Essential Cybersecurity Practices for Protecting Cyber-Physical Systems in the Automotive Industry

Oct 15, 2024

Introduction

The automotive industry is undergoing a rapid digital transformation driven by the integration of advanced technologies. According to Rockwell’s 2024 report “State of Smart Manufacturing: Automotive Edition,” at least 81% of respondents have adopted or plan to adopt network hardware, industrial computers, and connected devices such as sensors and actuators.

Additionally, in recent years, the industry has faced major challenges such as supply chain disruptions, chip shortages, and an increase in cyberattacks. However, the automotive sector had already been struggling to balance quality with profitability long before these issues arose. Today, manufacturers have found a solution in smart manufacturing. This integrated approach combines production monitoring, quality management, and Manufacturing Execution Systems (MES) to create a highly efficient system that operates seamlessly. Smart manufacturing technologies utilize real-time data to guide production and resolve quality issues before they disrupt operations. Leading manufacturers are adopting this pragmatic approach to optimize costs and improve profitability without sacrificing quality or customer data integrity.

While digital transformation is undoubtedly imperative, the convergence of Information Technology (IT) and Operational Technology (OT) systems has expanded the attack surface for cybercriminals, making cybersecurity a critical concern for the global automotive industry. This article will explore the risks faced by the automotive industry and its supply chain, the development of regulations, and recommend best practices for cybersecurity in automotive manufacturing.

Cybersecurity Challenges in Automotive Manufacturing

Rising Cyber Risks from IT and OT System Integration

In today’s smart manufacturing environment, the integration of industrial automation, cyber-physical systems (CPS), and advanced communication networks has transformed automotive production. While these advancements enhance productivity and quality, they also create a highly interconnected system that is exposed to sophisticated cyberattacks: the attack surface grows significantly, and with it the risk to production continuity and product integrity.

Legacy Systems and Protocols: Struggling with Real-Time Security

The inherent complexity of these systems—from programmable logic controllers (PLCs) and MES to cloud-based data analytics platforms—makes them attractive targets for skilled attackers. These attackers often employ multi-stage penetration strategies, starting with seemingly harmless components. For example, in 2024, a malware named FrostyGoop was discovered that could send legitimate commands to Modbus servers. This is possible because the Modbus TCP protocol used in factories has no authentication: any host that can reach a Modbus server can issue commands that affect OT. Traditional security tools struggle to detect this type of attack because it uses well-formed, legitimate commands rather than an exploit. Once attackers are inside the network and gain access to PLCs, RTUs, controllers, or other devices running unauthenticated control protocols, they can easily move laterally within the industrial environment, potentially leading to encryption of critical data or direct manipulation of production processes.
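The detection gap described above, as an added example that is not part of the original post or TXOne’s products: because a Modbus/TCP write frame is syntactically valid no matter who sends it, the only usable signal is context, so this code decodes the MBAP header and function code and then judges each request against a per-peer allowlist. The IP addresses, the allowlist, and the frames are constructed for the example.

```python
# Added example (not TXOne's code): decode Modbus/TCP requests and flag write
# operations that come from hosts not on the engineering allowlist. Modbus/TCP
# has no authentication, so a well-formed write from an unexpected source is
# the signal; the frame itself looks entirely legitimate.
import struct

# Function codes that change controller state (public Modbus function-code table).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # 'length' counts unit id + PDU, so it must equal the bytes after the first 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[8:]}


def describe(fc: int, pdu: bytes) -> str:
    """Human-readable summary of the request, used in alerts."""
    if fc in (5, 6) and len(pdu) >= 4:
        addr, value = struct.unpack(">HH", pdu[:4])
        return f"{WRITE_FUNCTIONS[fc]} addr={addr} value=0x{value:04x}"
    if fc in (15, 16) and len(pdu) >= 5:
        addr, qty, _bytecount = struct.unpack(">HHB", pdu[:5])
        return f"{WRITE_FUNCTIONS[fc]} addr={addr} qty={qty}"
    if fc in READ_FUNCTIONS and len(pdu) >= 4:
        addr, qty = struct.unpack(">HH", pdu[:4])
        return f"{READ_FUNCTIONS[fc]} addr={addr} qty={qty}"
    return f"function 0x{fc:02x}"


def check_request(src_ip: str, dst_ip: str, frame: bytes, allowlist: dict) -> dict:
    """allowlist maps (src_ip, dst_ip) -> set of permitted function codes."""
    req = parse_mbap(frame)
    permitted = allowlist.get((src_ip, dst_ip), set())
    if req["fc"] in permitted:
        verdict = "allow"
    elif req["fc"] in WRITE_FUNCTIONS:
        verdict = "alert"   # valid frame, but a state change from an unexpected peer
    else:
        verdict = "log"     # unexpected read: record it, do not page anyone
    return {"verdict": verdict, "src": src_ip, "dst": dst_ip,
            "unit": req["unit"], "summary": describe(req["fc"], req["pdu"])}


# Constructed policy: only the engineering workstation may write to the PLC;
# the historian is limited to reading holding registers.
ALLOWLIST = {
    ("10.10.1.5", "10.10.2.20"): {3, 6, 16},   # engineering workstation -> PLC
    ("10.10.1.9", "10.10.2.20"): {3},          # historian -> PLC (read only)
}

# Constructed frames: MBAP header (tid, pid, length, unit) followed by the PDU.
READ_HR = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")   # read 10 registers
WRITE_REG = bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "0001")  # write register 16

if __name__ == "__main__":
    for src in ("10.10.1.5", "10.10.1.9", "10.10.3.77"):
        for frame in (READ_HR, WRITE_REG):
            print(check_request(src, "10.10.2.20", frame, ALLOWLIST))
```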

Internal Threats: Accidental or Intentional Privilege Abuse

An urgent concern is the deployment of integrated production monitoring and quality management systems (QMS), with 84% of surveyed manufacturers already implementing or planning to implement these systems. While these systems are designed to optimize workflows and ensure product consistency, they also represent critical points of failure if compromised. For example, internal employees could accidentally or intentionally abuse their account privileges to manipulate the MES or PLCs, leading to production disruptions or equipment failures, to make unauthorized system configuration changes, or to introduce malware via USB devices. An attack on these platforms could cause widespread disruption across the entire production lifecycle, affecting everything from real-time adjustments on robotic welding lines to the final assembly of vehicle components.

VPN and Remote Protocol Vulnerabilities in OT Systems

The challenge of securing these environments is compounded by legacy security paradigms that historically classified sensors and basic instruments as low risk. Modern attack vectors, particularly ransomware and remote management protocol exploits (e.g., RDP or VPN), can easily compromise these “simple” devices. Once breached, these devices become entry points for larger attacks, exploiting weaknesses in network segmentation to spread across the OT environment. Ransomware attacks, for example, have shown the ability to directly target industrial systems, bypassing traditional IT-centric security measures. These attacks often exploit vulnerabilities in OT/ICS, such as legacy operating systems or poor patch management practices common in many manufacturing plants. The infamous WannaCry ransomware attack, which brought production at major manufacturers like Honda to a complete halt, exemplifies this trend.

The increasing reliance on wireless connectivity and remote access solutions further amplifies these risks. Technologies like 5G and edge computing promise faster communication and lower latency for industrial applications but also introduce new opportunities for network intrusion. Poorly secured remote access gateways, such as unpatched VPNs or unsecured RDP connections, can be exploited by attackers to gain control over critical production systems.

Supply Chain Vulnerabilities in Automotive Manufacturing

Moreover, supply chain vulnerabilities remain a significant issue. Introducing unverified third-party devices or software updates into the production process presents a critical risk, as attackers can exploit these points of contact to infiltrate the manufacturing environment. The interconnected nature of the modern automotive supply chain—where parts suppliers, software developers, and service providers interact within a global ecosystem—intensifies the problem. A compromised supplier could introduce malicious code or hardware backdoors into critical systems, potentially disrupting production across multiple facilities.

Table 1: Common Threat Scenarios and Attack Methods

Threat Scenario | Attack Methods
IT or External Network Intrusion
  • Attackers exploit unpatched network vulnerabilities or exposed ports to launch attacks, gain control, or extort manufacturing systems.
  • Phishing emails or brute force attacks are used to infiltrate the internal network, followed by lateral movement through RDP or VPN to further penetrate OT systems.
Legacy OT Devices
  • Software vulnerabilities in industrial equipment like PLCs or robots can be exploited by attackers, leading to malicious command execution or system failure.
  • Known vulnerability attacks or the exploitation of unpatched systems (e.g., outdated controller firmware) can result in ransomware attacks.
Accidental or Intentional Privilege Abuse by Internal Employees
  • Internal employees may unintentionally or deliberately misuse their privileges to operate manufacturing execution systems (MES) or PLCs, causing production disruptions or equipment failure.
  • Employees may carry out unauthorized system configuration changes with elevated privileges or use USB devices to transfer malware.
VPN and Remote Protocol Vulnerabilities
  • Traditional VPN or RDP used for remote control can become an entry point for attackers, who may steal login credentials to gain control over production systems.
  • Inadequate security measures for internal wireless communication allow hackers to exploit wireless vulnerabilities to infiltrate factory systems.
Supply Chain Attacks
  • Attackers infiltrate the factory’s OT system through third-party equipment or software in the supply chain, preloading malicious programs before implementation.
  • Attackers tamper with hardware devices or software update packages from suppliers, injecting malware into the production system.

Understanding Cybersecurity Regulations in the Automotive Industry

The future of automobiles will likely be defined by software. With automobile OEMs becoming one of the largest software suppliers, there will be significant cybersecurity risk. Hackers will try to gain access to the system through this software, thereby threatening security functionality or consumer privacy. However, we believe the severity of the threat will change soon. The World Forum for Harmonization of Vehicle Regulations (WP.29) under the United Nations Economic Commission for Europe (UNECE) released two important cybersecurity regulations, R155 Cyber Security and R156 Over-The-Air Software Update (OTA) on June 24, 2020, which took effect in early 2021.

  • UNECE WP.29 R155: Cyber Security Management System (CSMS)
  • UNECE WP.29 R156: Software Update Management System (SUMS)

These two security regulations are mandatory for market access and vehicle type approval in UNECE WP.29 member states and contain binding requirements for car manufacturers (and Tier 1 and Tier 2 suppliers). From July 2022, the requirements within UNECE Member States (derived from the 1958 Agreement) apply to type approval of all new car models, and from July 2024 on, they will apply to all vehicles. It is at this point that we believe the severity of the threat will decrease significantly. Compared to UNECE WP.29 R156, we have studied UNECE WP.29 R155 more carefully because UNECE WP.29 R155 is closely related to the field of automobile manufacturing. At the same time, we also found that many companies have begun to realize that UN R155 not only covers products but also product development and organization.

UNECE WP.29 R155: Cybersecurity Management System Overview

UN R155 has been binding for new car models on the UNECE market since July 2022. For conventional vehicles, the regulation applies from 2024. This puts enormous pressure on OEMs and their supply chains, as certification is required to launch a car on UNECE’s market. Type approval for OEMs is divided into three main requirements:

  • Implementation of a Cyber Security Management System (CSMS)
  • Provision of evidence that vehicle architecture design, risk assessment procedures, and cybersecurity control implementation are properly executed for a specific vehicle type
  • Compliance with regulations and Annex 5 chapters

UN R155, a regulation binding type approval for 64 member states of the United Nations Economic Commission for Europe, requires vehicle manufacturers (OEMs) to implement a certified Cybersecurity Management System (CSMS) for any connected vehicle. Without it, manufacturers would not be able to obtain model approval. The new CSMS requirements set new standards for managing cybersecurity risks throughout a vehicle’s lifecycle, including security by design, vulnerability mitigation, supply chain risk management, and incident management. OEMs are accountable for managing the CSMS throughout the automotive value chain and suppliers must also comply with CSMS principles. CSMS certification is a prerequisite for vehicle type approval and must be revisited every three years. Although UN R155 does not provide specific guidelines for implementation, the ISO/SAE 21434 standard offers clear organizational, procedural, and technical requirements for cybersecurity throughout the vehicle lifecycle.

ISO/SAE 21434: Guiding the Automotive Industry Toward Cybersecurity Compliance

The International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) jointly released ISO/SAE 21434, a standard designed by industry experts and considered the most advanced in the automotive industry. It provides guidance for cybersecurity, and compliance with ISO/SAE 21434 helps automakers use common frameworks and processes to make their products safer. To standardize the implementation of UN R155, ISO/SAE 21434 focuses on providing guidance on good techniques for addressing cybersecurity-related verification, including clauses on cybersecurity management, project-dependent cybersecurity management, continuous cybersecurity activities, threat and risk assessment methods, and cybersecurity within the concept, product development, and post-development stages of road vehicles. Additionally, the standard requires that not only OEMs but also Tier 1 suppliers and other critical suppliers comply with its cybersecurity engineering requirements. The standard primarily focuses on the following phases:

  • Development phase
  • Production phase
  • Post-production phase

Production Control Plan Requirements (ISO/SAE 21434 Clause 12)

Previous research has primarily focused on the ISO/SAE 21434 risk analysis methodology (Clause 8) and the concept phase of development (Clause 9). However, production security (Clause 12) has received less attention. This raises important questions: How should a Cybersecurity Management System (CSMS) be implemented in the post-development phase, and how can we prevent the introduction of vulnerabilities into the production process? This article briefly discusses the necessary measures and tools that organizations should integrate into their processes to ensure compliance with ISO/SAE 21434. In fact, Clause 12.2 of the ISO/SAE 21434 standard specifically stipulates that automobile manufacturers must “apply cybersecurity requirements in the post-development stage (including production)” and “prevent the introduction of vulnerabilities in the production process”. The specific requirements include:

  • [RQ-12-01] A production control plan shall be created that applies the cybersecurity requirements for post-development (including production phase and post-production phase).
  • [RQ-12-02] The production control plan shall include:
      a. A sequence of steps that apply the cybersecurity requirements for post-development
      b. Production tools and equipment
      c. Cybersecurity controls to prevent unauthorized alteration during production
      d. Methods to confirm that the cybersecurity requirements for post-development are met
  • [RQ-12-03] The production control plan shall be implemented.

ISO/SAE 21434 provides a framework for automotive manufacturers and their supply chains to implement specific security practices for a CSMS during vehicle development and manufacturing. These practices also enable the assessment and verification of cybersecurity compliance for third parties such as automotive Tier 1 and Tier 2 suppliers, thus improving security throughout the entire supply chain; for example, by establishing reliable security testing processes between OEMs and suppliers.

Top Best Practices for Protecting Cyber-Physical Systems in Automotive Manufacturing

In today’s highly interconnected and digitized manufacturing environment, cybersecurity has become a critical challenge. The widespread adoption of smart manufacturing technologies not only enhances production efficiency but also expands the attack surface for cyber threats. In the automotive sector, rapid technological advancements have introduced new cybersecurity challenges, pushing leading enterprises to rethink their security strategies. This section reviews innovative best practices in addressing cyber threats within the automotive industry and its supply chain, and how these practices can inspire other sectors.

Conducting Security Inspections on Supplier Equipment

Before critical assets enter your factory or facility, asset owners should perform thorough scans to ensure there are no potential malicious programs or severe security vulnerabilities within the assets. This step must align with CSMS policies while establishing a health record for the assets to facilitate future maintenance and management. For equipment providers, addressing all security vulnerabilities may not always be easy. Even if these known vulnerabilities cannot be completely resolved, there should be mitigation measures in place to ensure they don’t pose a potential risk during production.

TXOne Networks’ Portable Inspector solution offers automotive manufacturers a method to conduct asset security inspections without the need for software installation. With this portable scanning tool, automatic scans can be performed without a network connection, ensuring the security of critical assets before they enter the production facility, thereby reinforcing supply chain security.

Integrating Production Equipment into Secured Factory Networks

To secure factory networks, they should be isolated from the enterprise network and the internet, with a firewall enforcing a default-deny rule. This approach is crucial for OT environments, enabling organizations to create a secure zone that protects sensitive devices, data, and applications. For automation and system integration, firewall rules allowing necessary connections to the datacenter must be carefully reviewed and approved under a strict allowlist policy.

In addition, micro-segmentation of factory networks and systems is essential. Traditional OT network segmentation, which primarily uses VLANs on network switches to limit the impact of compromised assets, fails to provide effective monitoring, inspection, or segmentation of east-west traffic. It also lacks OT network traffic visibility from layer 2 to layer 7. Organizations should implement next-generation OT intrusion detection and prevention systems (IDS/IPS) to achieve deep visibility and control. This approach allows for further segmentation of security zones based on specific security requirements and the application of access control lists (ACLs) to manage east-west data flows. It also enables the identification and mitigation of network-level activities associated with adversarial malware, such as abnormal SMB transmissions, preventing lateral movement of malware or viruses.
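The default-deny, zone-based allowlist and the east-west SMB check described above, as an added example that is not part of the original post or TXOne’s products. The zones, rules, and flow records are constructed; in practice the rules would come from the approved allowlist policy and the flows from a firewall or IDS sensor export.

```python
# Added example (not TXOne's code): a default-deny, zone-based allowlist for an
# OT network, evaluated against constructed flow records. Anything not matched
# by an explicit rule is denied; cell-to-cell SMB is called out separately
# because it is a common lateral-movement signal in segmented OT networks.
import ipaddress
from dataclasses import dataclass

# Constructed zones: enterprise IT, an OT DMZ, and two production cells.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "ot-dmz":     ipaddress.ip_network("10.10.1.0/24"),
    "cell-a":     ipaddress.ip_network("10.10.2.0/24"),
    "cell-b":     ipaddress.ip_network("10.10.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    note: str


# Explicit allowlist. Note there is no rule for enterprise -> cell or cell -> cell.
RULES = [
    Rule("enterprise", "ot-dmz", "tcp", 443, "MES web front-end in the DMZ"),
    Rule("ot-dmz", "cell-a", "tcp", 502, "historian polls cell-A PLCs (Modbus)"),
    Rule("ot-dmz", "cell-b", "tcp", 502, "historian polls cell-B PLCs (Modbus)"),
    Rule("cell-a", "ot-dmz", "tcp", 1433, "cell-A HMI writes batch records"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: dict) -> dict:
    """flow: {'src', 'dst', 'proto', 'dport'}. First matching rule wins; else deny."""
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, flow["proto"], flow["dport"]):
            return {"verdict": "allow", "rule": r.note, "src_zone": sz,
                    "dst_zone": dz, "lateral_smb": False}
    # Default deny. Flag SMB between two production cells as a lateral-movement indicator.
    lateral = sz.startswith("cell") and dz.startswith("cell") and flow["dport"] in (139, 445)
    return {"verdict": "deny", "rule": None, "src_zone": sz,
            "dst_zone": dz, "lateral_smb": lateral}


def audit(flows):
    """Evaluate a batch of flow records and return one verdict per flow."""
    return [evaluate(f) for f in flows]


# Constructed flow log, as a firewall or IDS sensor might export it.
FLOWS = [
    {"src": "10.0.5.12",  "dst": "10.10.1.10", "proto": "tcp", "dport": 443},  # IT user -> MES portal
    {"src": "10.10.1.20", "dst": "10.10.2.31", "proto": "tcp", "dport": 502},  # historian -> PLC
    {"src": "10.0.5.12",  "dst": "10.10.2.31", "proto": "tcp", "dport": 502},  # IT host straight to PLC
    {"src": "10.10.2.40", "dst": "10.10.3.40", "proto": "tcp", "dport": 445},  # cell-A -> cell-B SMB
]

if __name__ == "__main__":
    for flow, result in zip(FLOWS, audit(FLOWS)):
        print(flow["src"], "->", flow["dst"], flow["dport"], result)
```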

When designing an OT network architecture, the primary objective is to ensure the secure, stable, and real-time operation of OT systems. Additionally, due to the unique nature of industrial environments, the hardware used in OT networks must possess characteristics like high-temperature tolerance to withstand harsh working conditions.

The TXOne Edge network solution offers advanced network defense capabilities tailored to the specific requirements and operational contexts of each vertical. This ensures that every industry can deploy an optimal solution for its unique environment, including a variety of OT protocols, micro-segmentation, asset-centric auto rule learning technology, ultimate operational continuity, anomaly detection and prevention, and malware landing prevention.

Protecting Production Systems Against Cyber Threats

Hardening entails the fortification of assets to eliminate attack vectors, which includes addressing system vulnerabilities and removing or disabling unnecessary applications, services, user permissions, accounts, network ports, and other non-essential system functionality. By hardening assets, IT teams can significantly reduce the likelihood of attackers gaining access to mission-critical computers and prevent the execution of malware.

Many OT assets continue to run on outdated Windows systems, including Windows XP, which was released over 20 years ago. In reality, plant managers face a complex decision-making process, where cybersecurity risks are just one of many factors they must address. The interplay of costs, compatibility, and vendor support creates significant barriers to modernizing OT systems. Moreover, traditional antivirus software is not designed for industrial control environments. It requires constant internet connectivity to update its scanning engine and virus signatures, and file scanning often consumes excessive computing and memory resources, leading to overloaded endpoints and frequent false positives.

In situations where these systems are critical to operations, TXOne Networks provides a next-generation CPS endpoint protection solution tailored for essential OT assets. TXOne recommends using the Stellar endpoint protection solution, specifically designed for OT environments, to prevent any unintended system changes from disrupting operations. It is the first solution to offer seamless protection and comprehensive oversight for both legacy and modern OT assets operating simultaneously. This includes industrial-grade next-gen malware scanning, abnormal behavior detection, application lockdown, and trusted peripheral control.

Continuous Security Monitoring, Detection, and Response for CPS

It is necessary to implement security monitoring, detection and response to identify and respond to cybersecurity incidents in real time, with the aim of mitigating the impact of the incident on manufacturing systems, networks, data, and devices. The process involves monitoring networks and systems for signs of potential security breaches, analyzing the data to determine whether an incident has occurred, and then taking appropriate action to contain and remediate the incident.

In recent OT attacks, attackers increasingly leverage “living off the land” techniques, abusing built-in operating system tools (such as PowerShell, WMIC, and ping commands) instead of exploiting critical vulnerabilities. On the network side, they often take advantage of legacy OT protocols that lack proper authentication, like Modbus TCP, rather than the more secure Modbus/TCP Security protocol.

Once strict zero-trust mechanisms, such as network allowlists and endpoint application allowlisting, are deployed in OT environments, the next challenge becomes: “How do we ensure the zero-trust policies haven’t been compromised?” To maintain the ongoing integrity of zero trust, we’ve introduced the CPSDR (Cyber-Physical Systems Detection and Response) solution. This addresses the risk of attackers executing unauthorized operations with legitimate, well-formed commands, which can still lead to significant damage.

TXOne Networks advocates for an operations-centric defense approach in OT/ICS environments to maximize operational uptime. This involves leveraging the unique characteristics of each device and implementing comprehensive security strategies to prevent unintended changes and the risks they introduce. The CPSDR framework generates actionable alerts, enabling security teams to respond to emerging threats and allowing operational teams to investigate potential process issues or changes.
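The living-off-the-land problem and the per-device deviation idea above, as an added example that is not part of the original post or TXOne’s CPSDR products: a fixed-function OT host runs a small, stable set of processes, so the detection learns which parent/child process pairs each host normally shows and then flags pairs outside that baseline, rating built-in Windows tools spawned by an HMI or historian as high severity. The host names, process names, and event records are constructed.

```python
# Added example (not TXOne's code): learn a per-host baseline of parent/child
# process pairs from a known-good window, then flag deviations in later
# process-creation events. The binaries involved are all legitimate parts of
# Windows; what makes them suspicious is the parent and the host they appear on.
from collections import defaultdict

# Windows built-ins commonly abused in living-off-the-land activity.
LOLBINS = {"powershell.exe", "wmic.exe", "ping.exe", "certutil.exe", "mshta.exe"}


def learn_baseline(events):
    """Build {host: {(parent, image), ...}} from a known-good observation window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["parent"].lower(), e["image"].lower()))
    return dict(baseline)


def detect(events, baseline):
    """Return one finding per process pair not present in the host's baseline."""
    findings = []
    for e in events:
        pair = (e["parent"].lower(), e["image"].lower())
        if pair in baseline.get(e["host"], set()):
            continue
        # Any deviation is worth a look; a LOLBin deviation is worth paging on.
        severity = "high" if pair[1] in LOLBINS else "medium"
        findings.append({"host": e["host"], "parent": pair[0], "image": pair[1],
                         "severity": severity, "cmd": e["cmd"]})
    return findings


# Constructed learning window from a welding-line HMI and a plant historian.
BASELINE_EVENTS = [
    {"host": "HMI-WELD-01", "parent": "explorer.exe", "image": "hmiruntime.exe",
     "cmd": "hmiruntime.exe /project line3"},
    {"host": "HMI-WELD-01", "parent": "services.exe", "image": "svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},
    {"host": "HIST-01", "parent": "services.exe", "image": "historian.exe",
     "cmd": "historian.exe"},
    {"host": "HIST-01", "parent": "historian.exe", "image": "sqlservr.exe",
     "cmd": "sqlservr.exe"},
]

# Constructed events from a later window: one normal, two LOLBin deviations,
# and one non-LOLBin deviation (a newly installed agent).
NEW_EVENTS = [
    {"host": "HMI-WELD-01", "parent": "explorer.exe", "image": "hmiruntime.exe",
     "cmd": "hmiruntime.exe /project line3"},
    {"host": "HMI-WELD-01", "parent": "hmiruntime.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File update.ps1"},
    {"host": "HIST-01", "parent": "historian.exe", "image": "ping.exe",
     "cmd": "ping.exe -n 1 10.10.3.40"},
    {"host": "HIST-01", "parent": "services.exe", "image": "backupagent.exe",
     "cmd": "backupagent.exe --nightly"},
]

if __name__ == "__main__":
    for finding in detect(NEW_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print(finding)
```

A medium finding on a host that just had a maintenance change is the cue to update the baseline after the change is confirmed, not to suppress the alert.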

The advanced solutions for CPS protection in automotive manufacturing include:

  • CPSDR for Networking: Proactive Protection with Edge Series of Networking Security Appliances

TXOne’s Edge series of networking security appliances utilize cutting-edge CPSDR technology to detect and predict anomalous network behaviors early on. By employing CPSDR, your OT network can proactively mitigate cyber risks, stopping potential threats before they escalate.

  • CPSDR for Endpoints: Ensuring Secure Operations with Stellar Endpoint Protection

TXOne’s Stellar solution analyzes each device’s unique fingerprint at the agent level and monitors deviations in normal operations. With real-time detection through deviation and behavior analysis, it catches unauthorized access, malware, unintended configuration changes, and malicious process modifications, suppressing these risks before any impact occurs.

Safe File Exchange: Securing Data Transfers

The exchange of files and data within and outside manufacturing environments requires robust security controls. For data exported from the manufacturing environment, the primary focus is on safeguarding equipment logs. These logs contain critical information about the manufacturing process, including machine configurations, production data, and quality control metrics. Protecting these logs is essential to maintaining the company’s competitive edge and profitability. This defense is not only necessary to protect proprietary information but also to prevent unauthorized access, tampering, or loss of critical data that could affect production quality and efficiency. Our EdgeFire firewall rules and remote access controls can establish a secure site-to-site VPN with remote access capabilities to protect OT networks from unauthorized access or interception.

Additionally, equipment maintenance often involves both hardware repairs (such as hard drive replacements) and software configuration changes, system upgrades, and security updates. Typically, factories schedule regular maintenance operations. However, any changes introduce potential risks, and OT security decision-makers need to ensure that assets remain synchronized with the latest security policy and intelligence and that any replaced hardware or software complies with the asset owner’s security configuration policies. It’s crucial to avoid introducing new security vulnerabilities through software updates.

Thus, during maintenance, we recommend that production equipment managers perform multiple malware and vulnerability scans. Extra security checks, including malware and vulnerability scans, should be conducted when replacing hardware or software components or making software configuration changes. This is especially critical for portable devices or computers brought into the production environment by vendors or maintenance personnel.

Since security checks are often conducted on-site, where the environment is typically offline, TXOne’s Safe Port can perform security inspection tasks without relying on a network, preventing potential entry points for malware. Additionally, the Portable Inspector offers a complementary solution by scanning assets using USB storage devices without interfering with software or relying on a network. It ensures that the original equipment software and configuration remain untouched while verifying the cleanliness of the device.

Enhancing CPS Security with Real-Time Situational Awareness and Threat Detection

To achieve robust OT cybersecurity, a deep understanding of operations is essential. Factory security teams require a clear, real-time platform to manage the cybersecurity of numerous devices, enabling swift detection and response to attacks as they occur. It is crucial to maintain situational awareness of all assets, monitor software configuration changes, system upgrades, and security updates.

By continuously tracking routine schedules and leveraging TXOne’s SageOne platform, organizations can optimize threat detection and response. SageOne centralizes all CPS security solutions into a unified management console, offering comprehensive visibility across OT environments. Integrating TXOne’s Stellar, Element, and Edge products, SageOne provides full lifecycle protection, managing the CPS attack surface with advanced AI-powered threat detection. With capabilities like cross-telemetry analysis and behavior-based threat intelligence, SageOne ensures rapid responses to both known and unknown threats, safeguarding critical infrastructure while enhancing cybersecurity governance throughout the asset lifecycle.

Conclusion: Future-Proofing Cybersecurity for Automotive Manufacturing

In today’s rapidly evolving automotive industry, the convergence of IT and OT systems, along with complex supply chains, has significantly expanded the attack surface for cyber threats. Ensuring cybersecurity in this environment is no longer optional but a critical requirement for maintaining operational integrity and safeguarding sensitive data. By adhering to stringent regulations like UNECE WP.29 R155 and ISO/SAE 21434, and implementing robust cybersecurity practices—including real-time monitoring, network segmentation, and endpoint protection—automotive manufacturers can effectively mitigate risks. As the industry continues to embrace digital transformation, the integration of advanced CPS security solutions tailored to industrial contexts will be essential in ensuring long-term operational resilience and protecting the future of smart automotive manufacturing.

TXOne Networks works with partners in the automotive industry to provide comprehensive solutions from CPS endpoints to the network, and a unified cybersecurity platform for CPS attack surface management. If you would like to learn more about our products, please contact us.

TXOne Networks
