomware and other significant attacks have not yet been seen at large scale, the industry has increasingly taken a conservative approach to cybersecurity, aligning to regulatory requirements as a minimum deliverable. There are other, seemingly more tactical problems to solve (e.g., tariffs, changing supply chains, new requirements around country of origin), so cybersecurity remains down the priority chain in some cases and loses when tradeoffs between safety and security are required.

Most companies in the industry maintain an organizational design in which three teams are tasked with security: product security (PS), information technology (IT) security and operational technology (OT) security. However, PS is typically decoupled from the IT and OT budget center and funded out of the safety budget.

At the same time, however, the automotive cyberattack surface is exploding in size and complexity. In today’s software-defined vehicles (SDVs), cyber threats are developing across every interconnected function, network layer, zonal controller, operating system and vehicle-to-X connection within and beyond the car.

OEM boards and senior management have largely come to the realization that their organizations can no longer look at the product, IT and OT security domains in isolation from one another, and the most progressive OEMs and Tier 1 and Tier 2 suppliers are giving chief information officers the mandate to adapt organizations to treat cybersecurity as its own critical component of SDV development.

Ultimately, safety-critical domains can be used as anchors to impose better cybersecurity posture.

Decoupling safety and security would facilitate OEMs’ ability to provide suppliers with explicit security requirements, by way of enforcing security-specific validation documentation, artifacts, and assets such as TARA, software bill of materials (SBOM), cryptographic bill of materials (CBOM) and origin of components.

Also, decoupling would help ensure security teams have direct technical discussions with suppliers through a security and threat lens, leading to greater focus on actual capability maturity. This could clear the way for shared security solutions and responsibilities.

Empowering CIOs/CISOs for success

While cybersecurity professionals will remain embedded within their respective domain areas, a cross-functional layer is emerging to provide oversight and visibility across all vehicle connection points, including connectivity, hardware and software delivery mechanisms. From a cybersecurity perspective, the organization is effectively merging the three security domains and decoupling the activity from safety.

This positions the organization to comprehensively manage cyber threats at the domain level, proactively mitigate cross-domain risks, maintain visibility across the supply chain and implement engineering, infrastructure or configuration changes as needed. It’s clear that the feedback loop traversing the security teams must iterate very quickly.

This organizational transformation is, of course, no small-scale task. It’s a giant undertaking, which, in most cases, will require the weight of a top-down directive for success. That makes board-level education the first job facing most CIOs and CISOs.