TL;DR: Software-defined vehicles are expanding attack surface across embedded systems, OTA infrastructure, APIs, and third-party integrations, while AI is accelerating both detection and attacker tradecraft, according to Upstream Security. The security model is shifting from perimeter thinking to continuous lifecycle resilience, where uptime, key management, and supply-chain oversight become operational requirements.
NHIMG editorial — based on content published by Upstream Security: AI in Mobility Connected Vehicle Cybersecurity EV Charging A CISO View from REE Automotive on the Evolving Cyber Landscape and AI
Questions worth separating out
Q: How should teams govern software-defined vehicle security across the full lifecycle?
A: Teams should govern software-defined vehicle security as a continuous lifecycle problem, not a deployment checkpoint.
Q: Why do connected vehicle platforms increase identity and access risk?
A: Connected vehicle platforms increase identity and access risk because they depend on non-human credentials, API trust, and third-party integrations that can outlive the original security decision.
Q: What breaks when key management is weak in software-defined vehicles?
A: Weak key management breaks the trust boundary between software, suppliers, and live vehicle operations.
Practitioner guidance
- Map OTA workflows as trust chains Document every system that signs, stores, distributes, validates, or installs updates, then assign ownership for each control point and test revocation paths for failed or compromised artifacts.
- Treat vehicle credentials as governed machine identities Inventory certificates, tokens, API keys, and supplier credentials used across mobility platforms, then define rotation, expiry, and offboarding rules for each identity class.
- Separate supplier access from fleet runtime access Limit partner integrations to the minimum functions required, segment them from core operational controls, and require explicit approval for any path that can influence update or runtime behavior.
What's in the full article
Upstream Security's full article covers the operational detail this post intentionally leaves for the source:
- How REE Automotive's CISO frames OTA resilience, runtime monitoring, and secure-by-design mobility controls in practice
- The specific attack vectors highlighted for SDVs, including weak key management, compromised supply chains, and runtime attacks
- Why AI is treated as a defender and attacker force multiplier in connected vehicle environments
- The standards and lifecycle obligations discussed for OEMs and suppliers, including UNECE R155/R156 and ISO/SAE 21434
👉 Read Upstream Security's analysis of AI, connected vehicles, and cyber resilience →
Software-defined vehicle cybersecurity: what is changing for teams?
Explore further
Runtime trust, not perimeter trust, is the new mobility security baseline. Software-defined vehicles depend on update channels, APIs, and cloud links that remain active after deployment, so the security model must follow the system throughout its operating life. A one-time approval model is inadequate when software, configuration, and supplier access all continue to change. Practitioners should treat the vehicle runtime as an identity-governed environment, not a static asset.
A question worth separating out:
Q: Who is accountable when an OTA or supplier pathway is compromised?
A: Accountability sits with the organisation that owns the vehicle platform and the partners that influence its trust chain. Security, engineering, procurement, and supplier governance all need defined responsibilities for signing, distribution, revocation, and incident response. If those duties are vague, the attack path is also the accountability gap.
👉 Read our full editorial: Software-defined vehicle security is shifting to runtime resilience