Building a mature automotive cybersecurity program beyond checklists


In this Help Net Security interview, Robert Sullivan, CIO & CISO at Agero, shares his perspective on automotive cybersecurity. He discusses strategies for developing mature security programs, meeting regulatory requirements, and addressing supply chain risks. Sullivan also looks ahead to how AI and other emerging technologies will shape the future of cybersecurity.

What does a mature automotive cybersecurity program look like, and how can organizations measure their progress?

A mature cybersecurity program must have a foundational design and procedures as represented by an established framework like ISO (International Organization for Standardization). This should be validated through an external audit to ensure proper application. The audit should provide a maturity score that will give your organization insight into its overall security posture. But frameworks alone aren’t enough, as they provide general guidance rather than address your organization’s threat landscape.

You should create and implement a risk management program that’s tailored to your specific threats and the security assets you need to protect. This includes proactive controls consistently deployed across the enterprise. Additionally, a mature program requires complete threat surface visibility (including cloud resources) and 24/7 detection and response capabilities. It also requires continuous monitoring through a suite of cybersecurity metrics to ensure the program’s effectiveness.

Cloud environments present challenges, with thousands of configurations requiring specialized monitoring tools and expertise. Organizations need technology paired with skilled cybersecurity teams to maintain visibility, monitor threat activity, and manage incidents around the clock.

While smaller organizations may struggle with resource constraints, the investment in comprehensive monitoring far outweighs the potential costs of a breach, both financial and reputational.

How are regulations like UNECE WP.29 and ISO/SAE 21434 influencing the way automakers and suppliers build their cybersecurity strategies?

These regulations, along with TISAX (Trusted Information Security Assessment Exchange), refine core framework controls to address automotive manufacturing’s unique challenges, particularly third-party risks in the design process.

Our ISO compliance translated into TISAX requirements, demonstrating how strong foundational frameworks support specialized certifications. However, compliance alone isn’t enough. Automakers and suppliers must go beyond certification requirements by conducting thorough risk assessments specific to their business model. They must implement risk management programs beyond regulatory minimums. They must also evaluate emerging threats and vulnerabilities continuously. While regulations provide valuable structure, cybersecurity requires a comprehensive approach that extends well beyond compliance checkboxes.

Many automakers rely on a complex ecosystem of suppliers. What best practices do you recommend for managing third-party risk in this environment?

Supply chain security requires a multi-layered approach focused on verification and monitoring. Ensure that your suppliers follow a compliance framework with external audit validation. Look into how advanced they are in monitoring cloud configurations and SDLC risks. You should require 24/7 SOC monitoring to ensure incident response. And make sure they have proven defenses against ransomware and data loss threats, especially in GenAI environments.

Companies should devote the most attention toward the third-party suppliers with whom they share specific consumer data, as this data must be protected and managed with significant care. Implement strict data access controls, as suppliers should only access precisely what they need and protect it to your organization’s standards. This minimizes exposure and prevents downstream risks that can impact your organization. Remember, your security is only as strong as your weakest supplier link.

What metrics or KPIs are most useful for gauging the effectiveness of automotive cybersecurity efforts?

Risk-based vulnerability management (RBVM) provides the most actionable insights. Combine CNAPP (cloud-native application protection platform) tooling with code security to create comprehensive risk assessments.

RBVM delivers automated environmental context that enables teams to prioritize based on a comprehensive view of risk expanding beyond the single vulnerability view. For example, it distinguishes between a code dependency vulnerability in a repository not deployed to production and the same vulnerability in an externally exposed container. This contextual prioritization allows teams to focus resources on the most serious threats, reducing the time window that the enterprise is at risk.

With the growing convergence of automotive, IT, and OT environments, where do you see the greatest need for innovation in automotive cybersecurity?

The combination of IT and OT environments can create a vast data source that could be used by GenAI and agentic AI to proactively hunt for threat paths and develop new indicators of compromise (IoCs). Data review methods make this task resource intensive and time consuming, but the use of GenAI could provide the needed coverage to achieve this.

For instance, GenAI models could identify threat actor behaviors through pattern recognition across vast datasets and potentially discover novel attack paths. They could also enable automated threat monitoring through advanced AI agents, providing next-generation security operations automation and response (SOAR) capabilities.

However, agentic AI implementation requires careful containment strategies, including staging environments to ensure responsible deployment. The goal is leveraging these technologies to maximize productivity, efficiency, and security protection while maintaining human oversight of critical decisions. The future lies in responsibly harnessing AI to stay ahead of sophisticated automotive cyber threats.
